Have You Allowed Your Smartphone To Know Too Much About You?


App permissions are very important. Sadly, no one pays attention to them except for when Facebook violates them.

Facebook may be in a bit of bother right now, but one can’t thank the social media giant enough for bringing issues such as app permissions right back into the general public’s consciousness one more time.

Just a month ago, some users discovered that Facebook actually stored some phone logs of all its Android customers who had previously opted to share their contacts with the company’s applications.

These logging activities took place in the days well before Jelly Bean or Android 4.1.

But all of that was a week ago.

Let’s talk about this week.

This week Mark Zuckerberg had to endure a marathon congressional testimony.

So no one should find it unreasonable that people serving the United States via government positions asked Facebook’s CEO a lot of questions.

Reports have now confirmed that two representatives actually did ask the CEO of Facebook whether the company may have listened to private conversations via its users’ smartphone microphones.

They also asked questions on how the company used the information to serve their users eerily relevant advertisements.

What did Zuckerberg say?

Or, more appropriately, how did Zuckerberg respond?

To start off, Zuckerberg did address those questions and responded to them in a definitive tone.

To the microphone conspiracy theory questions, Zuckerberg replied with a firm “no.”

After responding to the question of microphone usage, Zuckerberg somehow felt the need to also mention that Facebook did not have any access to users’ audio except when Facebook users recorded video on their smartphone devices to use with Facebook services.

Zuckerberg said he believed the way Facebook worked made it pretty clear what the company recorded and what it did not record.

But, said Zuckerberg, he wanted to make sure that he exhaustively answered the question.

It is safe to say that Congress’ do-si-do with Facebook’s CEO ended up being neither exhaustive nor clear.

In fact, it showed that people still had little idea what the company did.

In other words, they genuinely did not understand how much of their data the company’s smartphone apps could and could not access.

Why is that?

Surely people who are using smartphone devices are clever enough to know how the app works at least at a cursory level?

Part of the problem arises because of app permissions.

Developers and software engineers have oversimplified them.

They have designed them in such a way that they offer the absolute minimum amount of relevant information.

It is also true that right at the point of asking people for access to their data, these app permissions don’t make much sense.

Of course, app permissions, just like apps themselves, have improved in the last couple of years.

But an improvement is simply not enough at this point.

The improvements in app permissions have to match all the sophistication that is involved with data-gathering and other technologies that basically surround us at the moment.

Plenty of people would find it obvious at this point in time, but it is true that mobile applications (and not just the ones associated with Facebook) usually vacuum up a tremendous amount of user data with each and every user interaction.

All that one has to do is look at what happened when someone ordered a pizza via his/her smartphone device.

Here is a link to a report from The Wall Street Journal illustrating what actually happened.

No one needs any convincing on how much data Android and iOS apps are capable of accessing.

Apps on both platforms can, and sometimes do, access the user’s:

  • Camera roll
  • Cameras
  • Microphone
  • Social media accounts
  • Speech recognition
  • Motion sensors
  • Contacts
  • Calendar
  • Location services

Of course, some of the information that these apps want to access is a bit necessary.

Any photo application would want to have the permission to access the smartphone’s camera.

Without that, it would simply not work.

Similar is the case with a ride-hailing application such as Uber and Lyft.

These types of apps can’t work if they don’t have a lot of information on the user’s location.

If the user rejects these kinds of permissions for these apps the user will essentially break the functionality of the apps.

But here is another problem with sensor data.

Sometimes, this data can potentially reveal way more information than the smartphone user realizes.

This is especially the case when certain patterns emerge from all the data.

An Android app developer told Wired that once a user granted the location access feature, app developers had the ability to pull in altitude and bearing information.

That is in addition to the information related to single location objects.

The Android app developer requested anonymity in order to avoid saying things on behalf of the company he worked for.

But what does that really mean for the end user?

It means that if the user allows some of these apps access to location, the apps can roughly work out which floor of a given high-rise the user lives on.

Another independent iOS developer, Ish Shabazz, mentioned that once the user gave an app the permission to always have location access on the user, an API existed that allowed the app to keep track of how regularly the user visited a particular location.

People who use iPhone smartphone devices can find the list visible in their Location Services > System Services > Significant Locations.

Shabazz also mentioned that there were many friendly and legitimate ways in which apps could use the accessed data.

However, according to Shabazz, if the user was nefarious then apps could use that information in some non-helpful ways as well.

Amod Setlur, a former director of engineering at Yahoo who now runs Auryc, an analytics firm based in Silicon Valley, told one of his recent clients how a travel application could learn some very interesting behavioral patterns related to the travel app’s customers.


Smartphones have data. App permissions are supposed to protect that data.

And it could derive all that information based on the way the app’s users held their smartphone devices.

Setlur also mentioned that they had found that during many traffic spikes (inside the application) at night, a good number of device rotations usually happened.

He mentioned that apps could know how users started to use the application and then how they turned their smartphone in another way.

Setlur said his company realized that the app’s users actually tried to plan their upcoming trips.

That’s why they turned their smartphone device to look at various photos of different locations.

And they did that while lying in their beds.

Of course, these are just, what marketers call, insights.

There is no doubt about the fact that marketers froth at this type of information.

But many times, developers insert some clear overreaches in the apps themselves.

For example, let’s take a look at Path (a different kind of social network, the kind where it limits the number of friends one can have).

The Path application uploads people’s address books without proper authorization.

That is a problem.

Another very popular video game on the Android platform is Pokemon Go.

The official Pokemon Go app has the ability to see and then modify almost all of the information that is present in the user’s Google account.

Then there is Meitu, the image editing software application, which requests access to the user’s SIM card and GPS information.

Most of the time, it is because of these examples where apps violate privacy restrictions that app permissions come into the limelight and receive a fresh dose of public attention.

Of course, one can’t ignore Facebook news feed in here as well.

But if everything mentioned here in these examples is supposedly unacceptable then what is acceptable?

What are app permissions for if applications are not supposed to access any of our data?

Firstly, it is true, as mentioned before, that apps do need some permissions.

But too many apps take that “some permissions” to another level and turn it into “all permissions”.

App permissions have one purpose.

And that purpose is to act as a practical barrier between specific parts of the user’s smartphone data and the app developers.

Whenever an app permission notification message pops up on the screen, it is the smartphone user’s responsibility to decide whether or not that app gets the requested permission.

A lot of times, those permissions do come with their related explanations.

Even though a lot of media sources have pointed out problems with app permissions, the truth is, the app platforms themselves encourage developers to give users appropriate explanations for their required app permissions.

If one takes a look at the Android developer documentation, one can easily find that it clearly says developers should explain to users why their application wants certain kinds of permissions.

Developers should do that before the app calls requestPermissions().

So what’s the problem then?

If app developers do explain why they want certain permissions and the platform itself encourages that, then what’s all the fuss about app permissions?

The fuss is about these explanations.

The explanations that come with app permissions are mostly short and mainly vague.

Let’s take a look at how Facebook explains (at least on the iOS platform) why its app needs the permission to access the user’s camera.

The explanation simply tells the user that allowing the app access to the smartphone camera will allow the user to record video and take photos.

Some may think that is sufficient.

But it is not.

Why?


Facebook is not the only culprit of abusing app permissions. Many other apps do the same.

Because it does not mention that Facebook’s app can leverage some more advanced technologies by feeding the user’s shared photo data to them.

There are other app developers who like to tack the text “and more” onto their permission explanations.

Of course, that is not reasonable.

For this case as well, let’s take a look at Facebook.

The official Facebook app comes up with an interesting explanation for the location permission.

It says that Facebook makes use of this permission in order to make some of its features work properly.

The permissions also help people to find places “and more.”

Facebook isn’t the only app that is taking advantage of the “and more” part.

Let’s have a look at Snapchat.

Its permission explanation for accessing the user’s microphone goes along the lines of:

To record audio content for Snaps, video chat and more.

One should also not keep Google and Apple out of this whole situation.

Why?

Because they own the largest platforms for iOS and Android applications.

They run their official app ecosystems on their own.

And they have specific guidelines to establish various app permissions.

But that does not solve the problem.

Why?

Because they have left the implementation of those guidelines to the app developers themselves.

So if app developers don’t follow the guidelines there is little that Google and Apple can do.

But why do they rely on developers to follow their guidelines?

Why can’t both app ecosystems force developers to follow the above-mentioned guidelines?

No one knows the answer to that question.

And it’s not like app developers are evil.

They are not.

Most app developers want to avoid situations where they confuse or overwhelm people.

So how do they avoid doing that?

They rely on the actual consumers to read their explanations and then just get it.

Of course, consumers don’t always “just get it”.

There is little doubt about the fact that app permissions for both Android and iOS have evolved just like the app stores have.

If one goes back three or four years, Google actually started to require developers to ask for certain permissions for access to certain features as users tried to use those features in their apps.

This happened with the rollout of the official Android 6.0 upgrade.

Google wanted developers to move away from asking for permissions when users first installed a given app.

Why?

Because users are more prone to forget about permissions and just hit the Accept button in order to install the app when they want to try the app the first time around.

To put it another way, they don’t realize that they may have to give a lot of data away in order to use the app.

The same official Android update also allowed users to manage each and every permission individually.

Before that, users had to allow or deny permissions in one single go because apps used to lump all the permissions together in a single package.

Then Android 7.0 came along.

It disallowed app developers from building any kind of overlays over the related permission boxes.

Some app developers had previously started to use these in order to trick people into performing a tap on them.
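The version cut-offs described above can be read straight from an app's manifest. The following is an added example, not code from the article or from Google: a Python sketch that takes a decoded AndroidManifest.xml (assumed to be plain-text XML that includes a `uses-sdk` element) and reports which data categories the app requests, whether it predates the Android 6.0 runtime-permission model, and whether a contacts permission on a pre-Jelly Bean target also opens the call log. The sample manifest, the function name and the permission-to-category mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Runtime ("dangerous") permissions mapped to data categories (illustrative subset).
DANGEROUS = {
    "CAMERA": "camera",
    "RECORD_AUDIO": "microphone",
    "READ_CONTACTS": "contacts",
    "READ_CALENDAR": "calendar",
    "ACCESS_FINE_LOCATION": "location",
    "READ_CALL_LOG": "call log",
    "READ_PHONE_STATE": "SIM / phone identity",
    "READ_EXTERNAL_STORAGE": "photos and files",
}

def audit_manifest(manifest_xml):
    """Return (data categories requested, findings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            requested.add(name[len(PREFIX):])
    sdk = root.find("uses-sdk")
    # A missing targetSdkVersion defaults to minSdkVersion, which defaults to 1.
    min_sdk = int(sdk.get(ANDROID_NS + "minSdkVersion", "1")) if sdk is not None else 1
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    categories = {DANGEROUS[p] for p in requested if p in DANGEROUS}
    findings = []
    if target < 23 and categories:
        findings.append("targets API %d (<23): permissions granted together at install" % target)
    # READ_CALL_LOG only became a separate permission in API 16 (Android 4.1).
    if max(min_sdk, target) <= 15 and "READ_CONTACTS" in requested:
        findings.append("READ_CONTACTS on API <=15 also grants call-log access")
        categories.add("call log")
    return sorted(categories), findings

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.photo">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

For the sample, the audit lists call log alongside camera, contacts and location even though the manifest never names a call-log permission.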

What About Apple?

Generally speaking, Apple has managed to exercise more stringent control over app developers than Google.

Just like with the Android platform, users have the option of controlling iOS permissions both via their privacy settings and at the individual app level.

Apple began the iOS 11 rollout last year.

With iOS 11 Apple started to offer app developers the option of Write Only for using photos.

Why did Apple do that?

So that app developers would have to separately request Read access to the user’s camera roll.

Moreover, Apple also started its plan of cracking down on those location permissions.

Apple has now forced app developers to display the “only when using the app” option to users when the app wants to request location access.

This is also something that Ars Technica noted in a previous report.

Ars Technica, in the past, has also reported on how Apple, as a company, has never allowed iOS developers to have access to users’ call logs.

How does this relate to Facebook?

Well, let’s just say that the recent flare-up involving Facebook services on Android would have never happened on the iOS platform.

And that is precisely because Apple doesn’t allow app developers the kind of freedoms that Google allows them on the Android platform.

With that said, there is a lot of room for app developers to improve the way in which platforms handle different app permissions.

This is what Norman Sadeh, a professor in the School of Computer Science at Carnegie Mellon University, told Wired.

Professor Norman Sadeh is also the creator of an Android app that manages user privacy permissions.

It is called Privacy Assistant.

He told Wired that he would continue to criticize the methods with which platforms and developers are bundling app permissions.

Sadeh also mentioned that the total number of control settings had certainly increased.

But instead of offering users more permission options, app developers and platforms started to bundle a bunch of these decisions together.

This basically forced users to make almost impossible decisions.

According to Sadeh, an app could need a certain permission for its functionality.


Users now have more options to adjust permissions than before. But even then problems persist.

But sometimes, the app uses the same permission to share data with advertisers and marketers alike.

Needless to say, that is not fair.

App developers also need to make it super clear to all users what happened to their data once they revoked access from an app that they used previously and gave all sorts of permissions to.

Sadeh says that, for example, a user might give an app permission to access his/her photos in order to upload a single photo.

Then the user turned the app off immediately.

What would happen to the user photos?

Or if a user granted access to his/her contacts years ago but then later revoked all access.

What would happen to those contacts?

According to Sadeh, the fact is, app developers would get to keep all the data that the user shared with the app beforehand.

It doesn’t matter how long ago the user granted permission.

As long as app developers can make sure that they are complying with privacy and data protection laws in their own countries, they can keep the data.


Zohair


Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.