Facebook permissions

When you willingly give your data away, you lose control of where it goes once it's no longer in your hands

Last week we told you about a bug on Facebook, where the popular social network ended up sharing some personal information with your friends. There's some more talk about it again today, as Symantec has stated that "the first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

The thing is, if you installed the Facebook app, you agreed to give them this information. It spells it out in simple terms, and forced you to agree to it before you could download the app.

This doesn't excuse Facebook for the latest privacy gaffe, but it does highlight the need to look at those permissions -- and understand them -- for each and every app you install. They are all there, and if you come across something you don't understand there are plenty of people to help you figure it out in the forums.

We're not saying the Android permissions system is perfect. But it is there, and we have nobody to blame but ourselves when we agree to something we end up not liking.

Update: People are asking about the pre-installed version of Facebook on their carrier and OEM branded phones. When you set up your phone, or first use the app, you're given a link to the full set of Facebook policies, including their data use policy. If what data is being collected is important to you, that's readily available right from your phone settings. On your first trip to the Google Play store, you'll be asked to update to the Google Play version, which again reviews all of the app permissions. This information is there, you only need to read it.

 
There are 63 comments

schlemer says:

The phone# thing doesn't bother me so much. My phone number has been listed for years. While it does not excuse the fumble from FB. It is something that happens on a regular basis. When you give your credit card at any place of business, you are trusting a merchant with your info. When I was a kid, my parents always told me to never give out my social #, well that's been out the window for years. Basically, my rule of thumb it, I give out personal info at my own risk. FB may have dropped the ball, but as you said. I gave them the ball to begin with.

icebike says:

Facebook came pre-installed on my phone. Last Two phones actually.
Pretty hard for me to get in there, root it, uninstall facebook, all while in airplane mode.

And why should I have to?

So no, Jerry's main premise is false, I did not give facebook access to my phone number by virtue of downloading it.

brendilon says:

Very good point!

And you accepted the terms and agreement when you first used it. You did read all that, right?

You can feign ignorance all you like, but the permissions are right there whether you choose to investigate them or not.

alexeiw123 says:

what terms and agreement - he said preinstalled on his phone? There's no play store log in, and acceptance of terms when it's pre-packed on your device, it's just a pretty 'f' logo in your app drawer. As your article states - you do not not even need a facebook account, just the app installed on your phone.

bettiol says:

Norton explicitly states that a phone number is not transmitted until the user launches the Facebook app. If Facebook is on your device, you probably (a) downloaded it yourself, or (b) purchased a device with Facebook pre-loaded. If (a) applies, you agreed to Facebook's ToS when you downloaded the app. If (b) applies, you agreed to the ToS when you bought you first turned on your phone and clicked through the ToS.

Whether or not the ToS that govern the use apps and services such as Android, Google Play, and Facebook are adequate in scope and transparency is a discussion that requires greater context.

mwara244 says:

Facebook is too intrusive, that's why No One Should use it. I used it once and never again on my pc in 2010. Facebook copy's everything you post and keeps it, picture, videos, anything you say to ieads, or idle chit chat, whether or not you delete any of it. FaceBook installs hidden Cookies on your devices to track every website you visit, unless you delete all cookies, which can suck to sites you visit frequently.

Google+ does none of that

heraldo says:

But when I Google something and then I go on to the next project online and that website is throwing me an ad for what u just searched for is them not storing cookies?

Posted via Android Central App

poglad says:

What are you talking about? Of course Google+ keeps it. Just like on Facebook, you can scroll back through your feed and see all the things you posted - and so can everyone else.

mwara244 says:

Facebook is too intrusive, that's why No One Should use it. I used it once and never again on my pc in 2010. Facebook copy's everything you post and keeps it, picture, videos, anything you say to idea's, or idle chit chat, whether or not you delete any of it they copy it all and own it all, you surrender copyrights to it once you post it on their site. FaceBook installs hidden Cookies on your devices to track every website you visit, unless you delete all cookies, which can suck to sites you visit frequently.

Google+ does none of that

Great article from a year or so ago how a woman found a picture of her family in Picture Frames for sale and it was the stock image in it. Turned out facebook sold her pictures to an Advertising company to put in the frames

MikeLip says:

No. FB is coming PREINSTALLED on devices. For it to transmit phone numbers upon launch is unacceptable. And when you download something it often does say it wants access to your numbers. It never says it will send them all to the mother ship. The assumption is that maybe it needs them for caller ID purposes or whatever. The implications and uses to which the numbers are put are not ever outlined when you download an app - just that it wants access to them.

Besides, FB is a data hog. Don't use the app. Just use the browser version.

icebike says:

Jerry, respectfully, you need to rethink your habit of being an apologist for bad vendor behavior, based on some faulty concept of implied consent.

Just because some fine print somewhere might have said that the application MIGHT share a phone number doesn't mean anyone automatically expected it to do so without explicit permission, especially when I choose NOT to sign up with Facebook.

I'm not given an opportunity to opt out, because even an accidental launch of the app transmits the number, even before I see the agreement.

Per your own quote:
"the first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

Somewhere in some obscure federal register there exists some obfuscated text authorizing the NSA to read your mail and record your phone calls. I'm sure you read all of that, right Jerry? And by merely breathing air, you've consented to that right?

I bought a phone. That's all I did.

That fine print is a bitch, isn't it? I make a habit of reading it.

Diskoman says:

Exactly. There are several popular apps that I refuse to install due to their privacy policies. In addition, this is why I will never enable auto-update in the Play Store. Too easy to get caught slipping, and it would really be my fault for allowing it in the first place.

Connor Mason says:

Even after or reading the fine print, what could I actually do anyways beside not buy a smartphone? Consumer protection agencies need to stand pay attention here.

Posted via Android Central App

iowabeakster says:

What you can do, is buy a smartphone that does not come preinstalled with Facebook. And then, don't install their app once you get one. Maybe a tad inconvenient, true, since Facebook is kicking all that cash to the carriers (and/or manufacturers) to have it part of the boatload of bloat that they stick on their phones.

But phones without that type of intrusive bloat ARE out there. Not many, but some.

Unless substantial numbers of people vote with your wallet, you will always suffer these tactics. Facebook makes way too much money (treating their users data as a commodity for sale) for them to ever stop what they are doing. That is their business model, for goodness sake!

Don't view their adds. Don't provide them the data. Life was just fine before facebook. It will be just fine after, too.

Complaining afterwards that they are doing something that you "explicitly allowed them to do" will do nothing to change the situation.

vorpalk says:

And with that response, Androidcentral is off my reading list, and all associated sites are blackholed at my router.

Condescending prick.

glazedfaith says:

Lol. You will be sorely missed. Who hates a website so much they blacklist it in their router? Someone who can't be trusted to follow through with a threat...including the one to blacklist the website in the first place. Enjoy your lurking, cause if you ever post again, everyone will point and laugh.

*grumble grumble* "don't want to accidentally type in androidcentral.com and then press enter, finding myself transported to where I wanted to go to the least"

You agreed to condescention when you signed up.

ads says:

Post of the day, awesome!

MikeLip says:

Really? That's not a very intelligent comment. By your own sites words you don't get a chance to read any agreements because you have just launched the app. You have not signed in or set it up. First thing it does, before providing terms of service (according to AC) is transmit private information to FB. THEN it says, yeah we're going to look at your numbers. And if you get it from Google Play, what does the warning say? It says FB will want access to your phone numbers. It does NOT say "Hey, as soon as you click that blue F, the first thing I am going to do is steal your numbers without telling you I'm doing that." If it says that anywhere, it says that after you've launched.

So, you find the behavior you outline acceptable? By your own description it's pretty damn sneaky (not to mention unethical and downright crappy), and with no warning it will happen. Just what is so attractive about Facebook that you are so willing to allow this behavior anyway? There are more acceptable and less amoral ways to run a business. Doing business like this simply because you can sneak it past the average user should not be a business model for anyone.

This is BS and you know it. I think I'm more angry at you for condoning this than FB for doing it. I used to think AC was a good place to come. I think you just changed my mind.

MikeLip says:

Jeez. Can't delete comments.

moosc says:

I was supposed to read those permissions? Oops click OK

Posted via Android Central App

swindelljd says:

Really Jerry? Trolling on your own site. I love Android Central and have been following you guys since very early on, but seriously.

This kind of untrustworthy, immoral behavior from Facebook is the type of thing that an agency like http://www.ftc.gov/bcp/ was made for and shouldn't be laid at the feet of the end user.

Like my mother or anyone's mother
has any idea what all that legalese or techno jargon means when reading a TOS or app permissions. She doesn’t have tens of millions of dollars to spend on lawyers to figure out what all this stuff means. She just wants to communicate with her grandchildren using the only way the know how. It’s just very sad.

I'm not trolling anything. If you want to trust companies like Facebook, feel free. I think reading what you're agreeing to, and then deciding whether or not to do it is a much better way. The accidental sharing with friends was an honest (I assume) bug on Facebook's part. But giving them your information was not a mistake, and I encourage everyone to start reading all those agreements and permission warnings each and every time.

mikejs78 says:

Jerry,

What is a problem here is that they keep the phone numbers and contact info of my contacts. So if a friend of mine had me in his contact list, and he signed up for Facebook and used the "find my friends" feature, then my phone number is now part of Facebook's database, whether or not I ever gave consent to the TOS. That, to me, is bad behavior.

In the case of the data sharing (which was, I'll agree, probably an honest bug) other friends who may not have had my phone number but have my email address could obtain that without me ever having joined or accepted *any* Facebook TOS. To me, I don't see any defense of this practice that's acceptable, even if it is in the TOS. Facebook has no business storing personally identifiable info of people's contact lists. To use as a one-time "find my friends" feature is fine, but it must be transient and then destroyed, not stored. I don't see how you can defend that.

return_0 says:

Very good point in the first paragraph.

Posted via Android Central App

MrSmith317 says:

You sound like me. Facebook is using round-about logic and pure gullibility to obtain data it has no right to. My PII is my PII and unfortunately all of my friends that have Facebook have probably already shared my name, address, email(at least one of them), and phone number with the company though I have no affiliation with Facebook at all(other than being a staunch opponent). Regulatory bodies from all countries should have an issue with this sort of legalized data mining.

AJC1973 says:

Answering comments to a story you write about is not trolling.. Bitching about it is... That said... You are going to go to the ftc.. Of the same government that uses Facebook as a direct tool to spy on you.. And you think your little complaint of not being an adult and reading everything you agree to is going to make them slam their willing tools.. Well that makes you pretty foolish. In fact it proves their tactics are aimed at the right people.. The American sheeple.. If it goes anywhere it would be the wink and nod.. Don't Do that anymore fine them 50k then a month later reward them a contract.. For 60.

DirkBelig says:

Every time Facebook changes its policies or has a security gaffe, everyone has a self-righteous cow about how "FaceSpace iz teh wurst! Mah pryvaseez!!!" Effing spare me.

How much are you paying for Facebook? What was that? Did you say NOTHING?!? Well, you should've. Does Facebook have access to anything that YOU DIDN'T SUPPLY IN THE FIRST PLACE? People have this insane notion that they should be able to pour all their secrets into some website and that they should be kept secret because.

Here's a tip, kiddies: DON'T BE TELLING ALL YOUR PERSONAL STUFF YOU DON'T WANT OUT THERE TO EVERYONE?!?!? If you look at my Facebook page, you can tell my birthday, but not year, though you can guess from my high school class info. You don't know where I live or where I work or what I even do for a living. You can see I'm in a relationship, but not with whom.

When I check into Foursquare, you can see that I shop at CVS and Kroger a lot and what my favorite restaurants and movie theater is, but you will never know if I went to a doctor or where I bank at.

It's hilarious that people are saying, "I'll be over at Google+ where my privacy is respected," as if the NSA isn't monitoring your traffic in real time to see whether you need an audit or not.

It never ceases to amaze my the misguided sense of entitlement so many people have, especially from something they don't pay a cent for. It's just, "Gimme a place for all my friends to hang out and for me to hand over all my personal info and don't charge me for its use and don't use my data to sell me to marketers. Just gimme gimme gimme or else I'll cry." Pfffft.

Jamookie says:

"Does Facebook have access to anything that YOU DIDN'T SUPPLY IN THE FIRST PLACE? People have this insane notion that they should be able to pour all their secrets into some website and that they should be kept secret because."

That's a simple one to answer. Yes.

They have My name, my face recognition, my e-mail address, my phone number, where I live, how old I am, who some of my friends are, and I'm sure a lot more. Right now you are getting all self righteous with your you gave them that info, but no I didn't. Friend Posts: Here's the picture I took over at X's 23rd birthday party. Now Facebook has pictures of everyone at that party, they know who's house, and they know where that house is cause of the GPS data embedded in the photo. They also have all the contact info from that persons contacts, so now they have the phone number and E-mail address.

Even if you don't have an account, they are compiling bundling and selling that info. It's what Facebook does.

Tigrisan says:

That would have been my response as well. I didn't download it. It came on my phone and other than rooting, which I don't want to do, I can't get rid of it so why should I be penalized having all my info spread everywhere by virtue of having it preinstalled? I've never opened it, have no intention to, but the point is, I didn't give them access. Period. They have no business sharing it with any and everyone.

DWR_31 says:

My old FB page has my pic and a cover photo that says " I've moved to Google+".
Stop using services that you think are shady. I have two listed #'s on my FB profile that are old and not working. If someone wants to find me they won't get far using FB.

From the DARK AC App!

brendilon says:

I don't think it's Facebook dropping the ball that is bugging folks. IT's that Facebook has dropped the ball.. yet again. It seems to be a pretty regular occurrence with them. I can't think of another company that seems to be so casual with the privacy and personal information of its users.

Heck, the government wouldn't have had to subpoena Facebook for user info, Facebook would have eventually leaked it all anyhow.

Most people don't download the app it comes pre-installed on the phone

Posted via Android Central App

cashxx says:

I think the problem here is shouldn't something be warning you that its taking your number? Android, iOS, etc should be warning you if anything personal is being sent or if anything is trying to get access to your cam or anything. This is just happening automatically and it may say in the terms, but who reads any of those! Its just shady practice!

To me, the whole point is WHY does it need my phone number? I don't particularly care, but there is a place in Facebook to enter your mobile number if you want to share it. There's just no need that I can see to harvest the sort of data that many apps harvest.

All we can do is try to see what data they collect, and make an informed decision about sharing it with them.

Diskoman says:

It may be shady, but it has been going on for decades with your silent permission in the sake of keeping costs down or "free". Do you really think that telecoms and internet providers haven't been using your personal info for marketing purposes? Do you really think cable companies haven't been selling info on what you watch & when? This is just more of the same, and companies like Facebook are so gung-ho about mobile for the simple reason that they can get that much more info from you. This simple rule always applies: if a product is supposedly "free", then YOU are the product. Just choose how much of yourself you want to give away.

-IRON- says:

I havent updated the app sice they added access to battery info and to write over other apps.

Also i think google is all about giving these apps more permissions. they no longer seperate apps that need more permissions in a manual update area. You have to be dillagent and check each one. This is a big negative to me about google

Posted via Android Central App

return_0 says:

No, that's wrong. It isn't in a manual update section, but it still notifies you of changes, requiring you to accept them if you want to update.

Posted via Android Central App

Jamookie says:

Not from what I've experienced. You leave an app not updated long enough and they compare permission changes to the last few versions to push out instead of the one installed. Back when they had the 2 categories, I'd watch apps migrate to the other category and no longer require a manual update.

-IRON- says:

Apps with or without new permissions have to be accepted the same way

Posted via Android Central App

What if I don't share my number, can they use some sort of backdoor to access it without my permission?

Posted via Android Central App

asd216 says:

I can't wait for Facebook to go under. Just takes the ignorant people that use it to realize that it's the devil.

Posted via Android Central App

CDH says:

So if the AC app were to completely wipe your memory card you shouldn't be upset because you gave them permission (or ball) to do so, even if it wasn't intended purpose? Interesting point I suppose.

s2weden2000 says:

yes you did, so shot up...

I think it is still fair to ask why FB wants the phone number. And further, why do they not collect a phone number from PC users, or from iPhone users.

One could say that they take the information because they can get away with it. So while what they are doing is completely legal, it is at least questionable and maybe also unethical. I don't see why one has to defend this kind of behavior.

The NSA at least can claim national security as reason for why they have to collect all data.

Talne says:

I Could make a FORTUNE selling tin foil hats to this crowd, a FORTUNE.

MarkMcCoskey says:

So I'm guessing if one is to use Facebook via their phone, do so through a browser?

dmcincubus says:

How icebike can still post here is beyond me. He's got to be one of the biggest shit starters to ever grace a message board. He's like the skip bayless of android discussion.

I believe this problem is wholly misunderstood. When you provide your phone number to Facebook in setting up your profile, you have the option of whom to make it visible to. If you make the visibility of a phone number public, friends, or any setting other than only me, it compromises your identity because certain settings (no, I'm not going to take the time to find out which) allow someone to find your Facebook profile from your phone number. Imagine giving your phone number to a stranger, say as you would in dating, and your first name, nothing more. Now imagine that person now knows your last name, and perhaps even more, because you did not practice due diligence in securing your profile and the attributes of such that are searchable. The Facebook mobile app's Find Friends feature will find friends by phone number, for example.

Qoheleth says:

This is yet another thing that highlights the old philosophical question: Do you want to take responsibility for your own decisions or do you want someone to protect you from making choices you might regret later.
I tend to be one of the former, but I can certainly understand, having made a few bad choices in the past, wanting some agency (theoretically, with deeper knowledge) to watch out for me. Still, I'm with C.S. Lewis on this: I think there's nothing quite so dangerous as someone who is doing something "for my own good."
To this particular instance, I can't really see much more Google can do to inform you. They can't make you read the warnings. I suppose you could have some sort of coding that highlights what is most likely to be objectionable (such as making calls without user intervention).

ACADM says:

"The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."

How can you read the TOS first, and then agree or disagree without the above happening?

"When you set up your phone, or first use the app, you're given a link to the full set of Facebook policies, including their data use policy."

It seems by that point it is already too late, your phone number has gone to Facebooks servers without you being able to read the TOS, let alone agree or disagree to them?

I understand if you want to sign up to Facebook and give them all your information then that is up to you, but what about those who want nothing to do with it? Facebook should be allowed to data mine those who sign up for it, but not those who haven't.

The EU went after Google after it 'accidentally' sucked up peoples Wi-Fi data with its Street View cars, so I hope the EU take a look at this and Facebook as whole because I do think they've gone too far.

Andyvalver says:

The thing that annoys me is that they can do what they want. If you don't agree to what they put you cant use their service. Alot of these services like Facebook twitter, even Xbox live are so popular that they can put whatever they want in the terms and conditions because people don't want to be left out if all their friends are using them. So basically your screwed. You would have no social interaction over the Internet if you disagreed with every companies terms.

Posted via Android Central App

rlbrooks says:

Wow, the entitlement amongst commenters is amazing. This "I can be defamatory as much as I want but the author better shut up." Attitude is like watching a bunch of 5 year old's argue. I really think that if you are worried about friends finding out stuff about you, then maybe social media isn't your thing. Maybe you should event paranoid reclusive media.

Posted via Android Central App

ScottJ says:

People don't care about friends getting the info, they care about Facebook doing it. If Facebook is mining my friends' on-phone contacts to get my phone number and transmitting it, that's a problem. This is something the FB apologists don't seem to get.

Posted via Android Central App

ACADM says:

Exactly, you handing over your own private information to Facebook is one thing, someone else handing it over (or Facebook taking it) without your permission is very different. I'm not sure how Facebook has been allowed legally to get this far. How come they can get my private information and do whatever they want with it, without me even having a Facebook account? Or being able to tell them to delete it? This is far worse than anything Google has done and I hope authorities, probably in the EU, try to wrestle back some privacy control for people.

lightyear420 says:

Facebook is currently, and always has been installed on my phone and I even just checked to confirm....my phone number is NOT listed in my profile. I even have the new beta facebook apk installed, and my number is nowhere to be seen! If you don't give them permission it doesn't get shared. That's what makes linux so great...you need permission for everything!! That's why I use ubuntu desktop, as well! Be smart about your privacy and these things won't be an issue ;)

3165dwayne says:

Jerry's assessment is deeply flawed when it comes to those who had the app preinstalled. How could they have read anything of the sort especially when at the store most of the time the reps will setup the devices for the customers and skip these things themselves. When I bought the HTC one I had to argue with the T-Mobile rep to use my own Sim card which he denied saying u should always change your Sim card. wtf. I've never opened the app and don't really use Facebook. Thought it was enough to ignore it. I recently just disabled the app because I haven't yet felt the need to root it. Doesn't best buy also have that program called walk out working where the go even deeper than the store reps? Then the customers will never have a chance. What about those who aren't very computer savvy, the ones using smartphonesbfor the first time? It really isn't fair.

jerrod6 says:

I've read the article and all of these comments and I am still confused.

So I don't use facebook and don't expect to ever use it on a phone or computer. So I buy a phone that has the facebook app pre installed. I set my phone up and do not set up the facebook app because I am never going to use it.

So does my phone number get sent to the facebook servers?

ads says:

Unfortunately I probably used the facebook app 3 phones ago before I realized they did this, but maybe they didn't back then. I only use browser version now, don't do apps, everything is locked down. Imagine my surprise when giving my phone number to a friend that had the email addy I used for FB on his phone via his FB app.

I just checked my settings. "Allow friends to download my email address in Download Your Information" and it is NOT checked. Obviously that didn't stop anything. Once my work is done finding people for my HS Reunion, I'll probably close the FB account.
Their policies, practices, and service execution failures are just terrible, nothing else like the amount of fail they have IMO. Apparently, no matter how careful one tries to be, they're going to collect your stuff and put it out there, on purpose (constantly changing privacy rules and settings) or by execution errors.

ADS

SpyderHawke says:

Maybe it's just me, but I can't actually find where it says that Facebook can do this. The only time the terms mention your phone number in the terms is making sure that your number is up to date:

"In the event you change or deactivate your mobile telephone number, you will update your account information on Facebook within 48 hours to ensure that your messages are not sent to the person who acquires your old number."

The permissions, as I read them, only pertain to the app being able to read the number, not Facebook.

"READ PHONE STATUS AND IDENTITY
Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call."

So, where does it say that Facebook can store my number?

Dire Randall says:

I've given my phone number to a lot of people over the years, mostly friends, under the reasonable expectation that they wouldn't give it to other people. Facebook breaks that trust; in fact, if the last few years should have taught us anything, it's "Don't Trust Facebook." I don't, not with anything important, not anymore. 'Problem is, it's closing the barn door after the horse has left - these companies have mined SO MUCH data on us all over the last decade, that to refuse to give one data is pointless - all they or anyone snooping on you has to do is follow trails to the information where it's previously provided to other groups.