[agglomerative]

And what, pray tell, were they checking up on?

My gut is telling me it wasn't just about prospective credit worthiness analysis or placing advertising for retail products and services.

Maybe debt collection and finding new ways to hunt down delinquent loan recipients? What else?

[Puer]

They needed those permissions to allow for sending/receiving of payments over Messenger. NYT is being intentionally misleading with what "permissions" mean here.

[IfOnlyYouKnew]

They had access to those messages. That is what they wrote, and it is entirely correct.

Nowhere does the article say they used that access in improper ways. The accusation isn’t that your neighbor stole money from your bank account. It’s that your roommate gave them your card and pin, without your consent or even knowledge. If you draw conclusions the journalists consciously did not make, that’s your error in reasoning, not theirs.

To then claim insights into the thought process of an action that did not happen, I. e. your accusation of intent, just heightens the absurdity.

[Puer]

News organizations as established as NYT understand the weight of their words because every single one is scrutinized by a board of editors.

"Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show."

I find it highly unlikely that these companies actually had the power to delete individual's users private messages. There's a distinct difference between needing general read/write permissions so that Spotify can insert a song into your message and Spotify actually having the power to delete your individual messages, read them, or write them on your behalf to their fullest wishes.

I claim "intent" because how an article will be interpreted, especially for a story of this scale, is no accident. Hacker News has a much more tech literate population than the NYT's general readership, and yet even here there are people misunderstanding what permissions Spotify, Netflix, RBC actually had because NYT framed the information to be interpreted that way.

[ryanmonroe]

So it sounds like your complaint is not that they are being misleading, but that they made factually incorrect statements. Do you have any reason to believe that statement is incorrect other than "I find it highly unlikely"?

[Puer]

I apologize if my argument wasn't clear enough. My issue isn't that they aren't being factually incorrect, it's that they're seemingly using "facts" to be misleading.

Example: Saying Spotify has full editorial control over your messages is a very different narrative from "If you connect your FB account to Spotify, you can then send FB messages to your friends from Spotify's desktop app."[1] In one, the implication is that Spotify as a company somehow has the power to directly modify a users' private message. In the other, the user has the power--through Spotify's app--to modify their own private FB messages.

NYT is being factually correct with their reporting, but they're also being misleading, and my argument is that at a news organization of their size and stature this is no accident. Just read the comments from their readers and you'll quickly see how many of them are misinterpreting the above information.

[1] https://newsroom.fb.com/news/2018/12/facebooks-partners/

[detaro]

The latter includes the former, unless there's specific safeguards in place?

I think that's the crux of it: what communication/disclosure has to happen around granting a company access level X, even when they only hold it to implement feature Y which doesn't do all the bad things you could do with that access level, and who gets trusted with that and who doesn't? (I haven't seen the details of the precise example, so I don't have a detailed opinion on it, but would like to note that a design process aiming to reduce this exposure would maybe have removed or restricted the ability to read messages, allowing only to send recommendations or only read responses to sent recommendations)

[stvswn]

Do you know for a fact they only had access to those messages? If that's the case, Facebook should be very clear about this in their response, and I'm not sure why they wouldn't be. Copying from their response:

"Did partners get access to messages? Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature."

So, why wouldn't Facebook add here: "to be clear, the third party apps only had access to messages which were sent and received from the app. Private conversations with friends could not have been leaked to the third party companies" or something like that?

[aNoob7000]

If Facebook were open about what exact information it shares and who it shares it with, then this vague crap wouldn't be going on.

[bunderbunder]

Well, "needed" is a strong word. They wouldn't have needed the ability to read arbitrary private messages, just the ability to find out when PMs contain whatever signal is used to send a payment.

If they got any more than that, it wasn't because of need, it was because someone at Facebook was being lazy and insufficiently respectful of user privacy.

[acct1771]

Not what they mean by "hunting down" at all.

[dvfjsdhgfv]

> They needed those permissions to allow for sending/receiving of payments over Messenger.

But then something is inherently flawed, isn't it? As if there was no way to solve this without giving them access to all private communication.

[news_hacker]

Although the implications are pretty damn scary and I'm disappointed in Facebook, it helps to remember Hanlon's Razor: "Never attribute to malice that which is adequately explained by stupidity."

This could possibly be a "build fast and break things" security oversight rather than a full-on Big Brother grant to external parties. We'd need more closure and proof from Facebook if this was the case.

[Xylakant]

This is very likely a “move fast and break things” related problem. However, if you handle millions peoples private data, move fast and break things is no longer a responsible approach, especially if you’ve broken quite a few things in the past.

[sevensor]

Surely credit-worthiness is a scary enough thing for them to concentrate their private message data-mining on?