This March reports broke that Facebook had been gathering call, SMS, and MMS metadata from Android app users for years with questionable levels of consent. Ars Technica suggested that Facebook was exploiting a loophole in Android to harvest call and SMS data without requesting the permission from users. Facebook responded that it was only collecting metadata through Facebook Lite and Messenger, both of which ask users for that permission during setup. The platform's integrity, however, has now been brought into question once more with revelations from internal emails released by the UK Parliament that show employees explicitly discussing how they might avoid any Android permissions request when accessing SMS and call history.
The documents come from Six4Three, a company you might remember as being behind the skeevy app that created a way to search for bikini pictures from your contacts on Facebook. When Facebook closed off access to data in 2014 Six4Three sued the tech giant for effectively shutting down its business. During the discovery phase of its lawsuit, it obtained documents from Facebook regarding privacy gaps in the Facebook partner API. One of the documents it received was a message thread summary sent as an email on February 4th, 2015, in which one Facebook employee wrote that the addition of a "read call log permission" would be "pretty high risk from a PR perspective."
Another employee stated later on in the thread that Facebook's "Growth" department was exploring a way to get call log permission without "subjecting" users to an Android permissions dialog at all. It's possible this plan was based on the fact that pre-4.1 Android permissions could be requested by apps on the Play Store up until 2017, and that those earlier permissions automatically granted call and SMS access together with requests to access contacts.
Now, one can't say definitively from this exchange whether foul play occurred, but there was already a fair amount of doubt that Facebook's excuse held water. After the social media giant issued its "fact check" blog post in March, Ars Technica responded that its statement contradicted the experience of several users who had shared their data with the publication.
In fact, the reporter himself, Sean Gallagher, wrote that a review of his Google Play data confirmed that Messenger was never installed on the Android devices he used. Only the Facebook app itself was installed on two different Android devices in 2015, and there was never an explicit message requesting the permissions, yet downloading his information from Facebook revealed it had call data from the end of 2015 until late 2016.
Ultimately, it seems pretty clear that Facebook exploited Android APIs for its own gain - but what was the gain exactly? According to the message thread, Facebook wanted to use this information for things like the People You May Know feature and feed ranking, but suspicions have long run high that the platform sells its users' data. The company refutes that, and none of the documents from Six4Three directly contradict the claim, but there was some new information revealed about Facebook whitelisting certain large tech companies, including Netflix and Airbnb, when restrictions on user data access were put in place in 2014. In other words, some companies got a pass while user data access was nixed for most others. Additionally, the documents show how CEO Mark Zuckerberg discussed letting developers use Facebook's login tools or publish to Facebook for free, but charging them for reading data at the price of $0.10 per user per year.
To all of this, Facebook responded in a press statement: "As we’ve said many times, Six4Three — creators of the Pikinis app — cherrypicked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app’s users. The set of documents, by design, tells only one side of the story and omits important context."
Zuckerberg also published his own statement on the platform, shown below.
This week a British Parliament committee published some internal Facebook emails, which mostly include internal...
These documents close out a year full of astounding revelations about Facebook - each one enough to make the public question its integrity, but taken together a searing indictment of not only the platform itself, but all business models that depend on the harvesting of user information. Here's hoping today's revelations and the countless other scandals that have erupted this year start us on the path to solutions.
- UK Parliament
- The Verge