by Puer 2743 days ago
News organizations as established as NYT understand the weight of their words because every single one is scrutinized by a board of editors.

"Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show."

I find it highly unlikely that these companies actually had the power to delete individual users' private messages. There's a distinct difference between needing general read/write permissions so that Spotify can insert a song into your message and Spotify actually having the power to delete your individual messages, read them, or write them on your behalf to their fullest wishes.

I claim "intent" because how an article will be interpreted, especially for a story of this scale, is no accident. Hacker News has a much more tech-literate population than the NYT's general readership, and yet even here there are people misunderstanding what permissions Spotify, Netflix, RBC actually had because NYT framed the information to be interpreted that way.


So it sounds like your complaint is not that they are being misleading, but that they made factually incorrect statements. Do you have any reason to believe that statement is incorrect other than "I find it highly unlikely"?

I apologize if my argument wasn't clear enough. My issue isn't that they aren't being factually incorrect, it's that they're seemingly using "facts" to be misleading.

Example: Saying Spotify has full editorial control over your messages is a very different narrative from "If you connect your FB account to Spotify, you can then send FB messages to your friends from Spotify's desktop app."[1] In one, the implication is that Spotify as a company somehow has the power to directly modify a user's private message. In the other, the user has the power--through Spotify's app--to modify their own private FB messages.

NYT is being factually correct with their reporting, but they're also being misleading, and my argument is that at a news organization of their size and stature this is no accident. Just read the comments from their readers and you'll quickly see how many of them are misinterpreting the above information.

[1] https://newsroom.fb.com/news/2018/12/facebooks-partners/

The latter includes the former, unless there's specific safeguards in place?

I think that's the crux of it: what communication/disclosure has to happen around granting a company access level X, even when they only hold it to implement feature Y which doesn't do all the bad things you could do with that access level, and who gets trusted with that and who doesn't? (I haven't seen the details of the precise example, so I don't have a detailed opinion on it, but would like to note that a design process aiming to reduce this exposure would maybe have removed or restricted the ability to read messages, allowing only to send recommendations or only read responses to sent recommendations)

Well in the latter the user specifically gives permission to Spotify when they choose to connect their FB account to Spotify's desktop app. NYT's wording makes it sound like they have unilateral control regardless of user consent. You can revoke Spotify's access whenever you want from your FB account settings.

I haven't seen the specific prompts - if anyone has good info on them I'd like to see it.

Facebook in their response to this says:

> Did partners get access to messages?
>
> Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.

What does explicitly sign in mean here? For a while, signing in with Facebook was the only way to create a Spotify account, and sign in with X is a common pattern in apps for authentication purposes only. Did it explicitly ask for permission? (what permissions?) Could you use your Facebook-bound Spotify account without granting this permission? I wish both sides in this would publish screenshots...