Android's permissions system for stuff like that is indefensible. Anything with severe privacy implications like "years of text message history" should explicitly opt-in with a permission request popup at runtime like iOS has done for features like camera since launch.
Of all the things to not copy from iOS, of course privacy is the one that they decide to skimp out on. I'm glad they've started to catch up, but they have a ways to go yet.
Android has a lot of nasty corners around stuff like this, which can prevent being both streamlined (accessing all photos does let you optimize for your app, some people want that) and privacy-friendly (for people who don't want that). My personal favorite:
If you don't request camera permission, you can still open the camera with an intent. This is great!
"Give app X direct access to the camera, microphone, and all my photos literally any time it pleases" and "use this camera app I trust instead" are very, very different desires.
Usually I hate the in-app cameras, because they're not optimized for my device. They're usually slower, have no flash control, no zoom, no manual exposure options, etc. I'd almost always prefer to use a dedicated camera app instead.
Because of this permissions decision, if an app wants to bake in a camera thing (nearly every app that might ever touch the camera does, even if e.g. only for a QR code reader or something), I can no longer choose. The app can't open my camera app when it makes sense.
This would be easier to control if Android would allow users an option to see historically what resources the app requested and how it processed them (just list them, used them, processed them).
I'm not sure about recent Android versions, but on my 3-4-year-old Alcatel with Android v4.3, there is already a rudimentary preference menu listing the last accesses of apps to resources (e.g. "Instagram accessed contact list 3 hours ago"). The menu is not easily accessible; I found it by chance.
That appeared in 4.3, hardly accessible. Was made somewhat more accessible in 4.4 and then was patched out in something like 4.4.1 or so. I presume, some Google exec got to know of it and demanded it removed.
Starting with Android 6, there's the new permission model, meaning that a similar screen is added to the settings of each app, but it doesn't show when an access happened (or at least it does not for me on Android 8.1).
DTEK by Blackberry app can track/notify on foreground and background permissions usage (but there's no data from before you install it). To log how requested data is actually being used by an app doesn't sound possible to me.
Intents are alive and well, but they've been broadly crippled until recently-ish (well. they still are, but at least now you can read/write stuff in a user-defined folder... kinda.). And the fancier stuff is totally broken on a large number of devices. And it's fairly complicated to support all of it and still be backwards compatible for older OSes that don't have it.
But yes! It exists, and most applications could pretty easily use it instead.
But most of it seems to be laziness / misunderstanding. And Android's broadly terrible documentation does not help this at all. E.g. a huge number of apps that want external storage permissions just use it to store external caches outside your system partition, which is very nice for people with an SD card / limited internal space. Many companies don't seem aware that this no longer requires any permissions though - you can store internal and external data in your app-sandboxed folders by default.
Applying this to contacts, too, would also make it somewhat less impossible to use WhatsApp and similar messengers legally.
If you don't know why it's illegal: WhatsApp uploads all of your contacts to their server. Granted that their ToS are not themselves ruled illegal at some point, it is on you to get a written permission from all of your contacts that they are okay with you uploading their data to WhatsApp's servers.
So, unless you block access to all of your contacts or actually ask every single one of your contacts for written permission, it's illegal. With selective contact access, you could at least attempt to only grant access to contacts that you actually did get written permission from, or I don't know, of which you know for sure that they are using WhatsApp, too.
And yes, I do love the thought of hitting on someone in a bar and then pulling out this massive form sheet to ask for their written permission, just so you can ask for their number afterwards.
What legal system are you thinking of? I don't really see myself getting in legal trouble for revealing someone's contact information to a third party. It's a pretty normal thing to do. If I knew your phone number, and somebody else asked me for it, what's stopping me from telling them?
Germany has privacy protection laws, and a privacy protection officer warned that 99% of WhatsApp users act illegally by not asking their contacts for permission before giving WhatsApp access to their contact information.
If I don't sue you, yeah. But if you're not sure that I won't have a problem with it, you should better ask me in advance.
In your example, this sounds silly, but it's just not categorically different from examples where it doesn't, like say someone who stalks me asks you for my phone number, or a scam caller does.
At least on iOS I think you can do this from the Photos app itself using the share sheet -> Messenger rather than using Messenger’s send photo button (which requires the app to get photo permissions).
I do agree it would be nice to have “Just once” on pretty much every permission dialog. Apple’s change to mandate an “Only while using the app” on location info after Uber’s location tracking fiasco was a good step in this direction.
They don’t get access to everything on your phone do they? As I remember (and this was years ago) they could ask for the photo dialogue to pop up and you could choose a photo but the app didn’t actually get access to all of them, only the ones you chose.
But they don't have to ask for access to all your pictures. You can ask Android to show the standard picker, get the one picture you've selected and that's it.
Or you can do it the way FB does it, by asking for permission to access all your pictures and build your own non-standard picker...
On the iPhone this was actually fixed in iOS 11. The standard image picker (UIImagePickerController) now runs out of process, and no longer pops up a permission dialog, but instead just gives the app access to only the photo(s) the user selected.
What they're saying is that it should be the user's choice, not the developer's. If I want to run your gallery app with only a handful of the pictures that I have, I should be able to do so.
Because ultimately, developers don't really need to care. Too many users don't understand the implications at all. And if it's for example a messenger that all your friends use, you don't really have much of a choice than to trust it, if you want to talk to your friends.
Heh I don't bother with the app and suffer with the web interface.
Annoyingly I now need to "Request Desktop Site" to use Messenger or else it tries to get me to install the app. The artificial friction they've put in place has pushed me ever closer to just deleting my account.
Thank you, I remember using this at some point but forgot it. I'm still probably going to trash my account but this does make it much more tolerable. This and i.reddit.com make life on mobile a bit more pleasant.
Custom ROMs for Android phones had this feature. You get to choose whether to allow once, allow all, deny once or deny all. I haven't used a custom ROM in a long time though, so I don't know if they still have it.
"Allow once" is different from "Allow just this one picture". With "Allow once", they can still scrape all your pictures, they just have to do it in one go.
Custom ROMs unfortunately can't really do much to implement the latter, they'd have to break compatibility with the whole Android ecosystem, which Google knowingly built this way.
I mean, Android technically supports it, if the app developer wants to. Then they can send off an "Intent", asking the OS to ask the user to select e.g. one or multiple .jpg and .png files, and then the OS hands those files back to the app.
The problem is that not many users understand the implications of just granting permission, so developers don't really need to care.
And this dialog that Android opens is roundabout the shittiest, least usable piece of software I've seen in a long while, so for a developer it actually can pay off to ask for full permission and then build your own file selector even if you have no malicious intentions.
Others here have mentioned that iOS also supports basically this the same way as Android, though presumably they have not quite managed to make their file picker quite as shitty.
And then, well, browsers have worked like this since forever. So, presumably Firefox OS works/-ed like this, too.
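The intent route described above (the system picker that hands back only the files the user chose, plus the camera intent mentioned earlier in the thread), as an added Java example that is not from any commenter here. The provider authority `com.example.app.fileprovider` and the `files/captures/` layout are assumptions; the manifest must declare a matching `FileProvider`, and no storage or camera permission is requested.

```java
// Added example: picking images and taking a photo via system intents, so the app
// never holds READ_EXTERNAL_STORAGE or CAMERA. Only the user-selected URIs come back.
import android.app.Activity;
import android.content.ClipData;
import android.content.Intent;
import android.net.Uri;
import android.provider.MediaStore;
import android.util.Log;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class PickOrCaptureActivity extends Activity {
    private static final int REQ_PICK = 1;
    private static final int REQ_CAPTURE = 2;
    // Assumed: the manifest declares androidx.core.content.FileProvider with this
    // authority and a <paths> entry <files-path name="captures" path="captures/"/>.
    private static final String AUTHORITY = "com.example.app.fileprovider";

    private Uri pendingCapture;

    /** Ask the system document picker for one or more images (ACTION_OPEN_DOCUMENT,
     *  API 19+). The app is granted read access to exactly what the user selects. */
    public void pickImages() {
        Intent intent = new Intent(Intent.ACTION_OPEN_DOCUMENT);
        intent.addCategory(Intent.CATEGORY_OPENABLE);
        intent.setType("image/*");
        intent.putExtra(Intent.EXTRA_MIME_TYPES, new String[] {"image/jpeg", "image/png"});
        intent.putExtra(Intent.EXTRA_ALLOW_MULTIPLE, true);
        startActivityForResult(intent, REQ_PICK);
    }

    /** Hand off to whichever camera app the user prefers. The photo lands in this
     *  app's private files dir; the camera app gets a write grant for that one URI only. */
    public void capturePhoto() throws IOException {
        File dir = new File(getFilesDir(), "captures");
        if (!dir.exists() && !dir.mkdirs()) throw new IOException("cannot create " + dir);
        File photo = File.createTempFile("capture_", ".jpg", dir);
        pendingCapture = FileProvider.getUriForFile(this, AUTHORITY, photo);
        Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        intent.putExtra(MediaStore.EXTRA_OUTPUT, pendingCapture);
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        // On Android 11+ resolveActivity() also needs a <queries> element in the manifest.
        if (intent.resolveActivity(getPackageManager()) != null) {
            startActivityForResult(intent, REQ_CAPTURE);
        }
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (resultCode != RESULT_OK) return;
        if (requestCode == REQ_PICK && data != null) {
            for (Uri uri : extractUris(data)) readImage(uri);
        } else if (requestCode == REQ_CAPTURE && pendingCapture != null) {
            readImage(pendingCapture);
            pendingCapture = null;
        }
    }

    /** A single selection arrives in getData(); multi-select arrives as ClipData. */
    static List<Uri> extractUris(Intent data) {
        List<Uri> uris = new ArrayList<>();
        ClipData clip = data.getClipData();
        if (clip != null) {
            for (int i = 0; i < clip.getItemCount(); i++) uris.add(clip.getItemAt(i).getUri());
        } else if (data.getData() != null) {
            uris.add(data.getData());
        }
        return uris;
    }

    /** The URI grant is temporary and scoped to this activity, so copy the bytes now
     *  if they are needed later; here we only measure them. */
    private void readImage(Uri uri) {
        try (InputStream in = getContentResolver().openInputStream(uri)) {
            if (in == null) return;
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) > 0) total += n;
            Log.d("PickOrCapture", uri + ": " + total + " bytes");
        } catch (IOException e) {
            Log.w("PickOrCapture", "could not read " + uri, e);
        }
    }
}
```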
I think the main difference between the two mediums is that email is push-based, while Facebook is pull-based.
With email, you have to explicitly select recipients. You're essentially saying "here are my photos, I think they are relevant to you specifically". The onus is on the sender to figure out what's good for the receiver, and it's considered rude to send many frivolous or irrelevant messages. Think of how you grumble when you unsubscribe from some company's mailing list - this is an example of this social norm.
With Facebook, you say "my photos are here, anyone may look at them if they want". Figuring out whether the content is relevant is now the job of the receiver, not the sender. Facebook's UI is well aligned with this role: unlike email, where you must explicitly download attachments and mark messages as read, on Fb image previews are displayed inline and to never see a message again you must only scroll past it. Advertisements aren't considered intrusive, it's just content from another source that is (in theory) just as easy to ignore. The social dynamic is very different, and so it's used to send a different sort of message than email.
I have 75 relatives on Facebook who live around 3000 miles away from me. If I want to share a photo do I send a mass email to all 75 annoying those who aren’t interested, do I BCC everyone so I get repeated responses (and those responses aren’t shared with anyone else who is interested). Or do I post it on my Facebook feed where those who aren’t interested can ignore it (and it will be gone soon) and those who are can have a conversation around it without getting in everyone else’s way?
Edit: ok maybe around 40, not 75. But point still stands, it’s indirect communication rather than remembering about that cousin of an auntie’s grandparent’s nephew’s sister-in-law that I met ten years ago.
People are strange. My family all have iPhones, we all use iMessage, yet for some reason we have a group chat on WhatsApp which is where my sister and mam share photos of my nieces.
The functionality is no different to iMessage. I don’t know why this happens. It just does.
The first time I installed the Facebook app and saw the huge wall of permission requests (back before they had on demand permission requests and they all had to be up front), I noped out of that crap.
Never installed the facebook app on any of my phones (In the odd event I REALLY need to check a cat picture on facebook, I use the browser version). Glad I went that route.
Now though I got a Samsung phone that has the Facebook app preinstalled, but I never opened it (and all the other preinstalled apps DON'T have the permissions on by default... so I hope it's true of the FB app too).
Do handset manufacturers ship Facebook pre-installed? And if so, do they choose the permissions for pre-installed apps, or does the user do this on setup?
The only difference is the you don't get your space back since preinstalled apps occupy a different partition, but the app itself cannot run in any way.
MIUI has a brilliant permission mechanism for older Android versions. From Lollipop, it switched to iOS-like permissions, and so TrueCaller-like apps cannot even be opened without giving permissions.
I removed my phone number from Facebook profile months ago.
Now and then, Facebook still asks me if "XXXXXX" is my number?
Once I unintentionally linked my Facebook account with my insta account. And then I started getting follow suggestions from people in my Facebook friend list.
I tried many things to de-link the accounts. Ultimately, I created a fake Facebook account and linked it to my Insta.
Once you give something to Facebook; it's never truly erased.
I never connected my FB/Insta accounts and they were created with different email addresses entirely. Was conscious of not letting the two connect. One day my Instagram account started actively recommending my FB friends. Anybody have this experience?
Yes! It's insane. It's probably using location data and IP address among other things. If they had even an ounce of concern about privacy they would detect and explicitly prevent making recommendations across accounts that someone is obviously trying to keep separate.
I created my Insta account before FB bought it. For some stupid reason I let it connect to FB for (limited) sharing some pics, rather than doing it manually - then that was it.
I don't want all my FB contacts to "see me" on Insta; I just have tonnes of people adding me with no real interaction. The integration is really quite obnoxious. I have in fact stopped using Instagram now due to this.
Good story. And I bet you there are lawyers in Europe sharpening their teeth right now waiting for GDPR to kick in to send Facebook discovery letters just a minute after April 1st passes. Need popcorn and a comfortable chair, as the stock is down 10%, and we've just started!!
I understand the blow-back against their privacy abuses, it's well deserved (as it was in the past). However, this kind of response is just funny.
The stock is back to where it was in July. Up 100% in less than three years.
$464 billion market cap.
Things are really dire. They'll only earn $20 billion this year, growth will only be 30%+.
They only have ~$43 billion in cash right now with zero debt. That's barely enough to keep the lights on. They should shut down the business right now before they run out of money.
The speeding tickets they might one day get from the EU, could cost them hundreds of millions of dollars. But just imagine, what if it's $3 billion. I mean, it's not like Facebook can reluctantly change several of its policies while maintaining its massive 2+ billion userbase and keep right on printing money at their 50% operating income margins. Yeah, but just imagine if their operating income margins decline to only 40% because it crimps their business model by reducing the value of their ad targeting. And what if it cuts their growth rate in half? Under that scenario they might only earn $30 billion in net income in 2021. It's a rough road ahead.
The other fun part? They'll still net add global users in 2018. None of this is going to matter for the survival of their business, although it might improve user privacy around the globe and that'll be a big win.
Many have tried to take a slice of FB’s pie - almost all failed to make a serious dent, and the main social media alternatives are also generally struggling (or have serious fundamental issues of their own).
At this point, I’m very skeptical another company will unseat FB’s dominance for quite a while, if ever.
That's true, but there's a difference between FB and Friendster/MySpace: Zuck is apparently trying (and succeeding) at managing that risk.
Instagram was growing quickly and could seed the next big FB competitor. So FB bought them for a $1B valuation almost everyone thought was crazy at the time.
WhatsApp could seed the next big FB competitor. So FB bought them for $20B or so, which again was mostly considered crazy at the time.
Neither of these is crazy in retrospect: FB's dominant position is easily worth what FB paid for these and more.
FB didn't manage to buy Snap, so they started waging war, adding Snap's features 3 times (to FB, WhatsApp and Instagram).
FB management is actively trying to stay dominant. MySpace was, in comparison, passive; and friendster was never as dominant.
Okay, then just wait and see what will kill Facebook, since you already described what killed previous networks.
I personally think what will kill Facebook is simply the maturing internet and hence maturing people that use it. Most people (family) I had on Facebook deleted all their likes, and pages they follow, and artists they were listening to; my brother told me "I have no idea why I added this dude, guess I was young". Eventually I bet 30% of Facebook will wake up to the privacy abuse FB made its business, and will move on.
Disclaimer: my view can be distorted, since I'm building a new social network.
Whatever kills Facebook won’t look like a social network - they will see and fight it.
It will look like something else but turn out to be a social network replacement in retrospect.
Microsoft was not dethroned by Linux or free software (cheaper and arguably better) - it was dethroned by mobile phones. And it’s still alive, just not the king anymore.
I'm more than happy to see FB go down the tubes, but legislating away memory is foolish. It's part of the war on general purpose computing.
The way things are framed to make them seem good is very interesting. What if I proposed we make keeping records of past information and actors encountered illegal if they don't want you to remember, while at the same time make it trivial for the same people to waste your time by demanding free consulting?
I realize that it's too late to cry over spilled milk, but that was one of the reasons for which Firefox OS was developed. We wanted to push a different permission model in which permissions were much more fine-grained and could be audited and revoked easily. Sadly, one of the reactions of the development community (including HN commenters) at the time was along the lines of "Android is just fine".
I understand that recent versions of Android have moved towards adopting a permission model closer to that of Firefox OS, though, and I suspect that the example given by Firefox OS at least showed that it was possible.
P.S.: Yes, Firefox OS had other problems. Let's not try and idealize the past :)
I don't see how revoking permissions solve that problem.
Once an app has scraped your info, you can revoke its permissions all you want; it is not going to delete your data from its server.
What’s the supposed justification for scraping text message data? I mean the contact list could be justified as a means of cross referencing friends. I’m having a hard time coming up with a legitimate use for text message data. Best I’ve got is “who do you contact regularly?” which is still insanely creepy.
Is it known yet whether they just collect metadata or collect message contents?
I can't see any justification for collecting the actual text of my messages.
But if I'm digging for justifications, I can see some benefit to me, the user, of collecting aggregate stats of who I contact regularly. It could be used to decide what content to surface in my feed. Or whose birthday to remind me of. Or which names to suggest when I create an event invite. They are a social platform, after all, so knowing who I socialize with seems relevant to making that work better.
Not that it isn't creepy, but if the question is whether there's an actual benefit to their having the data beyond just targeting ads, it's somewhat plausible.
Isn't all of this for friend suggestions? The people you text most often are more likely to be your friends.
Other services ask you to give them your email username and password, so that they can scrape your inbox to discover your contacts. I think LinkedIn used to do this, but they appear to just use SSO with the largest providers now.
I think it's "This helps us orient both ad- and non-ad- content on Facebook to fit you optimally and keep you on Facebook and also figure out why people keep texting instead of using FB Messenger."
I never manage the address book in my email app, and when some services want your Gmail or Yahoo Mail credentials so they can import contacts, having an empty address book makes that useless. So yeah, the "clever" importers trawled through your mailboxes for the addresses. I'm guessing they thought they needed to do the same for phone contacts - which doesn't make sense because people actually manage that, although I've met one person who doesn't do that - she doesn't seem to need to know who is calling/writing her.
This is speaking speculatively but Facebook right now is heavily trying to go into Messaging AI (Messenger) and so it needs to train those AI. I'm actually kinda surprised if they foresaw that training data so early but yeah it's really creepy.
It's not hard to foresee wanting "everything" with the goal of sorting it out later, but Messenger is a no-brainer for FB if they want to continue having access to message content.
Funny how this is popping up now (presumably because some guy noticed his call logs were in his Facebook data download and tweeted about it), even though the permissions in question (described in no uncertain terms) were in the app for years, and there was an explicit setting in the app to turn this on/off http://i.imgur.com/NRarWdh.jpg.
There was no explicit setting to turn this off until somewhat recently, and this is addressed at the start of the article:
> This screen in the Messenger application offers to conveniently track all your calls and messages. But Facebook was already doing this surreptitiously on some Android devices until October 2017, exploiting the way an older Android API handled permissions.
read your text messages (SMS or MMS)
read call log
Was nobody able to make the inference that facebook might be uploading this stuff to their servers? Remember this was during the whole "facebook is surreptitiously listening to our conversations" fiasco.
Everything you install on basically every desktop OS, by default, has access to practically everything.
I think most people would be surprised if they discovered that apps were uploading their emails. And photos. And tax documents. Just because they happened to be on the hard drive, and there were no permissions to prevent it.
Expecting FB to not do similar and respect basic privacy by default is reasonable. FB doing such things just because they can is not.
If I thought that a file manager would steal all my data, I'd never install it. On (most) desktops there's no easy choice: apps will have permissions, but you might be able to sue the author for illegal access if they took all your data.
On mobile, suddenly, it's: lol, you gave it away!
That makes little sense. Yes, we should have better sandboxes - but we still have very few (none) usable general operating systems with Internet access that are "secure beyond trust".
Absurdly, I'd be more confident in a typical Debian install with thousands of programs from "main", some running in the kernel - than a typical Android device.
Because of presumed incentives for the volunteers/employees working on debian and the various upstream projects.
This is 99% about trust and incentives and 1% about capabilities.
The problem is that apps need certain permissions to perform their function. Such as a music app that needs access to the phone module, so it can pause the music when a phone call arrives. This has the effect of users not paying attention to the specific permissions, since in many cases the need for them isn't obvious.
Why? Why doesn't the operating system do that for them? Why is it up to individual applications to decide whether or not they want to pause music when a phone call starts?
Here's another one: app needs the storage permission to attach a diagnostic log file to a bug report email. An OS that sandboxes applications should absolutely provide a way to do this without additional permissions (a file that was only ever written by the app cannot contain data not available to the app to begin with); as it is, either the user starts ignoring permission prompts because otherwise things don't work, or they deny them and the developer can't get a log file.
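The log-file case above, done without any storage permission (it also illustrates the app-sandboxed folders another commenter mentioned): the app writes into its own `getFilesDir()` and hands the mail client a one-off read grant for that single file. This is an added Java example, not code from anyone in the thread; the authority `com.example.app.fileprovider`, the `logs/` path and the matching manifest `<provider>` entry are assumptions.

```java
// Added example: attach an app-private diagnostic log to a bug-report email
// with no READ/WRITE_EXTERNAL_STORAGE permission in the manifest.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

public class BugReportHelper {
    // Assumed manifest entry:
    // <provider android:name="androidx.core.content.FileProvider"
    //           android:authorities="com.example.app.fileprovider"
    //           android:exported="false" android:grantUriPermissions="true">
    //   <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
    //              android:resource="@xml/file_paths"/>   <!-- contains
    //   <files-path name="logs" path="logs/"/>            -->
    // </provider>
    private static final String AUTHORITY = "com.example.app.fileprovider";

    /** Append one line to a log inside the app sandbox; getFilesDir() needs no permission
     *  and nothing outside this app can read it unless we explicitly share a URI. */
    public static File appendLog(Context ctx, String line) throws IOException {
        File dir = new File(ctx.getFilesDir(), "logs");
        if (!dir.exists() && !dir.mkdirs()) throw new IOException("cannot create " + dir);
        File log = new File(dir, "diag.log");
        try (FileWriter w = new FileWriter(log, true)) {
            w.write(line);
            w.write('\n');
        }
        return log;
    }

    /** Build the share intent. FileProvider turns the private path into a content://
     *  URI, and the read grant flag scopes the receiver's access to that URI alone,
     *  for the lifetime of the receiving activity. */
    public static Intent buildReportIntent(Context ctx, File log, String recipient) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, log);
        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType("text/plain");
        send.putExtra(Intent.EXTRA_EMAIL, new String[] {recipient});
        send.putExtra(Intent.EXTRA_SUBJECT, "Bug report");
        send.putExtra(Intent.EXTRA_STREAM, uri);
        send.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return send;
    }

    /** Convenience entry point: record that a report was requested, then let the
     *  user pick a mail client from the system chooser. */
    public static void sendReport(Context ctx, String recipient) throws IOException {
        File log = appendLog(ctx, "bug report requested");
        ctx.startActivity(Intent.createChooser(buildReportIntent(ctx, log, recipient),
                "Send bug report"));
    }
}
```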
I'm ex-FB and have it on good authority that this is indeed used to improve the relevance of friend suggestions (i.e. distinguish between your best friends and the plumber in your contacts). I'm also told it's opt-in, and the app dialog (not just the system dialog) does say call logs will be scraped.
But still, IMO it's an incredibly invasive, incredibly dumb thing to be doing in the current context for the small benefit it brings. I hope they wake the f* up to just how bad it makes FB look to the outside world, and kill this feature with fire.
When you allow an app to access your contacts, they grab all of them and upload them to their servers. It's less severe in iOS because they can't access SMS and call logs.
This is one of the things that led me to stop using Facebook last year. In order to use the app you have to give it all manner of permissions. And of course, if Facebook can access your data they’re going to suck in as much as they can. They don’t respect you, they want to use you.
So put me in the “not surprised” category, but I’m really glad there’s more discussion of this.
Yawn! We knew this was happening for years. FB scraped data for one purpose only: To figure out who your close friends were offline. And they wanted all sorts of information that could indicate closeness. From location data that would show how often you meet up together and how long you hang out. To phone call and sms data.
Now a lot of that data is dead data. Like it has no use after a couple of years. But just like Google cookie having an expiration date of 20 years, FB just does not know when that data becomes irrelevant.
FB and zuck have this manifest dream of figuring out connections and then figuring out the strength of those connections. Then they want to figure out social relevance. Then they want to use that info to bind people together on their platform. It is not a bad idea overall, until you add in government and corporate entities.
And by that time you know how evil of a thing you signed up for.
I'll throw in another place where permissions aren't nearly granular enough - online file storage (Dropbox, Onedrive, Box.com, etc.). Perhaps I'd like to allow an app to save information for cross-platform use or just because I want it on my own personal cloud storage - 1Password's older versions are a great example of this. I haven't looked at it recently, but I'm not aware of any changes that add that level of granularity to the APIs.
What throws me is that I'd expect security conscious developers to be clamoring for this. If I'm writing an app that should store data for users on the user's own accounts, it's not "I do not want to have access to everything" it's "I do want to NOT have access to everything."
People have been running untrusted apps in the browser and collaborating over the internet for more than two decades now. Mobile OSes threw out all the safety lessons codified into web browsers and built an entirely new permissions model. A decade later, here we are - there are hundreds of companies holding varying levels of access to your entire contacts list, text messages, GPS data, photos and other media. And all of them will hold on to it for eternity.
I for one, am glad web apps are making a comeback. Now I use web apps wherever possible, fully aware that I can't do anything about what's already been shared.
From my insider source, I'm told that permissions will change significantly in the near future.
Just FYI: a lot of other apps also utilize the same permission. Just an aside but Google also has the authority to whitelist certain applications for these permissions - meaning they can enable certain invasive permissions without asking the users.
We shouldn't just vilify Facebook. It was how the privacy framework was designed for Android that's the issue. This will change in the next upcoming versions.
Their permission requests are outrageous. That's why I refuse to install any apps from Facebook on my phone, and pollute my Facebook account with false personal data.
Right now, an app can force a choice: enable all the permissions, or you don't get to use the app. Users need to be able to feed fake data into the app. For example, maybe Facebook should think I am spending my time with Bill Gates in Bhutan. Users should be able to install dishonesty plugins to generate this data.
I already suspected this due to getting more posts from my friends based on who I texted, and they were Android users. It's fucking annoying. Also, using the same wifi network leads to getting friend suggestions
The richness of the irony in your question makes me wonder about your level of sarcasm.
On one hand, it's pretty reasonable to say that absolutely nothing changed at Facebook. We are all witnessing the effects of latency.
On the other hand, the change(s) that has ushered in this uptick in negative opinions in regards to Facebook will likely be the source of vigorous debate for some time.
For one, this is just the latest example of habitual behavior on Facebook's part, selling third parties more access to personal data than the persons referenced are comfortable with. The response every single time has been for Facebook to say roughly "We agree in principle that we slightly messed up, and as our more than adequate self-imposed penance, we will solve this problem in secrecy with the completely untested technology that we've been working super hard on ever since we discovered this problem 2 years ago, but only acknowledged publicly as a strategic move when no better alternative existed to preserve our viability as a corporation".
Additionally, the data subjects do not generally understand the power imbued to the purchaser of that data at the point they give away that data. Further, they possibly are giving up the legal right to any privacy stemming from what that data may tell third parties.
In the context of all of these generally nebulous problems is the growing news story involving Cambridge Analytica's alleged use of Facebook's data, the President's use of both of those, and the extent to which it can be argued that voter outreach crosses a line into deceptive psychological manipulation.
It's what folks in scientific fields refer to as evidence that supports, as opposed to weakens, a falsifiable hypothesis.
Google is as much to blame here as Facebook is. It shouldn't have allowed apps with "contacts" permission to scrape sms & call logs. I hope both of them are held accountable
If I run a program, I don't expect it to scrape my home folder just because technically my OS granted it permission to do so. And I don't think that is a distinction the law makes, either. Intent and explicit consent matter.
> If I run a program, I don't expect it to scrape my home folder just because technically my OS granted it permission to do so.
Back in the day, apps that did this were called spyware and would be forcibly removed by Antivirus/Anti-malware programs. It's incredible that Facebook gets a pass for equivalent behaviour.
While I agree with your view here, I think app developers have proven over and over again that this is no longer a reasonable expectation we can have as users. We need more and stricter sandboxes for everything.
We can wear bullet proof vests every time we leave the house too.
Put a few app developers in jail for what they do and render their businesses bankrupt and maybe we don't need to treat our phones as hostile to their owners?
Not everything that's permitted is compulsory. I mean, suppose you frequent a store with a penny tray and you decide, since it's ok to take one penny, why not take all of them? And if you get away with that, why not start cleaning out tip jars? Maybe you will get arrested, but maybe not. I feel like computers are training people that everything you are technically permitted to do is worth trying. I'm not even sure what the rules should be, but rather I feel like losing a common sense of unwritten rules is losing part of what it means (or used to mean) to be human.
The app store is front and center on Mac. All apps are sandboxed by default. Steam is another sandbox. A browser is a sandbox.
The problem is that it's hard to write an interesting Mac desktop application that runs in a sandbox. The kind of complexities that require a full blown desktop application just don't fit in a sandbox. (As opposed to a game, mobile, or web app.) Whatever runs in a sandbox turns out to be just a prettier version of a web app, or a self-contained game.
I often use Pixelmator and Cyberduck sandboxed and downloaded from the App Store.
I struggle to find out how they are not "interesting" or usable. But I get that it can be hard for developers to integrate all the constraints of sandboxing.
App distribution on macOS was always different (even since pre-OS X) compared to the rest of the UNIX world. The drag-and-drop to deploy, for instance, must seem ridiculous to people used to installing via the apt-get command line. Yet it's way more user-friendly because it puts the burden of complexity in developers' hands instead of users'.
The permissions are more granular than that. There are specific permissions needed to read SMS and read call logs, but Android/Google Play groups them into top-level categories such as "SMS" and "Phone".
I would like the option to write code that answers my phone or downloads call information or operates a switchboard etc. I don't have a current application but when faxes existed I might have wanted to automate things with an app of my own devising.
I am not a fan of operating systems that deliberately obfuscate things that could technically be done. If I was developing my mobile customer service app then I would like to develop it in such a way that it would not mysteriously fail due to some overly complicated access keys. Or to require a 'rooted' device.
I would not expect my app to be fit for the Google store though. Or any other online app store. Maybe rather than permissions it is the store and what is allowed in the store that is a problem.
None of the above. It is a hard UI problem to present the plethora of different features that need access control to the user such that they can meaningfully engage with each one.
For example: which of the following permissions does the Facebook app currently get on Android?
I bet you don't know off the top of your head, and I'm certain that fewer than one in a hundred users do.
This is not because the Android team is lazy. All of this information is already surfaced to those who care to look, right there in the Play Store app. There's a spectrum of options between removing capabilities, presenting them in more detail, and providing a UI that doesn't make people's eyes glaze over. There is a constant tension among these three poles, and no matter where you are, there will be some use case that isn't served well.
No, permissions were done in a substantially more granular way on iOS from the beginning of permissions. Contacts, photos, location, notifications all with their own permission request API to be fired at will.
Android started off with a blanket permission screen required to even install an app — all or nothing.
I don't think granular is the right word here. Android defines something like 150 permissions, so granularity is there.
The issue is (in old versions of Android) you cannot be selective about which ones you grant.
The relevance is that when it comes to transparency, the big dialog of all permissions can disclose a fair amount of detail to the user about exactly what they're being asked to allow.
iOS isn't more granular, it just defers permission requests to the app rather than the app store. In proper practice that app then only asks for permissions when the user is performing an action that requires them, which at least helps the user to understand why they are being asked. Android has now shifted to this model too, but as always, old versions of Android persist.
There is some truth to that, but it's not that hard of a problem. Start by making a dependency tree, and only displaying the top nodes. "Do you want to share anything with app X?" yes/no and go from there.
Often the "it's too complicated" excuse is really a cover for "we make our money off your data and fund the development of this software to harvest it".
No, "it's too complicated" also recoils on consumers. I don't think your proposal would change behaviors.
Mass market customers don't read contracts and readily give out SSNs, credit card info, and other personal identifiers.
As a law prof. at NYU said,
>“For the most part [having read the contract] doesn’t matter,” she said. “Things don’t usually go wrong — except when they do. And then it matters.”[0]
Permissions are not long contracts, they fit in a single sentence. My super obvious suggestion further simplifies it. There's no reason a dep tree can't be made. The "people are too X" does not work.
My point's intent was to argue that consumer behaviors (not just those of firms) also shape these outcomes.
Do you have any studies or sources that support a permissions dependency tree approach for mass market customers?
I like "just-in-time" permissions (i.e. This app wants to use your location. yes/no?) That way, you aren't faced with accepting or not using the service at all, at the outset. [0]
RE studies: As far as I know it has never been tried. Dependency trees are common elsewhere in the software world.
This "just in time" stuff is awful; in its simple form, the user only has to click incorrectly once. The obvious way is a dep tree. Start with:
"should any app be able to download your contact list?"
if no (global!!) -> "can I have one contact right now" and tag that information for the provider "I don't expect you to keep this" or "please keep this info and use it to market to me". Really, it's mostly just excuses, there is no reason to upload the data 99% of the time, only the local software "needs" it for an instant, and even then, that's because the OS stack is designed wrong. I don't want new law to mandate this stuff, I want users to demand it with existing contract law.
Making it "per app" instead of global settings with very deliberate and specific (one time unless instructed otherwise) exceptions is exactly what I would do if I wanted to design a system to maximize my user data snarf ability.
Android is new, nothing is "great" at first, I'm not expecting it to be right yet, but ignoring obvious fixes like this going forward is (hopefully) going to give its forks more power.
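The dependency-tree policy sketched in the comment above, modelled as an added example (mine, not the commenter's and not Android's own code): a global switch per resource sits at the top, a per-app standing grant only counts while that switch is on, and otherwise only a one-time exception can allow the access, carrying the retention tag the comment describes. Class, tag and method names are assumptions chosen for illustration; the audit list is there because the same comment thread asks for a per-app history of requests.

```python
"""Model of a global-first ("dependency tree") permission policy.
Added example, not code from the thread or from Android itself; names
and semantics are assumptions chosen to illustrate the proposal."""
from dataclasses import dataclass, field

# Retention tags handed to the data recipient along with the data.
DO_NOT_RETAIN = "do-not-retain"   # use it now, then forget it
MAY_RETAIN = "may-retain"         # user explicitly allowed storage


@dataclass
class Decision:
    allowed: bool
    reason: str
    retention: str = DO_NOT_RETAIN


@dataclass
class PermissionPolicy:
    # Top of the tree: "should any app be able to read <resource>?"
    global_allow: dict = field(default_factory=dict)
    # Standing per-app grants, honoured only while the global switch is on.
    standing: dict = field(default_factory=dict)
    # One-time exceptions: (app, resource) -> [remaining uses, retention tag]
    one_time: dict = field(default_factory=dict)
    # Every request is recorded so the user can review history later.
    audit: list = field(default_factory=list)

    def set_global(self, resource, allow):
        self.global_allow[resource] = allow

    def grant_standing(self, app, resource, retention=DO_NOT_RETAIN):
        self.standing[(app, resource)] = retention

    def grant_once(self, app, resource, retention=DO_NOT_RETAIN, uses=1):
        self.one_time[(app, resource)] = [uses, retention]

    def decide(self, app, resource):
        """Walk the tree top-down; a global "no" ignores standing grants."""
        key = (app, resource)
        global_on = self.global_allow.get(resource, False)
        once = self.one_time.get(key)
        if global_on and key in self.standing:
            decision = Decision(True, "standing per-app grant", self.standing[key])
        elif once and once[0] > 0:
            once[0] -= 1  # exception is consumed on use
            decision = Decision(True, "one-time exception consumed", once[1])
        elif not global_on:
            decision = Decision(False, "global switch is off; ask for a one-time exception")
        else:
            decision = Decision(False, "no grant for this app; prompt the user")
        self.audit.append((app, resource, decision.allowed, decision.reason))
        return decision

    def history(self, app):
        """What this app asked for and what happened, oldest first."""
        return [entry for entry in self.audit if entry[0] == app]


if __name__ == "__main__":
    policy = PermissionPolicy()
    policy.set_global("contacts", False)
    policy.grant_standing("com.example.social", "contacts", MAY_RETAIN)
    print(policy.decide("com.example.social", "contacts"))   # denied: global off
    policy.grant_once("com.example.social", "contacts")
    print(policy.decide("com.example.social", "contacts"))   # allowed once, do-not-retain
    print(policy.decide("com.example.social", "contacts"))   # denied again
```

The ordering in `decide` is the whole point: a standing grant never overrides the global switch, and a one-time exception is spent the moment it is used, so an app that was handed a contact "for an instant" has no standing path back to the list.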
I'm confident that you would not consider it so easy if you had ever meaningfully engaged with this problem. The simple fact is no one has cracked the nut yet, and not for lack of trying. Either it is hard, or everyone who has worked on mobile device capability systems is evil or incompetent. I think the former is more likely.
Ok but then I really don’t want to read any more crap article about why Apple is lagging behind because their approach to privacy is restraining them to harness the full power of machine learning bla-bla-bla
It is fine to want things. These articles are as well founded as those that complain about the way Android does permissions. In that, they inform us about the spectrum of possible preferences among users. But inevitably every user considers only their use case, not how fixing it might break other use cases.
Are you claiming that there is no dep tree to be made? That's trivially false if so. Feeding apps fake data (for example to make them work with no data perms) has been suggested too many times to count.
Did you mean to respond to some other comment? In this thread, we are talking about cell phone permission systems. We are not talking about a "service," and the system in question is not something one buys or gets for free on its own.
I'm sure, there's cases where they just didn't want to have too many prompts, as that would result in people not reading them either.
But in other cases, this is also just Google that we're talking about. There's for example a presentation [1] where a Google dev introduces this new permission system and afterwards someone from the audience asks, if it's also possible to block internet access with it.
And the Google dev responds in the most innocent of ways that it doesn't need to be possible, because clearly the rest of their permission system works so flawlessly that no critical information one could want to upload to the internet would be available to apps anyways.
I know, never attribute to malice that which is adequately explained by stupidity, but it's not like the guy should be able to be this ignorant in the position that he's in. And Google does have reason to be malicious here. Without internet permission, their ads can't be displayed.
Especially the example in the video of the flashlight app is one where the permission system falls completely flat. In order to toggle the flashlight, you need to ask for full access to the camera, meaning you can take pictures as you like. And since you have internet, you can actually do something malicious with those pictures, too. Clearly, the user did not intend for their flashlight app to take pictures and much less so for it to upload them to the internet.
^this. As long as Google remains an advertising company with some incidental technology projects - they'll be hard pressed to ever fight internal culture/revenue enough to take meaningful steps towards privacy and security.
Just being able to write an app (code on the device) and deploy an ad (code on the Internet - possibility to run "code" like fonts, or trigger calls to site/unique.jpg) - would make preventing data exfiltration and/or tracking absurdly hard while continuing to cater to advertisers aka the paying customers.
The Android permission scheme is slowly becoming more granular. I'm not sure what the reason was from the beginning to have such generic permissions.
When you saw large lists of permissions on apps before Marshmallow, you had to accept them all; now it requests each on first use, but I'm still not a fan of apps that want everything.
Android is a decade old. Our expectations of what apps would and wouldn't do, and would and wouldn't be capable of doing has changed. Back when the apps on my phone were in the range of being 400 KB to 600 KB, I don't think people even fathomed the complexity and power our devices are at right now, and their ability to secretly handle ever increasing amounts of our personal data without having a meaningful impact on device performance.
I never expected pine to upload my contact list (or email) to some third party server - or BitchX to steal my chat logs. Yet both programs could have done so.
The difference is that before Android, in the world of Windows, we already had a culture of spyware bundled with freeware, as well as viruses/RATs and plain malicious software, that made it plain that simply allowing random code to execute in a context where it could read data and/or sensors (GPS, mic, camera etc.) would be a disaster.
There were two workarounds: stewardship (the Linux distro model, like software in Debian main etc.) or sandboxing.
Android chose too little of each, which essentially amounted to a false sense of security. And here we are.
It's not meant to be an excuse, Android has not aged well, and Google has done a poor job putting security at the forefront of their platform. Apple's taken a lot of flak over the years for making developers jump through new hoops all the time and having such heavy restrictions on their platform, but it's clear the users have benefited in other ways.
iOS had its own issue, where Path uploaded a user's entire contact list without needing to ask permission for it. That was a wake-up call for Apple, and it should have been for Google too.
From a technical sense it's not. If an app can read data, and an app has Internet access, it can send that data to its server, and there's nothing your OS can really do about it if it is letting the app run arbitrary code.
Technically it is NOT Google's fault to open those accesses to apps.
Just like with a credit card CVV: being granted access to it prohibits you from storing it on your server. For personal information, I think social networks need to be held responsible to live up to the same standard.
By granting Facebook permission to read my contacts, my understanding is that they should only use my contacts to match against their DB and find those who are on FB. I don't think this requires them to persist all my contacts/conversation history on their own server.
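A defender-side triage of the combination the comment above describes (a permission that reads personal data plus Internet access), and of the coarse store labels that hide READ_SMS and READ_CALL_LOG behind "SMS" and "Phone" as an earlier comment notes, as an added example that is not from any commenter in this thread. It parses an AndroidManifest.xml with Python's standard library; the manifest and the permission-to-label table are constructed for illustration and approximate the Play Store labels of the time rather than reproducing an official list.

```python
"""Triage an Android manifest for data-exfiltration risk.

Added example, not code from the thread. Collapses the fine-grained
<uses-permission> entries the way a store listing does, then flags the
pairing of a sensitive read permission with INTERNET, which is what lets
an app ship that data off the device. PERMISSION_GROUPS is an assumed
approximation of the store labels, not an authoritative table."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from individual permissions to the coarse label a user sees.
PERMISSION_GROUPS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "Phone",
    "android.permission.WRITE_CALL_LOG": "Phone",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.GET_ACCOUNTS": "Contacts",
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
}

# Permissions that read personal data or sensors; they matter once INTERNET is present.
SENSITIVE_READS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
INTERNET = "android.permission.INTERNET"


def requested_permissions(manifest_xml):
    """All android:name values of <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def group_view(perms):
    """Collapse permissions into coarse labels: label -> sorted list of permissions."""
    groups = {}
    for p in perms:
        groups.setdefault(PERMISSION_GROUPS.get(p, "Other"), []).append(p)
    return {label: sorted(members) for label, members in groups.items()}


def exfiltration_risk(perms):
    """Sensitive reads that INTERNET would let the app send off-device (empty if no INTERNET)."""
    perms = set(perms)
    if INTERNET not in perms:
        return set()
    return perms & SENSITIVE_READS


def triage(manifest_xml):
    perms = requested_permissions(manifest_xml)
    risk = exfiltration_risk(perms)
    return {
        "groups": group_view(perms),
        "exfil_risk": sorted(risk),
        "verdict": "review" if risk else "ok",
    }


# Constructed sample manifest: a "social" app asking for exactly the combination discussed.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Run it against a decoded manifest (for example the output of apktool or aapt) to see, in one view, both what the user was shown and which reads can leave the device; the same app without INTERNET comes back as "ok", which is exactly the distinction the comment makes.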
Bear in mind, if you give your credit card to a website, the only thing prohibiting them from storing it on their server is fear of getting their PCI DSS certification revoked if they get caught doing it. There's no technical limitation... and there should be.
That's why, of course, chips for physical purchase have moved to one-time codes, effectively, so that your credit card number can't be stored without permission. Ideally, someday our online purchases will work the same way.
It is an open-source system, which is decided over purely by Google. They don't have to have any fear of being forked, so they don't have to take the open-source community's opinion into account at all.
The Custom ROMs that exist around it do not play into this. They cannot influence how shitty the ecosystem is, as that's entirely in the hand of Google.
Because you gave it to them. The alternative goes right to rules that prevent everyone (not just FB) from remembering things, and ultimately more censorship.
Is it just me or has a whole generation lost the concept of personal responsibility? I don't use FB because it's been obvious for a long time this was happening, and it's an awful platform, designed to socially engineer their flock of product people.
Use products that you control. LineageOS + F-Droid is a great start.
This libertarian utopia obviously breaks down any time you're presented with a 200-page Terms of Service. Nobody has the time and/or skills to read and understand the content at the level required for "informed consent".
Which is why societies have come up with a far better method: collectively decide (or collectively choose people to decide) on reasonable limits for certain types of transactions.
My German law professor used to say that she never read ToS. Because under the country's law, they are either reasonable or unenforceable.
Such laws have nothing to do with censorship. If you really need your users' private messages, you just have to more explicitly present them with the choice, and respect their decision to say no without unreasonably denying them service.
The US has far more lenient standards for such one-sided contracts, but the basic principle is obviously the same: If Facebook were to add a paragraph giving them ownership of your house somewhere deep in the ToS, they wouldn't stand a chance in a court of law.
You don't need to read a 200-page ToS or live in a libertarian utopia to know what data they have access to and to assume they'll abuse it. A few quick examples:
Don't use Facebook - it's basically a tool for turning any little aspect of your social network into ad revenue. Communicate directly with people you actually value and fuck the rest of 'em.
Don't use Dropbox, their employees have access to all your data, so does someone who breaks in. Encrypt your data before it hits the internet or forget about it.
Don't use a paid VPN service for anonymity, they have your billing data and connecting IP directly and you have no way to verify if they "don't log". Don't trust them. Use an anonymity network which tries its damnedest using technical means to mask those sorts of details.
If you give someone else your data, think not what they can legally do with it, but what they can technically do with it. Write laws all you want, Facebook will still abuse your data to the maximum, attackers will still get access to far too much data, it doesn't help. Personal responsibility is the final solution to the problem. When you give someone data, always assume the worst. Computers have an amusing tendency to tend to make technical feasibility into reality.
I’m always amazed by the ability of libertarians to believe that in the jungle, they’d be tigers rather than tiger shit. More often it turns out they just have a grossly inflated opinion of themselves, as in this case. We’re all human, all weak, and we all need to depend on each other a lot, it’s just the way it is.
I think that people who go out of their way to present what they believe are alpha male characteristics are essentially hanging a neon sign above themselves. That sign is begging for someone with those characteristics to come along and fix the world's problems in the way that the stereotypical Clint Eastwood or Arnold Schwarzenegger character solved his problems. In other words, an alpha male exerting his will, delivering satisfying one liners, and saving the world.
Why else would nearly every single popular conservative media "character" be so uncannily similar? Why did nearly all of those characters triple down on this machismo roughly 18 months ago? Could it be that they got back the results of their latest A/B test?
I think this all drives at the most interesting, world changing possibility that could come out of this reckoning with Facebook. What will happen when it becomes conventional wisdom that the true power of collecting all of this data is not the ability to predict what you will do, but the ability to direct what you will do? What will happen when it truly registers with people that this necessarily removes their agency? What will prevent that critical mass from making the trivial jump in logic that advertisers and public relations firms have been progressively improving on these same skills to the same general ends for a century?
I don't think there has ever been a human society in which people took "personal responsibility" in the sense you are using the phrase. I don't think it's humanly possible for even the smartest person to keep track of their personal data given the quantity of it, the multiplicity of tracking mechanisms, and the uncertainty about how it all works. Not to mention, even if we all read all the agreements we click through, that doesn't mean they are all accurate, sufficient, legal, or adhered to by the authors.
As I wrote in another thread, I have used LinkedIn for a long time, and I have never wanted it to spam my contacts, so I have always had it foremost in my mind to click "No" whenever it asks to import them. Yet at some point, it did it anyway, because it asks me if I want to connect with people who are only email contacts and not on LinkedIn.
Now if you had complete logs of everything I did with my phone and computer, you might well be able to prove in court that I inadvertently gave permission at some point - perhaps I didn't read all of the legalese on something, or perhaps my finger slipped and I forgot.
I can't imagine I would find anyone at LinkedIn who cared about figuring out what happened, regardless.
There is something perverse, in my view, in appealing to "personal responsibility" of individuals dealing with corporations, as it seems to me that the entire concept of a corporation is a way for people to work together as an entity without taking personal responsibility. The reason we have corporations is because it's impractical for people to be held liable for their screwups.
I’m curious about what you’re saying here and I’ll certainly be thinking about it more, but here’s something I was thinking about: maybe a step in the right direction would be to require permissions to offer a user configurable time limit. I think that users should be able to set the permission they grant to expire after a term of their choice—if they want to grant perpetual permission, fine. I think it would be interesting to think about the implications of apps having to come back to get reauthorization. When permission expires, maybe that just means that no more data can be collected; maybe it means the vendor has to destroy those records. Either way, I don’t want large companies to be able to exploit people who click a button they don’t read. Maybe companies should be required by law to charge users some form of consideration just like other contracts so that we can do away with companies dangling their product as a free carrot in exchange for swaths of personal data, and then leaking it.
A time limit would be a good idea, but putting that into law is not. This is the point of open source, we don't want to be required to do things, you let the consumers choose. If they can examine the code (and this is only going to get more important), then they, or the people they trust to look at it, can make informed decisions.
> maybe a step in the right direction would be to require permissions to offer a user configurable time limit
They can scoop your contacts and SMS messages in 10 seconds after the first permission was granted. Maybe permission should also limit the number of contacts/messages it can access.
Your standard of “personal responsibility” includes the ability to audit code. I assume that you’re just irresponsible if a carmaker sells you a dangerous vehicle, because you don’t know how to detect the flaw? Doctors can just talk to you without consideration for your ignorance, because your failure to attend medical school represents your irresponsibility? If you can’t parse all of the changing EULAs in your life, you’re just irresponsible?
What’s obvious to you in your very limited field of expertise is not obvious to everyone. You shouldn’t insult everyone who isn’t a programmer by equating that narrow expertise with personal responsibility. I wouldn’t assume that your inability to understand a conversation between two surgeons meant that it was acceptable to harvest your organs.
You are making it sound like I argued against standards; that's not the case. Yes, the ability to audit the code is paramount, and I want to go that direction for everything. We are merging with our creations; people have their noses so far in their phones they are starting to head-mount them and have them overlay their field of view. Without source access, we won't even be able to check if our own experiences are real.
Relying on experts to audit things is obvious and correct, but they must be "anyone", not just a select few that get to see the details. Maybe I am not qualified to evaluate something, but that is never a reason to prevent me from looking at the same information the experts have, in fact that's how those experts came to be.
The fact that some people don't care is irrelevant. They get tricked, and learn. Consider how many people are re-evaluating what FB even _is_ right now.
Much as I appreciate you responding to only the first sentence of my reply, I’m going to have to point out that your FOSS rant is only tangentially related to what I said, mate.