Clearing Up a Few Things About Facebook’s Partners (fb.com)
167 points by pg_bot on Dec 19, 2018 | 145 comments



“Did partners get access to messages? Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app.”

Does anyone have a screenshot or remember what the opt-in UX was like for this? I have been logged in to Spotify via Facebook since basically the very beginning. I worked in tech as a dev, PM, and designer of flows. I never had the understanding that my Facebook connect with Spotify gave them read/write to all my messages. It’s certainly possible that this permission was requested in an auth form that I quickly granted without realizing, which would make this more of a dubious product decision than blatantly unethical. Anyone have info?


Looks like as of 07/2013 it was this: https://imgur.com/UdfzvGU

Source: https://stackoverflow.com/q/17561784/9027089


I wish there was a data audit log for your account. I'd like to be able to check which companies accessed what part of my data, when, and for what purpose. If I noticed something I didn't like, I could revoke permissions. If I noticed something that seemed very shady, e.g. Spotify editing my private messages, I could start an escalation.

This seems like a good way to move the burden of auditing partners onto the users for Facebook, to me. Make applications fill in information about why they call specific operations, and make those operations and reasons available in an audit log that any user can review.


It’s been available pretty much since the first f8 in 2008, so ten years ago:

https://www.facebook.com/settings?tab=applications


That just shows which apps have which permissions. I think what is desired is a log of date and times the app accessed specific bits of data. For example, do they poll every day and hoover up all of your recent data for everything they have access to, or do they only take just what they need for the task at hand?


Nice, good find. That doesn't give permission to read (or even generate) private messages, unless you interpret "my data" to mean something in the last bullet point that's much broader than the three above.


>unless you interpret "my data" to mean something in the last bullet point that's much broader than the three above...

Hmm. It seems this may sound weird to you and many others, but that's exactly how I interpreted it. When looking at that screen I was wondering why anyone in their right mind would grant Spotify these rights?

The only thing Spotify does is play songs for you, right? They shouldn't really need access to any of your FB data to do that.


Alright, I confess, your interpretation was the same as my immediate hot-take reaction, but then I stopped and said waiiiiiit a sec, they can't literally mean, all the data, right? They must mean, like, "my data" in the sense of that stuff above, right?

Only now does FB reveal themselves to be the treacherous jerks they've always been and abuse whatever leeway you give them. Use recovery phone number for marketing? Why not!


One not-a-facebook-user data point here, but yeah I would interpret "my data" to mean everything. Absolutely everything.


Only now!!! Where have you been?


I agreed they’ve always been treacherous jerks, I meant about the counterintuitive broad reading of “my data” on this page.


I interpret that as saying "the data you're granting Spotify access to, they can access while you're not using the app", i.e. not broadening the scope of the data, just when they can use it.


But, you want a more social experience while you listen to music.


Maybe some people do, but I don't.

Just play "Grandma's Hands" for me while I code. I don't need my friends in Paris to know I'm listening to Bill Withers.

Seriously, why do people think they need this stuff?


That’s fair, but surely the concept of sharing music with friends isn’t so crazy? Not saying it was necessarily handled well here, but it seems like a feature many would and do want.


Copy a link, send it as an IM; that already worked with ICQ. Update your status message in your message client, manually or possibly via a client-side API to do that; pretty sure there are scripts that do that for pidgin / Amarok, and it is definitely possible on macOS using Automator. There is no reason to involve a server other than possibly platforms like iOS not allowing interactions between apps in this way, which I doubt.


Yeah, but that's the thing: even if you do want to broadcast to your friends that you're listening to BW, that doesn't necessitate access to all your PMs! That just means write-to-wall or -to-updates privileges.


I apologize if my tone was not right... to be clear, I use Spotify exactly as you describe (different choices though) and am as baffled as you about people using those other ways.


I interpreted your comment as a joke, but could see how that could be unclear. Tone is hard on the internet, probably best to explicitly say when you're being sarcastic. :-)


That is one of their selling points, isn't it? You get a feed of "Friend activities" on Spotify.


That's not how it works. I've built a FB app in the past and had offline_access permission. It does not expand the scope of what data you can query. It just allows you to use the permissions granted whether the user is logged in or not.


That auto dialog referred to the “offline_access” scope. At the time, most app access tokens would expire unless they specifically requested that the user give permission to access at any time.

It did not expand the permissions of what could be accessed.

That scope was retired in 2012 https://developers.facebook.com/docs/roadmap/completed-chang...


That's weird. It seems very clear to me. They are giving you four distinct warnings: 3 plus my data. I would have immediately interpreted this as it's clearly written: Spotify would get access to my data. So I would have never enabled it.


Yep, that’s pretty much how I remember it.

Giving FB the benefit of the doubt, I suppose it’s possible that there could have been an additional permissions dialog that popped up whenever messaging integration happened. But I’m usually pretty good at being paranoid about giving apps unnecessary FB perms.

Personally I derive zero utility from integrating Spotify and messenger, and my private FB messages are one of the most sensitive data streams, period. So I find it hard to believe that I would have missed this. Which makes facebook’s latest vigorous non-apology feel a bit off to me.


That is absolutely a dark pattern if that dialog box was intended to speak to read/write access of messages.

"Access my data at any time" is truly deceptive. The icon is one specifying "time" - a moon in the dark; night time. And the operative context seems to be "at any time". However, the grant is actually for, "data". Which is itself seemingly already being granted by the above "Posts", and "Public Information". If Facebook presumed that "data" included everything, then why did they ask for access to posts and public information above?

It is clearly deceptive. If they thought what they did was in the right, then why deceive? And if they felt like they made a mistake, why not make the new dialog boxes not deceptive?

That they do not feel that they can sustain their business model without being deceptive makes NYT articles like this all the more necessary; if people really don't care about their privacy, then go ahead and ask for their privacy - don't dance around and say you're providing a service (and omit that you're also taking their private data). If they asked clearly and they were granted the ability to farm out to third parties whole read/write access to all data, then I'd be more inclined to believe that their users were actually acquiescing.


I completely agree. They're very clear about who can access what in the first few statements, but "Access my data" is so vague.

It takes a very cynical perception to accurately assume what they mean by this, and they absolutely take advantage of this. Cynics wear the tin-foil hats in the minds of many, and nobody wants to be like that.


Permission to post on behalf of the user and read posts from the user's feed does not grant access to messages to any other app getting these permissions from a user. If they were getting access to messages, it was a special stealthy "partner only" deal not reflected in the permissions prompt as posted on imgur above.


I mean, it does say it gives Spotify "access [to] my data at any time". Messages are just data, after all...


In context, "my data" means "the data referred to in the above three bullet points".

Otherwise, this is of the same type (though not magnitude) of thing as "Spotify may induct my firstborn into a satanic cult."


I feel they could have elaborated on 'data' a bit. To most people, saying 'messages' is more alarming than just saying 'data'.


And by the same token, wall posts are data too, so there should be no need to specify that explicitly if that's the way data is being interpreted.


That's exactly right. The fact that "wall posts" is in that list gives you a false notion of the granularity of the items in the list. One of those is not nearly as granular as the rest - if you assume that it is, like I did, you guess that "data" means "where you went to High School" or your "favorite movie" or some such, not "everything." Really deceptive.


That cannot possibly be it, the last permission is just the "offline_access" field that was available to normal developers and I remember seeing used a lot. I refuse to believe this is what fb talks about when saying users gave permission.


That's the UI that I remember from that time. Nothing in the auth dialog mentions access to Messages.


Yep, and the "Access my data at any time" basically lets them store and refresh access tokens, not give blanket access to things like messaging.


Facebook thinking that dialog says “read my messages” is evidence enough that their culture is broken and requires external oversight.


That does not include a request to approve the read_mailbox permission, which I think should be required to query a user's private messages. This permission was deprecated in 2015. https://www.theregister.co.uk/2018/04/11/facebook_admits_use...

On the other hand, Facebook is known to make a lot of one-off arrangements with specific preferred partners such as Spotify to grant permissions and access normal apps can't use. I suspect that money changes hands for some of these special arrangements, or if not outright cash then intangibles with significant value, hence the "selling data" accusations.
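An added example, not code from this thread, Facebook or Spotify, modelling the two technical points made above: `offline_access` only changes when a token is valid, not what it can reach, and reading an inbox needs an explicit `read_mailbox` grant. It also includes the per-user access audit log an earlier comment wished for. The scope names other than `offline_access` and `read_mailbox`, the operations, the expiry window and the sample grants are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Scope required by each operation. `offline_access` never appears here:
# it changes how long a token stays valid, not which data it can reach.
# `read_mailbox` and `offline_access` are the scope names from the thread;
# the other scope names and the operations are constructed for this example.
REQUIRED_SCOPE = {
    "read_inbox": "read_mailbox",
    "read_feed": "read_stream",
    "post_wall": "publish_stream",
}

# Constructed value: tokens granted without offline_access expire after 2 hours.
SHORT_LIVED_SECONDS = 2 * 60 * 60


@dataclass(frozen=True)
class Token:
    app: str
    user: str
    scopes: frozenset
    issued_at: float
    expires_at: Optional[float]  # None means the token does not expire


@dataclass
class AuditEntry:
    ts: float
    app: str
    user: str
    operation: str
    purpose: str
    allowed: bool
    reason: str


AUDIT_LOG: List[AuditEntry] = []


def issue_token(app: str, user: str, granted: set, now: float) -> Token:
    """Mint a token. offline_access only removes the expiry; it adds no scope."""
    expires = None if "offline_access" in granted else now + SHORT_LIVED_SECONDS
    return Token(app, user, frozenset(granted), now, expires)


def authorize(token: Token, operation: str, purpose: str, now: float) -> bool:
    """Check one API call against the token's scopes and record it in the audit log."""
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        allowed, reason = False, "unknown operation"
    elif token.expires_at is not None and now >= token.expires_at:
        allowed, reason = False, "token expired (no offline_access)"
    elif needed not in token.scopes:
        allowed, reason = False, f"missing scope {needed}"
    else:
        allowed, reason = True, f"scope {needed}"
    AUDIT_LOG.append(AuditEntry(now, token.app, token.user, operation, purpose, allowed, reason))
    return allowed


def user_audit(user: str) -> List[AuditEntry]:
    """Per-user view of which app touched what, when, and for what stated purpose."""
    return [e for e in AUDIT_LOG if e.user == user]


def demo() -> dict:
    """Run the constructed scenario and return each call's outcome by name."""
    AUDIT_LOG.clear()
    t0 = 1_000_000.0
    # Constructed grant matching the 2013 dialog discussed above: posts, feed, offline_access.
    spotify = issue_token("spotify", "alice", {"read_stream", "publish_stream", "offline_access"}, t0)
    results = {
        "post_wall_next_day": authorize(spotify, "post_wall", "share now playing", t0 + 86400),
        "read_inbox": authorize(spotify, "read_inbox", "show messages in app", t0 + 86400),
    }
    # Same scopes without offline_access: usable now, not three hours later.
    short = issue_token("spotify", "alice", {"read_stream", "publish_stream"}, t0)
    results["read_feed_now"] = authorize(short, "read_feed", "friend activity feed", t0 + 60)
    results["read_feed_3h"] = authorize(short, "read_feed", "friend activity feed", t0 + 3 * 3600)
    # Only an explicit read_mailbox grant reaches the inbox.
    mail = issue_token("messenger_client", "alice", {"read_mailbox"}, t0)
    results["inbox_with_read_mailbox"] = authorize(mail, "read_inbox", "render inbox", t0 + 60)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    for e in user_audit("alice"):
        print(f"{e.ts:.0f} {e.app} {e.operation} ({e.purpose}): {e.reason}")
```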


I worked for Spotify very close to this integration. Not going into too many details, but the access they got is generally what's being reported. That said, I'm not aware of Spotify doing anything with messages other than displaying them to users; they weren't mined for data or retained. The intent was a unified messaging experience across apps, but it's been effectively dead for over four years. The only creepy thing I'm aware of that they tried with Facebook data was trying to build a taste profile from "likes," and this is from public profile data.

There's a big difference between what the permissions could do and what they were actually used for. Facebook takes its contracts with trusted partners as seriously as they say. My concern would be less around "how was my (let's be honest--Facebook's) data used" and more around Facebook's growth at any cost engine.

Or the overall growth engine of tech.


I've always believed that this was one of the primary motivations for Facebook separating Messenger out into its own app: it feels separate and therefore more private, without actually being either.

The content of a post with privacy controls restricted to just one other person is functionally the same as sending a message to that person on Messenger — only the UI is different. But, to the average person, it feels completely different because it looks like texting.


Update: a second response from FB https://newsroom.fb.com/news/2018/12/facebooks-messaging-par...

It has screenshots of the messaging functionality but no clarification on how permissions were granted for this, as discussed elsewhere on this thread.


Reading this post, it simply misleads about how deep things went: they want to say that apps had access only when logged in, carefully phrasing around the fact that the apps had offline access too. Also, "they pinky promised to limit their functionality", not "we had controls in place so any of their data reads and writes was clearly trackable and labeled as such, and they couldn't download everything".

Basically their defense is: You trusted FB with data, dumb fucks.


This is not about logged in or offline.

Facebook is giving fairly precise technical information about what happened. The New York Times is being as coy as possible, using obfuscating language, to ensure its readers do not understand what happened but assume the worst.

The reality is that Facebook allowed me to send messages from within Spotify, when and if I agreed to grant that access to Spotify. That's the baseline.


> “Did partners get access to messages? Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app.”

Of course this is true. The media reports complete nonsense like "everyone had access to all your messages and your microphone and everything else ever on you and Zuckerberg sucks" and the truth is always, always that the users agreed to give up permissions and the permissions were actually pretty finely controlled. (Or Facebook was hacked.)

But that doesn't sell, so instead people conflate some data sharing with NSA-level conspiracy trolls and drum up bullshit media reports that they know Facebook cannot effectively fight since everyone currently hates them. It's absolute trash journalism.


You can check what permissions are granted to any app in your settings.


The language of this post seems extremely carefully chosen and to present as 'let me explain why what Facebook did was fine' and 'Facebook is full of great features that people use.' The language is somewhere in between reductive and manipulative.

"this work was about helping people" and "people could have more social experiences" and "People want to use Facebook features"

and then: "Our integration partners had to get authorization from people. You would have had to sign in with your Facebook account to use the integration offered by Apple, Amazon or another integration partner."

I read the last quote as "we used a dark pattern[1] to get your permission for this"

[1] https://darkpatterns.org/


this isn't clear to you? https://i.imgur.com/UdfzvGU.png


There's a reason the post wasn't worded as "you would have had to explicitly give permission for Spotify to access all of your messages."

It is my opinion that Facebook recognizes exactly how unethical their behavior was, as evidenced by the language they choose to use to describe their behavior.


The whole article seems odd. I have no training in public relations, but I assumed the narrative would try to at least seem sincere about end-user's privacy concerns.

There's none of that at all, not that it would be believable at this point anyhow. But it reads like a bully trying to justify to a teacher why he chose to eat another kid's lunch. It's clear fb has no moral guilt here and actually implies that all blame is shifted off of themselves.


It's extremely poor PR. I was caught up in the 2012 FTC investigation on social networks and data brokers. Public just wants to hear how you are going to protect their data. Doesn't matter if you're right or wrong. Pushing that you weren't wrong narrative just alienates your users even more.


What did I just read? Is this a legitimate Facebook post? Are they actively trying to defend and justify their actions? First step in crisis management would be to acknowledge the crisis for what it is. Without that stage Facebook will never get out of this. It's like Microsoft's security before Bill Gates's trustworthy computing memo. Facebook you have to change.


I assume someone at Facebook, hopefully the person that wrote this, or someone who has more influence over this issue, is reading.

I am an engineer. I understand technology better than most of the general population. When I sign in to my Facebook account to use Spotify, I am absolutely not expecting that Spotify will now have access to read every single one of my private messages. This is a gross violation of trust, and if this is what happened, then the fact that you not only made this mistake, but also then published this blog post defending it, marks a low point for Facebook. Perhaps irrecoverably so for me.

"After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature."

This is a write permission. So you needed to give Spotify permission to create a message. It seems that your system combines the read and write permissions, since you just grouped them together by saying "access to the person's messages". It also seems from your defense that you see absolutely no issue with this. In order to share a song through Spotify, you are giving them access to every single private message the user has ever written.

I find it hard to believe that Facebook refuses to acknowledge any fault in this: The initial product decision, the upholding of this decision through previous privacy investigations, and this PR response. Am I misinterpreting the facts or scale of this?


> I find it hard to believe that Facebook refuses to acknowledge any fault in this.

I feel that the distance between their rhetoric and their technical machinations is their liability. And to those who say, "no big deal, everyone already knew this" - well, then why does Facebook's rhetoric not match their underlying technology?

If Facebook came out and said, "our business model is to sell ads, so we do everything legally in our power to give people the power to connect to each other, while supporting ourselves by selling ads," then I would have confidence in their statements. They instead obfuscate and dissemble.

When they speak of "integration partners" and speak about using Facebook services on various devices, and not in terms of selling the data itself, opening up entire streams of data to read and write permissions, then their aims in this press release are different from the aims of their clients and shareholders. And the extent of that difference is a liability.

That they can't be honest in plain language about their technical systems means they don't yet have confidence that their technical systems would be culturally sustainable were they to be well understood. Incentives are not aligned here - and that is a very scary and generally untenable place to be.


Well if you want to receive a message that someone sends you then you'd also need to grant Spotify read permissions. In essence, you'd be using Spotify as a client app for fb messenger. How else could that work without Spotify getting read/write access to your messages?


The same way that Spotify doesn't just ham-fistedly show you all your Facebook messages... and other apps don't show you messages intended for Spotify.

Presumably messages are tagged in such a way that the source and/or destination are intended for Spotify. Using that same system, you should be able to specify "Spotify can only read & write Spotify messages."


That sounds like it would partition my messages, which is not what I want in a 3rd party messenger client.


I assume the point here is to send someone a message on FB with a Spotify link, so they click on it in their messages and it opens up the Spotify app. If you just want to send a message from one Spotify user directly to another in Spotify, you don't need FB messages at all, right? Spotify has a list of all your FB friend IDs already and knows which Spotify accounts each is connected to.


I think the use case is closer to Spotify acting as an alternative client to the messenger backend, much like Adium is an alternative client for Google Chat. Which in this case you have to trust the client. It feels grosser because Spotify isn’t just a desktop application, they could in theory have stored and mined your chats.


There are a number of different authentication schemas with varying levels of privilege. The best practice is always to give the smallest subset of privilege necessary to accomplish whatever task is needed. But it looks like Facebook basically gave On Behalf of User privilege -- the highest level -- to basically everyone who needed any sort of API access from Facebook.


I assume they could have done some kind of "firewalled plugin" architecture? Where there's Facebook code running alongside Spotify code but where the latter has no access to what the former is doing?

Edit: But more generally, this seems like a hard thing to get right, and I just don't see the mind-blowing value-add of being able to FB-message within Spotify!!omg that would justify it.


Which is probably why these features were removed three years ago.


Not by itself it doesn’t answer that. Why 3 years ago rather than 1 year, or “this is stupid, why give Spotify access to all PMs on our system just so a user can send and view PMs within the third party app?”


Perhaps irrecoverably so for me.

It is well past time. FB have repeatedly demonstrated who they are.


This incident is the first one I've felt this strongly about. There have been many others, but even Cambridge Analytica, to use that example, was just taking information that was semi-public (your likes and interests that all your friends could see), and abusing that information. But that was information that I never mentally compartmentalized as private. Sure, the scale and method of abuse was unprecedented, but I also don't blame facebook as much as many people did for not really knowing the extent of how that data could be abused. I also believe that fake news spreading on facebook was a novel-at-the-time phenomenon whose impact was hard to detect until after the damage was done.

My private messages are a whole different category of private. Facebook had a phenomenal engineering team and I put the same trust in them that I put in google for my email. A hack is still possible, but it's the highest level of trust that I can have in a service that I can't control (sure, things like Signal exist, but 99% of my friends don't use it, so there's a tradeoff). So this particular incident, and the dismissiveness of the response, is my dealbreaker.


Me too. And since most of my social circle have moved from Facebook to WhatsApp for messaging, I am now seriously concerned that WhatsApp is no longer secure... or won't be in the future under Facebook's ownership.


[flagged]


Sure, but there's a big difference between a college kid at 20 and a man at 35. I don't know where you draw the line on things you can assume someone has outgrown, or how they've changed, but I draw it at some point where what he said at 20 when facebook was still a Harvard project doesn't affect how I think of him or the company today.


But it’s the same product. Run by the same person.

It’s not like Zuck moved on to a different product besides trading trust for cash. How has he changed? If you’re an engineer and don’t get it then 20 year old Zuck is actually right about you.


What if the old quote and the new data said the same thing about the person, would that make any difference?


People can change over time.

But Zuckerberg has been quite successful since he was 20. Why should he have changed? Being a cunt has worked well for him.


[flagged]


We've banned this account for breaking the site guidelines. Please don't create accounts to do that with.

https://news.ycombinator.com/newsguidelines.html


"After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature."

> This is a write permission. So you needed to give Spotify permission to create a message. It seems that your system combines the read and write permissions, since you just grouped them together by saying "access to the person's messages".

How is it a write permission when the thing you quoted says "send and receive messages"? That's an inbox. An inbox reads messages.


I was too young to really keep abreast of the Microsoft anti-trust lawsuit, but I've never seen a technology company come under as much sustained pressure as Facebook over the past 18 months.

The New York Times in particular has definitely made it a mission to air out all of Facebook's dirty laundry. Overall, I don't think that this will result in users becoming more concerned about privacy (although their governments may) but it does seem like Facebook from a product perspective is vulnerable, even considering the amazing backstops that are Instagram and WhatsApp.


> The New York Times in particular has definitely made it a mission to air out all of Facebook's dirty laundry.

There are two thoughts here that people here assume are mutually exclusive, but they're really not.

(1) What NYT has reported is true, and highlights some serious issues that Facebook needs to address.

(2) NYT also, without saying anything untrue, takes negative news about Facebook out of context and gives it more prominence/repetition than is appropriate.

Both of these are possible simultaneously. I happen to believe both are true. The "providing a platform" argument was much more relevant at the time most of these actions occurred, even if that doesn't fully excuse them. And even if this is significant news, that might not justify burying other important stories (e.g. imminent government shutdown) so that it can be top of the news multiple times in the next week. As it surely will, even if there are no new revelations.

As for the substance of the OP or the NYT story to which it responds: no comment. Facebook PR is going to have to do this one without me. >:-(


What?

Facebook has so far admitted to everything, or in other words, the gross mishandling of privacy of a billion people for a decade and an unwillingness to improve.

Is your point that we shouldn’t worry about Facebook being an evil company because there are worse things out there?

Why can’t we worry about multiple things at once?

Even if we go down the road of whataboutism, don’t you think Facebook has earned its place in the spotlight? Facebook has shown itself to be an existential threat to liberal democracy and truth in recent years, it’s hard to imagine a bigger threat than that. I mean, if it wasn’t for a gazillion fake accounts gaming interest groups on Facebook, a lot less people would think things like climate change was fake. Which means that at its very worst, Facebook is being used to kill the planet.

Don’t get me wrong, I still think Facebook can be really good, at its best, and that’s exactly why I think the focus on their missteps is welcome. We need to tell them where the line is, so we can get more good and less bad.


Mass communication is a threat to democracy? That somehow only more censorship (fake news screening or whatever people want to call it) can fix? This is such a profoundly anti-democratic position, with extra overtones of “these voters didn’t know any better”.


> Mass communication is a threat to democracy?

Why did you think that strawman would work on HN of all places? FB didn't invent email, chatrooms, message boards, or the internet, things that actually support mass communication.


Curious how you can call that a strawman without knowing OP's actual position. I mean to be fair I likely misrepresented his ideas but to do otherwise requires a lot of back and forth questions to really understand the positions at hand.

I hope we don't have a long internet argument about what "mass communication" is, that would be a great waste of time.

I just suspect that if facebook didn't exist, message boards and chatrooms would have launched Trump into the white house just the same, and we'd be casting them as a "threat to democracy".


> I hope we don't have a long internet argument about what "mass communication" is, that would be a great waste of time.

100% agree. That is why I don't bother reading the comments where the discussion veers into the semantics of the label used ("socialism" and "market forces" related stories being the worst offenders). Usually the story isn't about that at all, but people seem to love rehashing their college-era debates that ended nowhere.

> I just suspect that if facebook didn't exist, message boards and chatrooms would have launched Trump into the white house just the same

I partially disagree. Without FB, Twitter could still have spread mass misinformation and divisive propaganda. Either way, the scale of either isn't comparable to message boards of yore. Those allowed for total anonymity. You weren't mandated to provide a real name. You weren't encouraged to share details of your personal life (relationship status, alma mater, location). Message boards also didn't have ad networks built into them that incentivized data gathering on a mass scale. Finally, message boards were not built around "sharing". That's what got fake news posts outside of your crazy uncle's FB circle and into local news website comments pages, etc., giving it visibility it wouldn't have otherwise.

What were the biggest message boards back in the day? Something Awful? Digg? 4chan? A few million members max. FB has 2 billion + on a single network. A single point of entry where the network gives you (as an advertiser/bad actor) near-unprecedented targeting ability for promoted posts and ads. If you popped into your local phpBB baseball forum and dropped off a meme showing Clinton with the Star of David with no additional context, you'd get booted by a moderator for being off-topic and the thread would be locked. No way to spread it to the outside world. Not so on social networks.


> Why can’t we worry about multiple things at once?

That was exactly my point. Is it somehow a bad thing to acknowledge criticism of both parties, largely in support of 40acres's point? Is it somehow better to use criticism of one as an excuse to ignore the other, as a pseudo-refutation of my own point? That's the truly noxious kind of whataboutism.


It seems like NYT was right on this one as FB themselves acknowledged that they gave 3rd party access to their users’ private messages (and apparently they still don’t see this as a big no-no ?!?). There are also quite privacy-aware users on this very website who say that they don’t remember being explicitly asked by FB about granting Spotify access to their private messages, and there’s also a link to an old screenshot from around 2013 showing that the FB confirmation screen was indeed very vague, there was no explicit mention of the user giving a 3rd party access to his/her private messages, just to his/her “data”, a very general term which is not generally correlated to private messages.

As such I’d say that articles like the one recently published by the NYT are spot on, and I also hope that FB will pay the price for what it has done (I’m personally in favor of a forced break-up).


My hunch is that the goal is to spur regulation. Old and new media are battling it out and I'm curious how this will pan out for 2020.


Mike Isaac is on the Facebook beat - he seems to break a ton of news (he was covering Uber last year).


My anecdata is that I have been reading the news about facebook and have started using it less. I also only run it inside a firefox container.


It's hilarious. Facebook misbehaves like a three-year-old and lies to your face about it. Fifteen years later and the same dysfunctional relationship continues. In a few days, in a couple of weeks, there will be some post from their engineering department regarding some fantastic thing they are working on, they released, whatever. And this love-hate debate will dissipate to the far end of your minds. When will you say enough?


I think what they are failing to address here, and what is incredibly misleading of them in this message, is that they fail to define what "public information" or "public activity" means to them. They define this in their TOS & Privacy Policy as pretty much anything you do on facebook, or a separate property that integrates with them, that you don't EXPLICITLY set as private. This statement tries to make it sound like they use very little data, when in all actuality most of what you do on FB is considered "public" to them even if they don't show this stuff publicly. That's not okay.


So basically it's totally OK because someone clicked sign in with fb? I bet the majority didn't realise that implied giving access to private messages.

Seems pretty dark pattern-y at best

>this work was about helping people do two things

One of the most disingenuous things I've read in a while. Nothing about this was about helping users.

I hope they get slaughtered on the markets tomorrow (again).


There are 3 parts to a genuine apology. 1 we’re sorry 2 we messed up 3 here’s what we’re doing to fix it

This is a poor attempt at an apology. It just shows how desperately they acted to grow users with little to no regard for user privacy. That’s a typical footprint for a mercenary company, not one whose mission is to respect its users.

Just look at how Apple apologized about their battery dilemma. Here’s a great way to show you care about your users https://www.apple.com/au/iphone-battery-and-performance/


> Just look at how Apple apologized about their battery dilemma. Here’s a great way to show you care about your users

In Apple's case, users are also customers, and everybody takes genuine care of their customers.

In FB's case, users are not their customers; they are the product for them. And products are meant to be sold, and this is what they do.


In addition: apologies become far less effective if you start to sound like a broken record[1]

[1] https://www.fastcompany.com/40547045/a-brief-history-of-mark...


This is all the more confusing given that Facebook internally is genuinely great at that. I was hoping that with Schrage out, those half-assed statements would be gone, but nope…


> To personalize content, tailor and measure ads and provide a safer experience, we use cookies. By tapping on the site you agree to our use of cookies on and off Facebook. Learn more, including about controls: Cookie Policy

> By tapping on the site

> use of cookies on and off Facebook

So an accidental interaction when trying to navigate away after seeing your cookie policy opts me into your cookie policy.

You bastards are full on assholes, huh?


There's no way "any interaction with the page" could possibly legally constitute agreeing to any sort of policy. I hope someone sues them over this.


Do we have any reason to believe anything this company says about anything anymore?

It's like they know they're in a very deep hole - yet with every press release they just keep digging themselves in deeper.


And now you know why Google is _really_ shutting down Google+ earlier than planned. Someone should also take a look at Android, where there are some insane permissions available, like accessing your messages and call log. I wonder how much those have been abused by third parties far less trusted than e.g. Spotify. Granted, you have to consent to all of this crap, but 99% of users perceive this as a speed bump and click OK without reading, and the remaining 1% won't touch Android with a 10 foot pole after seeing one of those permission dialogs.


> And now you know why Google is _really_ shutting down Google+ earlier than planned.

You are implying that this was some deeply hidden motivation until now, but both of the announcements pretty directly attributed the shutdown (and accelerated shutdown) plans to security problems.


Looks like you know for a fact that an app on Android is somehow granted more permissions compared to the same app on iOS, without users knowing it.

Care to prove your blatant lie with some evidence, or you are just going to bash Google/Android because it's the thing to do on HN?


There's no way to get call log access or messages access on iOS. There are at least a dozen other insane permissions that exist (and are frequently requested by apps) on Android and don't exist on iOS. Is this sufficient "evidence" for you? Do you seriously believe that these Android permissions are never misused? Because there's easily discoverable evidence to the contrary. With a 1 billion+ installed base, I'd hope this would get much more scrutiny than it's getting.


If I'm understanding what Facebook did correctly, the Google equivalent would be that whenever you "Sign in with Google" to any website or app, that website/app gets full and permanent read/write access to your Gmail. Are you alleging that this is the case?


I believe you're misunderstanding the situation, and I don't blame you. I believe that when you log in with FB it'd bring up your typical permissions dialog that would say what permissions you're granting. Most people don't read these, and even fewer actually understand what they're really agreeing to.

Much like what you see on Android today: https://www.google.com/search?q=android+excessive+permission...


Ah the inevitable, "it's all Google's fault" reply.


I don't see how you could misconstrue my comment in this way, but what I meant to say is "Google should also receive scrutiny" for these very similar privacy issues. I don't think anyone can argue with this in good faith.


Seems to be only you that made that interpretation.


Can someone clear this up (preferably if you've worked with the FB API):

when NYT published that spotify and netflix have accessed to private messages, isn't that simply for them to do a POST call for sharing a tv show or song?


Facebook appears to have designed their system in such a way that permissions were not granular enough to do things like "Spotify can only post certain types of messages". Instead it had to be "Spotify has full read/write access to all private messages".

Given Facebook's history it's hard to believe that the lack of granularity, and resulting incentivizing of users to grant as much access to personal data as possible, was an accidental oversight.


Looking at the Spotify sign-in image from 2013 that jahlove found above, Spotify didn't even ask for that auth permission.

The full messaging access seemed to be a hidden bonus for their larger partners.


Seems to me that it was more of a "who cares" oversight than an accidental one.


This article seems to imply that Spotify ran an entire messenger client within its front end, which does require full read/write access, just like your email client requires access to your email, right?

It’s more dangerous because Spotify is a website and so could store your messages in theory.


I think a very common problem with OAuth (way beyond Facebook) is that people often underestimate the permission they are giving to a 3rd party. For example, if you use some email client to manage your Gmail, the email client would request permission to "manage your Gmail", exactly what you want, but that actually gives the 3rd party permission not only to read all your mails, but to send out emails on your behalf.
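The same least-privilege point comes up in the earlier comment about Facebook's permissions not being granular enough ("Spotify has full read/write access to all private messages" rather than "Spotify can post a share") and in this one about Gmail scopes. As an added example, not code from the thread or from Facebook, Spotify or Google, here is a small Python scope audit: given the scopes an app requests and the capabilities its feature actually needs, it reports the excess rights the grant carries and suggests the narrowest scope set that would have sufficed. The Gmail scope URIs are Google's published ones; the capability attached to each scope is this example's own summary of what the scope permits, and the bare `messages` entry is a hypothetical coarse permission standing in for the kind of all-or-nothing grant the thread describes.

```python
"""Least-privilege audit of OAuth scope grants (added example, not from the thread).

Scope URIs for Gmail are Google's published names. The capability sets are this
example's own summary, and "messages" is a hypothetical coarse permission used to
model a non-granular grant of the sort discussed in the thread.
"""
from dataclasses import dataclass

# Capabilities a messaging scope can confer, from least to most dangerous.
READ, SEND, MODIFY, DELETE = "read", "send", "modify", "delete"

# Assumed scope -> capability map. Anything not listed is treated as unknown and
# therefore flagged, so the audit fails closed on scopes it cannot reason about.
SCOPE_CAPS = {
    "https://www.googleapis.com/auth/gmail.readonly": {READ},
    "https://www.googleapis.com/auth/gmail.send": {SEND},
    "https://www.googleapis.com/auth/gmail.modify": {READ, SEND, MODIFY},
    "https://mail.google.com/": {READ, SEND, MODIFY, DELETE},
    # Hypothetical coarse "messages" permission: one switch for everything.
    "messages": {READ, SEND, MODIFY, DELETE},
}


@dataclass(frozen=True)
class ScopeAudit:
    granted: frozenset   # capabilities the requested scopes actually confer
    excess: frozenset    # granted capabilities the feature does not need
    unknown: tuple       # requested scopes the audit has no model for


def audit_scopes(requested_scopes, needed_caps):
    """Compare what an app asks for with what its feature needs.

    requested_scopes: iterable of scope strings as they appear in the consent
    request. needed_caps: the capabilities the feature genuinely requires
    (e.g. {SEND} for "share this song with a friend").
    """
    needed = frozenset(needed_caps)
    granted = set()
    unknown = []
    for scope in requested_scopes:
        caps = SCOPE_CAPS.get(scope)
        if caps is None:
            unknown.append(scope)  # fail closed: unmodelled scope is a finding
            continue
        granted |= caps
    return ScopeAudit(frozenset(granted), frozenset(granted - needed), tuple(unknown))


def minimal_scopes(needed_caps):
    """Greedy least-privilege cover: for each needed capability pick the known
    scope with the smallest capability set that includes it. Returns a sorted
    list of scope strings; raises if some capability has no granting scope.
    """
    chosen = set()
    for cap in sorted(needed_caps):
        candidates = [s for s, caps in SCOPE_CAPS.items() if cap in caps]
        if not candidates:
            raise ValueError(f"no known scope grants {cap!r}")
        # Smallest capability set first; scope name breaks ties deterministically.
        chosen.add(min(candidates, key=lambda s: (len(SCOPE_CAPS[s]), s)))
    return sorted(chosen)


def explain(audit, needed_caps):
    """Render an audit as a short human-readable finding."""
    lines = [f"needed:  {sorted(needed_caps)}", f"granted: {sorted(audit.granted)}"]
    if audit.excess:
        lines.append(f"EXCESS:  {sorted(audit.excess)} (over-broad grant)")
    if audit.unknown:
        lines.append(f"UNKNOWN: {list(audit.unknown)} (cannot reason about, treat as over-broad)")
    if not audit.excess and not audit.unknown:
        lines.append("OK: grant matches need")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario: a music app whose only messaging feature is
    # "post a song to a friend", i.e. it needs SEND and nothing else.
    needed = {SEND}
    for requested in (["messages"], ["https://mail.google.com/"], minimal_scopes(needed)):
        print(f"requested {requested}")
        print(explain(audit_scopes(requested, needed), needed))
        print()
```

Running the block shows the coarse `messages` grant and the full `https://mail.google.com/` scope both confer read, modify and delete on top of the send capability the feature needs, while the least-privilege cover is the single `gmail.send` scope. The practical use is as a pre-release check on the consent screen an app will present: if `excess` or `unknown` is non-empty, the user is being asked for more than the feature can justify.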


The Title should be corrected. The title of post is actually:

"Let’s Clear Up a Few Things About Facebook’s Partners"

This distinction is notable for its patronizing tone.

Of course the assumption that we all have it wrong. "There's nothing to see here, please move along." Everything that was done was done to make the world a more connected place and for us to have more "social interactions."

This post is a case study in how not to do PR. There wasn't even a remote hint of concern for what their users might be feeling in the wake of this story. But perhaps it doesn't matter anyway, since this company has zero credibility at this point.


So CuteApp allows you to read FB messages and email from their app. They cut a deal with FB, but you still need to want to do it and then enter your FB credentials while in CuteApp. Unless messages are saved in the app, unsecured, I see no problem. The FB user reads his messages somewhere else but using his FB credentials. (If I understood it correctly)


No, CuteApp allows you to read FB messages and email from their app. They cut a deal with FB and even if you don't use the service, CuteApp can still access your messages. You don't actually know about the service - it isn't in the permissions and you didn't give explicit consent for it. Doesn't matter.


Do you have any evidence to back up these claims?


Yes, actually. 1. There is no record of an explicit permissions check, and there are records of other checks.

2. Facebook has acknowledged (multiple times, now) giving read/write access as long as you were logged in through Facebook to one of these systems - you don't have to explicitly enable it and engage the message service, which is what OP was saying.

3. They say: "No third party was reading your private messages, or writing messages to your friends without your permission." They aren't saying that no third party was reading or writing messages, just that you gave it permission to do so. Unfortunately, that permission was, again, not explicitly given. It was a blanket (access data) permission. Facebook has a documented and admitted history of obfuscating what permissions you are actually giving it - the messaging app being one example.


You said:

> even if you don't use the service, CuteApp can still access your messages. You don't actually know about the service

I don't disagree that permissions dialogs can be confusing and misleading, but you were initially claiming that CuteApp could access your messages even if you have never used it. Are you no longer making this claim?


No, I am making the claim that you don't have to use the message service for them to read your messages. I was unclear.


The bigger issue is that the vast majority of users aren't informed about what they're granting access to.

If they truly knew half of what these applications were doing with their "private" information, I can guarantee less than half would continue using it.


No you can't guarantee that. From my experience, most people simply don't care.


Title seems aggressive, yes?

I spent an hour trying to remove all of the advertisement connections, and have no idea how far into it I got. Mostly realtors and car dealerships.


They are no good at all at apologizing. They somehow manage to be consistently condescending. Facebookers, take this into account next time (or the next dozen times) you have to write up an apology. https://news.ycombinator.com/item?id=6116544


He's been apologizing since 2006... think they'd get better at it by now.

https://www.fastcompany.com/40547045/a-brief-history-of-mark...


> Did partners get access to messages?

> Yes.

(o_O;

...and every time I think FB can't get any worse, it does.

Serious Q: is there a way to find out what services I've ever authorized into using my Facebook account, and nuke those links/permissions? I haven't done that in years, but who knows how many of these there are still lying around.


Facebook can’t be regulated into the ground and then sued into a fine dust fast enough.

It is really hard to overstate the ambient anger out there at a general sense of exploitation. FB have made themselves a lightning rod for that anger.

Couldn’t happen to a more exploitive, manipulative company.


Remember when fb blog posts used to be about cool tech problems? How much more unfun and 'last year' can this platform get?


It's funny how the article keeps repeating “people had to explicitly sign in” to give access. Well, that should not be enough to let 3rd party apps read my messages.


It all boils down to convenience. People are so easily manipulated with just a little incentive. Just keep one thing in mind. If at any given time there is a product or service that has no cost or fee to use, the first thing that should pop into your head is: “There is nothing free in this world.” If you hit Accept / OK for a free service / product, the blame is on you/us, not them.


Is it just me that couldn't find the feature in Spotify desk app to actually send a message to a friend from the app?


These features were removed in 2015.


If not the US, other nations should take stringent measures to rein in the out-of-control Facebook horse. They have broken most ethical and moral boundaries of trust. They not only treated users like a product, but exploited them. I hope they find their day in the court of law.


There's just one thing that really struck me:

"Apple, Amazon, Blackberry and Yahoo"

I think the person who wrote this piece first ordered those companies on alphabetic order to look as neutral as possible, then somebody standing behind the editor leaned over and said "Perhaps you could move Apple to the first spot?"

There isn't a single accidental comma in this article.

Anyway: as somebody pointed out the dialog clearly stated that Spotify could access your data even without using Spotify. I think people should be a bit more conscious about what they trust to a third party to begin with. No, you're not paranoid running your own mail server.


In case people want to read the original story and discussion:

https://news.ycombinator.com/item?id=18712382


This has been the de facto practice for ages in API integration. Everyone is doing it. When you grant Dropbox access to an app, can you say Dropbox is colluding with app developer?


That is what confuses me. It is a widespread issue in the industry, but somehow Facebook is getting singled out for it. And the particular integrations in question were disabled years ago.


Crisis management playbook in action.


The FIRST thing I see when I visit this site (on mobile) is a popup telling me this...

```To personalize content, tailor and measure ads and provide a safer experience, we use cookies. By tapping on the site you agree to our use of cookies on and off Facebook. Learn more, including about controls: Cookie Policy. Cookie Policy```

I know they have to do that, and it was already there... but doesn't that feel like a slap in the face?


This is their remorse:

"Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs"


I cannot proceed to reading the article because I refuse to accept fb's cookie policy that doesn't seem to give a way to read the content without accepting a cookie from them.


Why not browse in incognito, so the cookies clear out when you close the window?


> Today, we’re facing questions about whether Facebook gave large tech companies access to people’s information and, if so, why we did this.

> To put it simply, this work was about helping people...

Putting it simply would be to answer YES to the first question instead of sleazing your way into a thousand words false apology where you don't admit to have ever done anything wrong besides leaving old APIs running for longer than they should have (!)

Also, nothing Facebook does is about "helping people". That is not their business. Their business is exploitation.


Is all business exploitation? And capitalism is the problem?

Businesses have to have customers and users to survive, even tobacco companies provide value to users even if their product kills them.

If Facebook provides 0 value, stop using them and all the other rational people will too. If they provide a modicum of value, then people will use them if the value delivered is below the cost (cost includes privacy violation and bad trust).


“Did partners get access to messages?

Yes.”

That’s all the article needed to be.


Why would I believe the fibs from an ad company?


> We’re already in the process of reviewing all our APIs and the partners who can access them.

Translation:

  chmod 777 *


> To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC.

Always take note of the defense, "It was legal." It is the last defense of an opponent who knows they have lost the moral battle.


there's nothing to clear up. the statement is a non-denial denial when you read it closely.


I don't understand your point.

It reads like a fairly clear and descriptive statement to me and in-line with actual facts reported by the newsmedia (without the messy presentation of the newsmedia).


This is just more NYT slander to finish off their biggest advertising rival. Nothing about this was out of the ordinary or hidden from the user. The next article will be the NYT saying Zuck broke the public’s trust because Facebook had this thing called an API which is totally evil and corrupt. It probably stands for Anti-Privacy Interface.



