Survey: 89% of Android users didn’t give Facebook consent


#1

Originally published at: https://boingboing.net/2018/04/09/survey-89-of-android-users-d.html


#2

Finally, someone pointing out that people don’t know what they are giving permission for; No doubt those 89% almost definitely did give permission and ‘agree to the terms’. No one has time to read or understand those terms or agreements, and the agreements use user-hostile dark patterns to get approval.


#3

And even if that’s not the case, Facebook will probably claim that it is, because it would be damn hard to prove otherwise. (Is there even any means of saving a TOS, and did anyone do so, if so, for all previous Facebook TOSes for various apps and devices?) Facebook relies on having arcane and difficult-to-understand privacy settings to get people to give them information they actually wouldn’t want to give up if they knew or thought about it. They must be pretty arcane, too, because I’m constantly seeing professional security/privacy people having discussions online about how to navigate Facebook settings to get a particular effect.


#4

#deletefacebook


#5

I suspect a company like facebook versions their TOS and stores which versions users agree to.


#6

Depends.

Are you talking about Facebook users, or those of us who never agreed to the TOS because we were never users in the first place? My simply knowing and communicating with someone who uses a service does not mean I agreed to share my data with said service, but Facebook collected it through everyone I know who did use it.

TOS and EULAs are not the blanket absolution that companies try to claim they are, and Facebook stepped beyond the bounds of even those.


#7

I wonder what kind of data Facebook has access to when you are using it via mobile Firefox?


#8

Doesn’t mean they have to show anyone else, though. They’re becoming infamous for implementing changes without telling anyone; not being transparent about TOSes seems par for the course.


#9

And once you do make sure you delete the app from your phone if it’s part of the bloatware.


#10

Facebook operates on a frat boy model of consent… “opt-out”.

They think if you don’t say no, they can do what they please.


#11

Not that it’s acceptable (or legal? not sure if the legality has been challenged yet), basically every TOS says they can be updated without notice.


#12

#bewareoftheleopard


#13

Hmm. I’m smelling a ROUS. I’m powering up my old phone, with Facebook baked in, to check the permission levels.

I might finally have an idea of what someone was doing when they managed to create a Facebook account against my main email account. As a Scientology critic, the balance between too much paranoia and not enough is tricky, but follow me on this…

Phase 1:

  • The Android phone has the Facebook app baked in.
  • The app contacts Facebook every night even though I don’t have a Facebook account. (I checked that myself by checking the trace logs in the Android Debugger. Never bothered to check what was transferred.)
  • The app has Your accounts permission and Phone calls, which means that it has access to all account information on the phone, and call metadata at the least. (It also has Your personal information permission with access to all contact data.)
  • If the app sends updates of call metadata (and anything else), then Facebook can collect that information and index it against the phone’s main gmail account, which the app knows.

Phase 2, years later, even after that phone has been scrubbed:

  • An attacker tries to create a Facebook account against that main Gmail address.
  • Facebook sends a verification link email to Gmail, but because the sign-up is in Arabic, Gmail throws it straight to the spam bin where it would usually disappear unread after a month.
  • Somehow the attacker manages to trick the Facebook signup process without access (I hope) to Gmail.
  • Facebook now associates the collected data against the Gmail account with the Facebook account.
  • Attacker requests a dump of Facebook’s information, including the call data collected from the phone even before the Facebook account existed.

It seems far-fetched, but now I’m starting to wonder. I’m sure that Facebook has been taking having the app installed as my permission to gather everything that they can. (Never mind that it was pre-installed and couldn’t be uninstalled.)

Setting up a test case to verify phase 1 would be a pain in the ass. Or… create a dummy phone in the Android emulator…?
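One way to check phase 1 on a real device without guessing at the Android Debugger trace logs: pull the app’s permission state from `adb shell dumpsys package <package>` and list which permissions are actually granted. The script below is an added example, not anything from this thread or from Facebook; the package name, the dumpsys excerpt and the list of “sensitive” permissions are constructed for offline use (the excerpt is assumed to follow the `name: granted=true` line format that `dumpsys package` prints for both install-time and runtime permissions).

```shell
#!/bin/sh
# Added example (not from the thread): list the permissions an Android app
# actually holds, from `dumpsys package` output. On a real device:
#   adb shell dumpsys package com.example.prebundled | sensitive_granted
# The excerpt below is CONSTRUCTED; package name and permissions are hypothetical.

SAMPLE_DUMPSYS='  Package [com.example.prebundled] (3f2a1b):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.GET_ACCOUNTS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.GET_ACCOUNTS: granted=true
    User 0: installed=true hidden=false enabled=0
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET]'

# Permissions the thread is worried about: contacts, accounts, call metadata.
# (Hypothetical audit list; extend it for your own threat model.)
SENSITIVE_LIST="android.permission.READ_CONTACTS android.permission.GET_ACCOUNTS android.permission.READ_CALL_LOG android.permission.READ_PHONE_STATE"

# Read dumpsys text on stdin; print one permission name per line for every
# entry marked granted=true. Requested-but-denied permissions are skipped.
granted_perms() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*\): granted=true.*/\1/p'
}

# Read dumpsys text on stdin; print only the granted permissions that are
# also on the sensitive list, so the output is the part worth worrying about.
sensitive_granted() {
    granted_perms | while IFS= read -r perm; do
        case " $SENSITIVE_LIST " in
            *" $perm "*) printf '%s\n' "$perm" ;;
        esac
    done
}

# Stand-alone demo on the constructed excerpt.
printf '%s\n' "$SAMPLE_DUMPSYS" | sensitive_granted
```

On the constructed excerpt this prints `android.permission.GET_ACCOUNTS` and `android.permission.READ_CONTACTS`; `READ_CALL_LOG` is requested but denied, so it is not reported. The same parse works for the older install-time-only layout, since those lines carry the same `granted=true` marker. For a pre-installed app you cannot remove, `adb shell pm uninstall -k --user 0 <package>` removes it for the current user without root, which is one way to act on the audit result.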


#14

Phase 1 is very plausible. Not sure you could test it unless you can find the apk for the FB app from years ago, but test or no test I would wager it was sucking down all the contacts in the phone and associating them with a shadow profile based on your Google e-mail account and perhaps other e-mail addresses or phone numbers in your primary contact entry in the phone.

Phase 2 is less plausible, as a third-party attacker would have to have access to your e-mail or perhaps phone number (maybe there are other verification channels as well). You seem confident your Gmail wasn’t hacked or spoofed, so it must have happened another way (voice phone number, phishing script, etc.).

What I’m wondering is what happens when a non-member with a shadow profile associated with one e-mail address is signed up voluntarily or by an imposter using a second e-mail address. Is the shadow profile automatically merged with the member profile, with both e-mails included (one of them the primary)? I could see Facebook being that sloppy.

Your paranoia is justified, especially if you’re likely to be specifically targeted. I wouldn’t put anything above those Cult of $cientology scumbags and their “fair game” tactics.


#15

I still have the phone, running Android 2.2 with the Facebook app that came with the phone.

Phase 2 works if Facebook’s confirmation link process is/was flawed (or, per XKCD, they hit a Facebook employee with a hammer [or cash] until they got what they wanted). If their link is guessable, at least within range of a brute-force attack, or some spoof exploit, then they don’t need that confirmation email.

My paranoia isn’t necessarily limited to Scientology. There was the strange incident later on where someone with a similar Gmail address tried to set up my email address as the recovery address for that account. I’m not sure how that could be exploited, but services like Gmail are adding too many damned backdoors around having the actual password, so I broke that link immediately. (It was first thing in the morning. If I’d had coffee, I would have used the recovery process to grab their account and delete it.)

The thing is, the person was doing it from their phone, in Moscow’s timezone. /play Twilight Zone music.

I really think a major forensic audit of Facebook’s data and methods, with full legal powers, needs to be done ASAP.

Advice: For the love of god, delete the Facebook app off your phone, even if you need to root the phone to do it!


#16

My phone is too dumb to run facebook. Checkmate Zuckers!

But really people, facebook is not your friend. Just look what it did to the definition of friend!!


#17

I hate Facebook and have deleted my account; but I suspect that all of these people DID give permission.

Some didn’t read what was put in front of them
Some did and didn’t understand it, and clicked it anyway
Most did, and did understand it and didn’t care, and now their bias kicks in and tells them that they can’t have done, so they didn’t

Facebook obfuscate stuff, and are generally appalling and unethical, but I don’t believe they are collecting this data without permission.


#18

I’m curious to know what Facebook knows about me. I’ve never had a Facebook account, and certainly never agreed to anything. I did used to have an Android phone with a Facebook app on it that I couldn’t easily delete (thanks Sony). Does anybody know if it’s possible to find out what, if any, data Facebook holds about me, even though I don’t have an account?


#19

How reasonable is this, really?

Maybe a better question: how enforceable in court?


#20

First question: I feel it’s unreasonable, which is why I deleted my fb account. BUT
Second question: I have a sense that it’s not illegal, because I think people have probably been asked a question (in the small print, but clearly), given an answer, and now regret it

To be clear, I hate Facebook with a passion; but I’m not mad at them for doing what they said they’d do when I signed up, I’m mad at them for allowing other things to happen with my data that I didn’t give permission for (CA, Brexit, leaks, abuse) and not being responsible adults about it. Whatever Facebook is culpable for in the courts, I have a feeling it won’t be this.