[detaro]

The latter includes the former, unless there's specific safeguards in place?

I think that's the crux of it: what communication/disclosure has to happen around granting a company access level X, even when they only hold it to implement feature Y which doesn't do all the bad things you could do with that access level, and who gets trusted with that and who doesn't? (I haven't seen the details of the precise example, so I don't have a detailed opinion on it, but would like to note that a design process aiming to reduce this exposure would maybe have removed or restricted the ability to read messages, allowing only to send recommendations or only read responses to sent recommendations)

[Puer]

Well in the latter the user specifically gives permission to Spotify when they choose to connect their FB account to Spotify's desktop app. NYT's wording makes it sound like they have unilateral control regardless of user consent. You can revoke Spotify's access whenever you want from your FB account settings.

[detaro]

I haven't seen the specific prompts - if anyone has good info on them I'd like to see it.

Facebook in their response to this says:

> Did partners get access to messages?

Yes. But people had to explicitly sign in to Facebook first to use a partner’s messaging feature. Take Spotify for example. After signing in to your Facebook account in Spotify’s desktop app, you could then send and receive messages without ever leaving the app. Our API provided partners with access to the person’s messages in order to power this type of feature.

What does explicitly sign in mean here? For a while, signing in with Facebook was the only way to create a Spotify account, and sign in with X is a common pattern in apps for authentication purposes only. Did it explicitly ask for permission? (what permissions?) Could you use your Facebook-bound Spotify account without granting this permission? I wish both sides in this would publish screenshots...