by Puer 2744 days ago
They needed those permissions to allow for sending/receiving of payments over Messenger. NYT is being intentionally misleading with what "permissions" mean here.

They had access to those messages. That is what they wrote, and it is entirely correct.

Nowhere does the article say they used that access in improper ways. The accusation isn’t that your neighbor stole money from your bank account. It’s that your roommate gave them your card and pin, without your consent or even knowledge. If you draw conclusions the journalists consciously did not make, that’s your error in reasoning, not theirs.

To then claim insights into the thought process of an action that did not happen, i.e. your accusation of intent, just heightens the absurdity.

News organizations as established as NYT understand the weight of their words because every single one is scrutinized by a board of editors.

"Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show."

I find it highly unlikely that these companies actually had the power to delete individual users' private messages. There's a distinct difference between needing general read/write permissions so that Spotify can insert a song into your message and Spotify actually having the power to delete your individual messages, read them, or write them on your behalf to their fullest wishes.

I claim "intent" because how an article will be interpreted, especially for a story of this scale, is no accident. Hacker News has a much more tech literate population than the NYT's general readership, and yet even here there are people misunderstanding what permissions Spotify, Netflix, RBC actually had because NYT framed the information to be interpreted that way.

So it sounds like your complaint is not that they are being misleading, but that they made factually incorrect statements. Do you have any reason to believe that statement is incorrect other than "I find it highly unlikely"?

I apologize if my argument wasn't clear enough. My issue isn't that they aren't being factually incorrect, it's that they're seemingly using "facts" to be misleading.

Example: Saying Spotify has full editorial control over your messages is a very different narrative from "If you connect your FB account to Spotify, you can then send FB messages to your friends from Spotify's desktop app."[1] In one, the implication is that Spotify as a company somehow has the power to directly modify a user's private message. In the other, the user has the power--through Spotify's app--to modify their own private FB messages.

NYT is being factually correct with their reporting, but they're also being misleading, and my argument is that at a news organization of their size and stature this is no accident. Just read the comments from their readers and you'll quickly see how many of them are misinterpreting the above information.

[1] https://newsroom.fb.com/news/2018/12/facebooks-partners/

The latter includes the former, unless there's specific safeguards in place?

I think that's the crux of it: what communication/disclosure has to happen around granting a company access level X, even when they only hold it to implement feature Y which doesn't do all the bad things you could do with that access level, and who gets trusted with that and who doesn't? (I haven't seen the details of the precise example, so I don't have a detailed opinion on it, but would like to note that a design process aiming to reduce this exposure would maybe have removed or restricted the ability to read messages, allowing only to send recommendations or only read responses to sent recommendations)

Well in the latter the user specifically gives permission to Spotify when they choose to connect their FB account to Spotify's desktop app. NYT's wording makes it sound like they have unilateral control regardless of user consent. You can revoke Spotify's access whenever you want from your FB account settings.

Do you know for a fact they only had access to those messages? If that's the case, Facebook should be very clear about this in their response, and I'm not sure why they wouldn't be. Copying from their response:

"Did partners get access to messages? Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature."

So, why wouldn't Facebook add here: "to be clear, the third party apps only had access to messages which were sent and received from the app. Private conversations with friends could not have been leaked to the third party companies" or something like that?

If Facebook were open about what exact information it shares and who it shares it with, then this vague crap wouldn't be going on.

Well, "needed" is a strong word. They wouldn't have needed the ability to read arbitrary private messages, just the ability to find out when PMs contain whatever signal is used to send a payment.

If they got any more than that, it wasn't because of need, it was because someone at Facebook was being lazy and insufficiently respectful of user privacy.

Not what they mean by "hunting down" at all.

> They needed those permissions to allow for sending/receiving of payments over Messenger.

But then something is inherently flawed, isn't it? As if there was no way to solve this without giving them access to all private communication.