Facebook admits: Apps were given users' permission to go into their inboxes

Facebook has admitted that some apps had access to users’ private messages, thanks to a policy that allowed devs to request mailbox permissions.

The revelation came as current Facebook users found out whether they or their friends had used the "This Is Your Digital Life" app that allowed academic Aleksandr Kogan to collect data on users and their friends.

Users whose friends had been suckered in by the quiz were told that as a result, their public profile, Page likes, birthday and current city were “likely shared” with the app.

So far, so expected. But, the notification went on:

That’s because, back in 2014 when the app was in use, developers using Facebook’s Graph API to get data off the platform could ask for read_mailbox permission, allowing them access to a person’s inbox.

That was just one of a series of extended permissions granted to devs under v1.0 of the Graph API, which was first introduced in 2010.

Following pressure from privacy activists – but much to the disappointment of developers – Facebook shut that tap off for most permissions in April 2015, although the changelog shows that read_mailbox wasn’t deprecated until 6 October 2015.

Facebook confirmed to The Register that this access had been requested by the app and that a small number of people had granted it permission.

“In 2014, Facebook’s platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen,” a spokesborg told us.

“According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015.”

Facebook tried to downplay the significance of the eyebrow-raising revelation, saying it was at a time when mailboxes were “more of an inbox”, and claimed it was mainly used for apps offering a combined messaging service.

“At the time when people provided access to their mailboxes – when Facebook messages were more of an inbox and less of a real-time messaging service – this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place,” the spokesperson said.

Presumably the aim is to imply users were well aware of the permissions they were granting, but it’s not clear how those requests would have been phrased for each app.

We asked Facebook what form this would have taken – for instance if users could have been faced with a list of pre-ticked boxes, one of which gave permission for inbox-surfing – but got no response.

Although Facebook has indicated Kogan’s app did request mailbox permissions, Cambridge Analytica – which licensed the user data from Kogan – denied it received any content of any private messages from his firm, GSR.

GSR did not share the content of any private messages with Cambridge Analytica or SCL Elections. Neither company has ever handled such data.

— Cambridge Analytica (@CamAnalytica) April 10, 2018

But this is about more than GSR, Cambridge and SCL Elections: for years, Facebook’s policy allowed all developers to request access to users’ inboxes.

That it was done with only one user's permission – the individuals "Friends" weren’t alerted to the fact messages they had every right to believe were private, were not – is yet more evidence of just how blasé Facebook has been about users’ privacy.

Meanwhile, the firm has yet to offer details of a full audit of all the apps that asked for similar amounts of information as Kogan's app did – although it has shut down some.

And it is only offering current users a simple way to find out if they were affected by the CA scandal; those who have since deactivated or deleted their accounts have yet to be notified. We've asked the firm how it plans to offer this information, but it has yet to respond.

Amid increased scrutiny, Facebook is trying to sell the idea that it’s sorry, that it has learned from its mistakes and that it is putting users first.

But it's going to be a tough sell: just last night, Mark Zuckerberg revealed that, when the firm first found out about GSR handing data over to Cambridge Analytica in 2015, it chose not to tell users because it felt that asking the firm to delete the data meant it was a “closed case”.

Zuck gets another chance to convince lawmakers and the public this afternoon. ®