[fosco]

holy smokes...

>Michael LeBeau – ‘He guys, as you know all the growth team is planning on shipping a permissions update on Android at the end of this month. They are going to include the ‘read call log’ permission, which will trigger the Android permissions dialog on update, requiring users to accept the update. They will then provide an in app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK, coefficient calculation, feed ranking etc. This is a pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it.’

>Yul Kwon - ‘The Growth team is now exploring a path where we only request Read Call Log permission, and hold off on requesting any other permissions for now. ‘Based on their initial testing, it seems this would allow us to upgrade users without subjecting them to an Android permissions dialog at all.

This is huge, doesn't this make google guilty as well?

>‘It would still be a breaking change, so users would have to click to upgrade, but no permissions dialog screen.

EDIT: formatting

[arminiusreturns]

Now remember that Facebook has made agreements with phone manufacturers to have fb installed by default and made un-uninstallable, with all the default permissions to share the users data whether they ever log in and use the app or not!

Sidenote: I've noticed via umatrix that Netflix on pc, during a show, is attempting to load fb js... Netflix wtf!

[merrywhether]

fb.js is Facebook’s standard JS base, with things like polyfills/ponyfills to ensure certain features in a browser environment. It’s imported by React, Relay, etc.

So this might be what you’re seeing, but normally it’s included in a precompiled JS application bundle.

[jacobwg]

I believe you're thinking of FBJS (https://github.com/facebook/fbjs), which is a library as you describe, whereas the comment above is referring to loading the Facebook SDK from Facebook's servers. Among other things, Netflix offers Facebook login, which would need the SDK loaded.

[SmellyGeekBoy]

Don't they use React for their UI?

[dkersten]

Surely they would serve it from their own CDN though?

[seattlekiwi]

Taking advantage of everyone having it already cached on their machine maybe? Or it could just be standard ad retargeting - not unreasonable that Netflix would want to stream behavior data to facebook ads for targeting / lookalike purposes

[makomk]

As of a few years ago, Android asks users to agree to categories of permissions rather than individual permissions, and adding permissions from the same category doesn't count as a new permissions grant. Based on that description it doesn't sound like Facebook was abusing this since they still required users to opt in. (Though I seem to recall from older discussions of this that in actual fact, the opt-in process they implemented was sleazy and high-pressure.)

If their application only needed to run on newer Android, I think they could rely on runtime permissions and not request this permission at all unless the user actually turns the feature on - but even now about a third of Android devices in use are on versions too old to support this.

[mikejb]

> This is huge, doesn't this make google guilty as well?

I'm not sure I follow. An app can request permissions, and the user can allow or deny them. I don't understand how this puts guilt on Google. Can you elaborate?

[fosco]

this seems like a hole in their design, additional access is being granted without the user really knowing what is going on and they are deliberately keeping the user out of the loop.

at least, that is how I am interpreting it, it seems that the functionality of their software is not functioning in the 'spirit' of what it is suppose to be doing.

[emiliobumachar]

In essence, Android permissions system have (had?) a vulnerability that Facebook exploited, and Google is responsible to a small extent as the maintainer of the vulnerable software.

[JeremyBanks]

Google is very culpable because the various problems with Android's permission system were raised hundreds of times by security experts, both internal and external, and they didn't consider it a high priority to fix.

Even when they added a sane permission model in Android $VERSION, developers were allowed to bypass it for years by just building apps targeting Android $VERSION - 1 instead.

Google's web security may be the best in the world, but Android security is a disgrace and they should be called on it. (Fuschia may put them on top of the world if they ever switch Android to that, but we'll have to see whether that happens.)

[joshvm]

> Facebook had been aware that an update to its Android app that let it collect records of users' calls and texts would be controversial. "To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features," Mr Collins wrote

So did this change? I installed Messenger recently and this is pretty much the first thing it requests (no thanks). It also asks to let people search for you by number (no thanks) and to sync with your contacts (no thanks, smells like LinkedIn).

I have zero permissions enabled for Messenger, so I guess it would then ask before uploading my call logs?

[jahlove]

> This is a pretty high risk thing to do from a PR perspective

What's "PR" here?

[IanPBann]

Public Relations - how they are perceived by the public. This was seen as a risky move because it had the potential (which Facebook realised and decided to press ahead with anyway) to anger a lot of people.

https://en.wikipedia.org/wiki/Public_relations

[cbkeller]

Public relations -- bad press. Here's some more context from the BBC article:

> Facebook had been aware that an update to its Android app that let it collect records of users' calls and texts would be controversial. "To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features,"

[aembleton]

Public Relations