Tuesday, August 12, 2014

Facebook Messenger Controversy Explained

I have seen a number of people on Facebook reposting a "news" articles explaining the privacy violations of Facebook's Messenger application. A number of people have declared that they have uninstalled Facebook from their phone completely. Even the reviews featured on the application's page on the Google Play Store are all complaining about the privacy invasion.


The article, which I am not linking to here (you can Google it), set off a lot of red flags. I have never written an application for Android, though I have followed their developer's tutorials a few times. I'm not an expert on Android development, but I have a rough understanding of the basics.

When writing applications for a desktop computer (PC, Mac, etc.) applications have a lot of access to the computer hardware. Mobile devices are much more restrictive. Android locks out key functionality of the hardware from the applications that are installed. Before an application can have access to these parts of the system the application must first "request" permission. This is done by declaring in a file what permissions you need for your application. This includes permission to make and receive calls, access to the contact list, use the microphone, GPS, etc. This allows users to review and approve an application's access before installing it.

However, if an application needs any access to one of these resources it can either always have access to that resource or never have access. This can make some applications look more scary than they are. For example, an application that shows you the weather based on the city you are in will need access to your GPS and the Internet. Granting these permission could allow this application to surreptitiously spy on you without your knowledge and report that back to some database, but it does not necessarily follow that it is actually spying on you.

This is how the Messenger scare is working. For example, there is a feature that allows you to record an audio clip and then send it to a friend to listen to whenever they have the chance. To provide this functionality the application has to require access to the microphone. With this access the application could be listening in on you. However, the mere fact of the application having this permission is very, very different than proof  that it is spying on you. In fact, it is not evidence at all. Fortunately it actually is possible to know if the application is using this permission for these purposes, but I'll get to that later.

There is a great deal of irony in seeing people complain on Facebook about the privacy implications of their messenger application. It is hard to imagine how the privacy concerns of Facebook itself can be acceptable, but the possible implications of the Messenger applications are not. There are much better ways to protect your privacy than uninstalling a single application.

One way I protect myself is by running an aftermarket version of Android called Cyanogenmod. It is based on the Android Open Source Project and is fully open source. The version of Android that carriers ship contain a lot of proprietary code that they have written to customize the experience. In the past some carriers have been shown to spy on their users in ways that where very embarrassing to the companies, and they where forced to remove it. However, there is no guarantee that many devices are not reporting on their users in ways that users would not agree with. In a post Snowden-world this is more than paranoia, but actually very likely.

A nice feature of Cyanogenmod is that it provides much more fine-grained control over an applications privacy settings. Usually if you do not trust an application to have a permission it is requesting, your only recourse is to not install the application at all. Privacy guard allows the users to turn off any feature, or put it on "always ask." It also reports how often an application has used a permission and when it did it last. This allows us to peer into what an application is actually doing with the access it is requesting.

What follows is a very long list of all of Messenger's permissions and reports on its use.

Click to enlarge
So let's talk a little about what is going on here. As you can see, Messenger has to ask me before it can know my location. The only time it ever actually does that is when I message somebody. and that's only because I checked the "New messages include your location by default" box in Settings. It has never attempted to read my call log, calendar, SMS (text message) database or send or a text message, record audio, or make a phone call. In fact almost everything in here is looking pretty legit. Almost.

You may notice the "Read Contacts" section. I have it set to Deny. Why? Look at the subtext. "Allowed 1854 times, denied 429 times." I had set this to Ask for a little while. I noticed that whenever I made or received a phone call or text message that the Messenger app was trying to read my contacts. I can imagine some semi-legitimate reasons why it might be doing this. For example, it may be trying to gauge who are the friends I contact the most so that it can then prioritize their posts on Facebook.

However, this is too creepy. I do not want Facebook knowing this level of detail about my life. I do not want them knowing every time I send or receive a phone call or text message and who I was communicating with. I think that there is an actual new story behind this and would be worth someone's time to grill Facebook on and educate the public.

And that's the real point. There are legitimate privacy implications of these portable computing devices we are carrying around in our pocket. People need to be more informed on what those implications are and have the education necessary to make informed decisions on how to manage these privacy concerns. Yellow-journalism articles that spread half-truths, getting people riled up about nothing-much are more hurtful than they are good.