Over the weekend, The Sunday Times reported that Android and iPhone users are vulnerable to a new privacy flaw. Apparently, a number of popular smartphone apps, including Facebook, YouTube, Flickr, and others, can access private text message data or other personal information. For its part, Facebook quickly denied the allegations, which were quite obviously written in a way to spread fear, uncertainty, and doubt (FUD). Here's what my colleague Zack Whittaker wrote in an update to his coverage of the story:
That was quick. A Facebook spokesperson said there is "no reading of user text messages." Facebook calls out the Times piece as "completely wrong", but acknowledges that the Android application permissions require SMS read and write capabilities.
Facebook wasn't done there. The company soon released more details.
"The Sunday Times has done some creative conspiracy theorizing but the suggestion that we're secretly reading people's texts is ridiculous," a Facebook spokesperson said in a statement. "Instead, the permission is clearly disclosed on the app page in the Android marketplace and is in anticipation of new features that enable users to integrate Facebook features with their texts. However, other than some very limited testing, we haven't launched anything so we're not using the permission. If we do, it will be obvious to users what's happening. We'll keep you posted on our progress."
We worked with the Sunday Times to explain why the Facebook Android app requests some SMS read/write permissions.
Here's what we sent them:
Facebook is currently running a limited test of mobile features which integrate with SMS functionality.
- SMS read/write is not currently implemented for most users of the mobile app.
- As part of this test, we declared the presence of that functionality within our app store permissions starting with the 1.7 version of our application.
- If Facebook ultimately launches any feature that makes use of these permissions, we will ensure that this is accompanied by appropriate guidance/educational materials.
Basically - if you are going to potentially make use of any features on an android app - you damn well better declare them to the users - which Facebook did. The features aren't used outside testing (as we explained) with people who know exactly what we are testing. But hey, don't let that stop you.
(Just as an aside... we didn't say we're launching a messenger product. Any proper technology journalist will tell you that there are any number of things you can use SMS for, such as carrier billing)
And lo... look what it became in the paper:
"Companies are using smartphone apps to extract vast quantities of private information about users’ lives, in some cases reading their text messages and intercepting calls. "Among those that admitted reading text messages this weekend was the internet giant Facebook, which said it was accessing the information as part of a trial to launch its own messaging service. "Companies ranging from Facebook and Apple to small operations run by individuals gain access to the treasury of data when people agree to the terms and conditions of downloading an app."
A ludicrous attempt to cook-up a story about companies spying on users - spun out of our explanation that we declared the app permission to everyone even though we're only using it with selected people who know the score.
I wonder why the Sunday Times didn't actually include our statement? Makes the story look a lot less sexy.
So, what can we learn from all this? Well, Facebook is indeed testing new mobile features for Android that integrate with the smartphone text message functionality. This is nothing new: the Facebook app has always listed the permissions users implicitly grant when installing it. The ability to edit and read text messages was added back in September 2011, when Facebook for Android version 1.7 was released.
In short, while Facebook's app technically can integrate with the phone's SMS system, the company is only using it for testing purposes right now. Furthermore, the social networking giant appears to be very aware of the potential privacy issues, but unfortunately The Sunday Times chose to write about the problem in a very sensationalist and inaccurate way.
- Facebook for Android passes Facebook for iPhone (DAU)
- Facebook is now the most popular Android app
- Facebook Platform on Mobile comes to Android
- Facebook Timeline goes mobile, starting with Google Android
- Facebook launches Facebook Messenger app for Android, iPhone
- Facebook: "We're going to become a mobile company"