What Do Facebook Permissions Really Mean?

Over the weekend, as a particularly vivid panic about Facebook data-harvesting continued to sweep the globe, users began to pick through what records the company kept on them. In addition to saving data on where and when you log in, who your friends are, which friends you’ve removed, every message you’ve ever sent, and the like, a New Zealander named Dylan McKay discovered something else: a history of phone calls and text messages that he did not place through Facebook’s services.

Hmm! Weird! Why does Facebook have this? For some of the data, the answer is pretty simple. In order to connect you with users you already know, Facebook will cross-reference contact information you have with its own database. When the app requests access to your contacts, it uploads them to its own server, checks if the phone numbers and email addresses are already registered to certain users, and then reports back to you. Whether or not you think this is creepy, this is standard social-media practice. Should the contact info be purged after the cross-reference happens? Probably. Will that happen? No.

As for the call and message metadata-logging, that’s a different story. Before we go any further, I will point out that Facebook appears to have the communication metadata, not the actual contents of calls (it’s also the same type of metadata the NSA reportedly collects). In a “fact-check” blog post on Sunday, Facebook explained that it got that data from Android users who installed Messenger or Facebook Lite, a stripped-down version of Facebook for users with slower data connections.

“When you sign up for Messenger or Facebook Lite on Android, or log into Messenger on an Android device, you are given the option to continuously upload your contacts as well as your call and text history. For Messenger, you can either turn it on, choose ‘learn more’ or ‘not now’. On Facebook Lite, the options are to turn it on or ‘skip’. If you chose to turn this feature on, we will begin to continuously log this information, which can be downloaded at any time using the Download Your Information tool.”

Facebook also says that you can delete the information from your profile entirely if you’d like. Okay.

What’s important to understand is this: For the (stated) purpose of a more satisfactory user experience, Facebook felt comfortable taking data from your phone, and storing it on its servers. You might not have understood exactly what access you were granting, and Facebook decided to use that to its advantage. It’s not Facebook’s problem that you gave it permission.

Now, compare this situation with the Cambridge Analytica one. Central to the matter was that Cambridge Analytica had kept Facebook user data outside of Facebook’s system, rather than reading it live. Think of it this way: You could check Monday’s weather on Friday, and work off of that, or you could check Monday’s weather on Monday. The latter is more up-to-date and reliable, and Facebook’s platform requires developers to pull data in a similar way, rather than retaining the data independently.

A developer built an app to collect user data, obtained permission through the platform’s official channels, and then saved a copy for their own use outside of Facebook. The last part of that was a regulatory violation, not a technological one. Facebook has no clear way of knowing how many apps siphoned data from the platform and were used to build independent databases.

What both of these instances show is that developers, regardless of who they are, will always opt for the most permissive definition of “access.” Facebook felt completely comfortable pulling as much of its users’ metadata as possible, and transferring it to its own servers. But by Facebook’s own admission, Cambridge Analytica doing the same with Facebook user data was a severe violation.

In addition to illustrating Facebook’s data-protection hypocrisy, this also points to a crisis in consumer technology. Does being able to access data also mean that developers are automatically allowed to copy and retain data? And what, if anything, can be done to stop the practice? Not even Facebook has a clear answer.
