Facebook admits: Apps were given users' permission to go into their inboxes

Only the inbox owner had to consent to it, though... not the people they conversed with

By Rebecca Hill


Facebook has admitted that some apps had access to users’ private messages, thanks to a policy that allowed devs to request mailbox permissions.

The revelation came as current Facebook users found out whether they or their friends had used the "This Is Your Digital Life" app that allowed academic Aleksandr Kogan to collect data on users and their friends.

Users whose friends had been suckered in by the quiz were told that as a result, their public profile, Page likes, birthday and current city were “likely shared” with the app.

So far, so expected. But, the notification went on:

A small number of people who logged into “This Is Your Digital Life” also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you. They may also have shared your hometown.

That’s because, back in 2014 when the app was in use, developers using Facebook’s Graph API to get data off the platform could ask for read_mailbox permission, allowing them access to a person’s inbox.

That was just one of a series of extended permissions granted to devs under v1.0 of the Graph API, which was first introduced in 2010.

Following pressure from privacy activists – but much to the disappointment of developers – Facebook shut that tap off for most permissions in April 2015, although the changelog shows that read_mailbox wasn’t deprecated until 6 October 2015.

Facebook confirmed to The Register that this access had been requested by the app and that a small number of people had granted it permission.

“In 2014, Facebook’s platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen,” a spokesborg told us.

“According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015.”

Facebook tried to downplay the significance of the eyebrow-raising revelation, saying it was at a time when mailboxes were “more of an inbox”, and claimed it was mainly used for apps offering a combined messaging service.

“At the time when people provided access to their mailboxes – when Facebook messages were more of an inbox and less of a real-time messaging service – this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place,” the spokesperson said.

Presumably the aim is to imply users were well aware of the permissions they were granting, but it’s not clear how those requests would have been phrased for each app.

We asked Facebook what form this would have taken – for instance if users could have been faced with a list of pre-ticked boxes, one of which gave permission for inbox-surfing – but got no response.

Although Facebook has indicated Kogan’s app did request mailbox permissions, Cambridge Analytica – which licensed the user data from Kogan – denied it received any content of any private messages from his firm, GSR.

But this is about more than GSR, Cambridge and SCL Elections: for years, Facebook’s policy allowed all developers to request access to users’ inboxes.

That it was done with only one user's permission – the individual's friends weren't alerted to the fact that messages they had every right to believe were private were not – is yet more evidence of just how blasé Facebook has been about users’ privacy.

Meanwhile, the firm has yet to offer details of a full audit of all the apps that asked for similar amounts of information as Kogan's app did – although it has shut down some.

And it is only offering current users a simple way to find out if they were affected by the CA scandal; those who have since deactivated or deleted their accounts have yet to be notified. We've asked the firm how it plans to offer this information, but it has yet to respond.

Amid increased scrutiny, Facebook is trying to sell the idea that it’s sorry, that it has learned from its mistakes and that it is putting users first.

But it's going to be a tough sell: just last night, Mark Zuckerberg revealed that, when the firm first found out about GSR handing data over to Cambridge Analytica in 2015, it chose not to tell users because it felt that asking the firm to delete the data meant it was a “closed case”.

Zuck gets another chance to convince lawmakers and the public this afternoon. ®
