A UK parliamentary committee released today which reveal, among other things, that Facebook knew triggering an Android permissions dialog during an app update that would collect SMS and call logs would lead to "bad PR" and allegedly attempted to circumvent the process in order to make it difficult for Android users to discover the new behavior.
The documents were part of a California lawsuit filed app developer Six4Three. These were sealed by the courts, but UK authorities seized them from the plaintiff in that lawsuit while he was in London as part of their investigation into Facebook's practices and handling of user data. According to the seized documents, the original lawsuit alleges:
Facebook knew that the changes to its policies on the Android mobile phone system, which enabled the Facebook app to collect a record of calls and texts sent by the user would be controversial. To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features of the upgrade of their app.
Exhibit number 172 of the original suit provides some supporting details, where an email exchange between Facebook developers suggesting that including new permissions was a "high-risk thing to do from a PR perspective" and assurances that an upgrade path that would omit the new permissions dialog had been explored and was viable. Unlike other email exchanges about user data sales and API changes that would ensure data reciprocity between developers and Facebook itself, there is no evidence that Facebook CEO Mark Zuckerberg was aware of this particular issue.
Facebook has in the recent months because of it's data handling policies and internal practices surrounding the 2016 presidential election. These new discoveries add fuel to a still-burning fire and as Facebook faces a less-lenient UK Parliment, we expect to see and hear more in the coming days and weeks.
Facebook is the world's most popular social networking platform and as of the third quarter of 2018, has 2.27 billion monthly active users. That's a lot of valuable user data that needs to be protected. The question remains: is Facebook actually trying to protect it?