Sophos Cloud Optix
There’s good reason to be skeptical of Facebook when it comes to privacy, but the Facebook Messenger app isn’t the privacy nightmare that some people think it is.
Facebook is gradually forcing users of its mobile app to download the Facebook Messenger app to their smartphones and tablets in order to continue using the chat feature.
This move has led to a backlash against the social media giant, and it’s not just because Messenger is a separate app that takes up a lot of extra device memory.
Messenger offers much more than the traditional chat available on Facebook.com, including the ability to place calls, send videos, and send messages from the home screen without opening the app.
Although the Messenger app is available for Android, iOS, Windows Phone and BlackBerry, the main source of user angst comes from the lengthy list of app permissions you have to approve before you can download the Android app from Google Play.
Among the permissions the app requires are several that have given users reason to complain – when you install the Android app, you have to grant access to your device’s contacts, microphone, stored photos, videos, SMS messages, location, and more.
In a help article on Facebook.com, the company explains why some of these permissions are needed, noting for example that accessing the device’s microphone and camera is necessary for sending video messages.
Those permissions are similar to those required by other messenger apps, such as Snapchat or Viber.
The negative reaction seems to have been spurred in part by a December 2013 Huffington Post blog article titled The Insidiousness of Facebook Messenger’s Mobile App Terms of Service.
The article, by Sam Fiorella, which has been “Liked” on Facebook more than 785,000 times, has helped to fuel the fire of public outrage with statements like:
In the case of Messenger on Android, the attempt to collect so much information and take control of one's device is unprecedented and, quite frankly, frightening.
Yesterday, the post was updated to correct the author’s errors around the conflation of Android-specific permissions and Facebook’s terms of service, (which Facebook says are the same for the Messenger app as the Facebook website), and the outdated descriptions of its permissions.
As Facebook points out, Google Play requires users to accept all permissions the app might need before downloading – even if some of those features are never accessed by the user.
In its help article about the Android permissions, Facebook also says the way permissions are described is controlled by Google, even though they don’t “necessarily reflect the way the Messenger app and other apps use them”:
Keep in mind that Android controls the way the permissions are named, and the way they’re named doesn’t necessarily reflect the way the Messenger app and other apps use them.
By contrast, Apple takes a much more granular approach to permissions for iOS apps.
Apple’s mobile apps don’t ask for permissions up front all at once, but rather when a user seeks to use a feature for the first time.
So it could be argued that Facebook is the victim of Google’s decision in June 2014 to lump related permissions together and simplify their descriptions.
In this case at least, the Zuckerbergers don’t deserve the Big Brother accusations being lobbed their way – but they might have avoided a lot of pain if they had spelled things out for users better.
With that said, here are a few tips for Facebook Messenger users to help you better preserve your privacy:
- Decline or turn off sync if you don’t want Facebook to grab phone numbers from all your contacts.
- Turn off the location setting that alerts your contacts of your exact location when using the app.
- If you really don’t want to switch to Facebook Messenger, you can still use the web browser on your mobile device to chat on the Facebook website.
- Check out our 5 tips to make your Facebook account safer.
If you’re an Android user, you can download Sophos Mobile Security for Android to protect your device.
It scans your apps for malware when you download them, includes a handy privacy advisor – and it’s free from Google Play.
And, if you’d like to stay up to date on all our Facebook-related news, please Like the Naked Security Facebook page.
Image of Facebook Messenger logo courtesy of Facebook.
I thought i will get an anwser in this article to such privacy things like: If I ask my friend through fb messenger if he has 2 grams of weed for sale in a country where its strictly prohibited, can the police look up my conversation with my friend without a warrent?
Depends on the country. Some require warrants more strictly than others.
no, invasion of privacy. go buy your weed.
It depends on what kind of weed.
I’ve gone for the “access the facebook webpage from the browser” approach. It’s also allowed me to uninstall the main facebook app.
Thats what I have always used. And you;ll notice that it uses less amount of data too. Atleast I noticed that since I started using Facebook and Twitter’s mobile website instead of the apps.
There are ways around it…
My beef is that (on my iPhone) the messenger app demands that I let it have access to notifications, and will not function if I decline – which would allow it to “run” in the background.
I’m not interested in its attempts to replace the standard messenger services – I don’t want it to run in the background notifying me when I receive a FB message.
Its insistence is its downfall. If we were allowed not to allow notifications etc., then perhaps I might use it. As it is I’ve found a way of leaving it not running and tricked the normal FB app to allow me to use the inbuilt messenger function, which does “allow” me not to have it notify me of arrived messages.
We need a security app for iOS as well… are there plans for this?
Unless things have changed recently, the nature of iOS doesn’t allow security apps the permissions they would need to actually be useful.
Or at least that’s what I read here last time I saw someone asking 😉
Yes, there are plans for this. The nature of security threats are different on iOS though, it is not about malware, for example.
I believe it was this Naked that just told us about all the security breaches in Messenger app now your putting this article out there! Suddenly now its not bad?
the funny is i got rid of FB messenger months ago but for a totally different reason. it was killing my battery life.
Turn off sync??? Turn off location settings??? FOR MY WHOLE PHONE? Just so FB can’t do its dirt?
I *think* the author means turn off those settings in the app. When you install it, one of the steps is to sync your contacts. You can skip this step. You can also turn off the location setting in the Settings portion of the app.
So… just to clarify, you don’t want FB to know your location, but you’re happy for Google (G+) or twitter to have that information.
OK just to clarify… you don’t want FB to know your location, but your happy for Twitter and Google (or foursquared, flickr etc. etc. etc.) to know it.
Thats fine (it’s a pity google cancelled their block permissions per app, feature), but just so you know Google and twitter will use the information for the same thing FB will (to sell add’s to you)
My Cyanogenmod-derived Android 4.4.4 still has “Privacy Guard” 🙂 It’s pretty useful, albeit a biggish hassle to set up sensibly for all apps. You can set individual permissions that have been granted at install time to individual apps to block, allow or ask.
Interesting article. Glad you cleared up alot of things around the permissions. My only concern with you have to agree with the permissions before you can download it, are a bit mis-leading. Of course I can not accept the permissions, but then I can’t download the app.
I understand that to use video messaging I have to let it use my microphone and camera. That doesn’t mean that I want it to have access to my microphone or camera at all times, day and night. The same with other permissions as well.
I guess I would like to see a permission where it is only applicable when I am using the app.
Thanks.
Technically, in all practical terms, to use “video messaging” it has to be able to access a video file – it is a false claim that it has to access the camera and mic. They just want the permission, believing you will fall for the idea that they need to stream video to remote locations,which is actually not needed, but definitely desired BY THEM.
How would you conduct an online “phone call” (i.e. where you talk and your voice is sent immediately, or at least ASAP to the other party) without access to the mic?
Even if you read the audio from a file, you need the ability to fire up a secondary program to record the audio and write it to a file you can read back in – which offers the same possibility for abuse.
In fact, it is arguably worse as it is more likely to lead to security slipups (e.g. a locally-stored, world-readable, not-properly-deleted copy of your side of the conversation in the temporary file) than just accessing the mic yourself.
When I try to send a plain photo it demands access to my mic, explain that?
Android permissions that are requested by and granted to apps up front lump the camera and microphone together…
They wanted a new app that has permission to run in the background at all times reporting location information just like Foursquare has done with swarm. Their app reports location at all time also, but they do give you a choice whether or not to SHARE your location with your friends. Turning of the location reporting completely is not an option in the app. And just like FB messenger if you turn off the phones location or sync services the app crashes.
and don’t forget they do have plans for that mic and camera past what the messenger app is for like listening to your TV and creating on and offline connections using their facial recognition software and location data. Sure they are opt-in, but how many times has FB just changed your permissions without your.. well permission. They are suffering the backlash from being a bully with their app and it is about time if you ask me, but of course no one did 🙂
I didn’t like that I wasn’t given a choice, chat didn’t work for me any more, all I got was a popup screen pleasantly reminding me to “download” the app., so, to keep chatting had to get it. That said, I went in after it installed and turned off all permissions except the SMS stuff and it still works fine, just can’t use any of the features I don’t use anyways.
Google Play does not require you to check everything in the permissions list before you download the app. I only check off what I think is necessary, and the apps work just fine.
First of all,default should be off for the things we find offensive. We should not have to search and destroy permissions,but be asked to be used,like location. When a web site wants my location,I get a pop-up notice,which I denie to most who ask.
And secondly,arent we forgetting their little experiment knot long ago? They DID NOT even ask for permission then,and thus causing a lot more distrust. Its not just one little app now is it? When companies act in a dishonorable way,they have to go out of their way to earn trust back,NOT be handed the keys to the digital kingdom!
I get that the point of the article is to point out that just because the app has permission for something doesn’t mean it uses that permission in the worst way we automatically assume. However, are we forgetting that this is *Facebook*!? This is the same company that has been sued for unauthorized contact sniffing, purchased WhatsApp for way too much money just to further increase their contact ledgers, and is run by the guy that, when asked how he got people to sign up for his beta and give so much private information, responded with “They trust me. Dumb ****s”.
My issue is I only used fb to talk to a couple friends via email and it won’t let me install it as it says no device found which peeved me since I had to sign up for a google account (with all false info except for the cell which they needed for verification which is bs) which I didn’t want. I can only assume that it’s because my version of android is older.
I downloaded the app, then deleted it when I found i couldn’t turn off certain settings in the access it wanted to have. After deleting app, my asus tablet did a factory reset and refused to turn back on! Totally ruined my tablet, I had to buy a new one..very expensive app lesson to learn. I will not try again, can’t afford the expense! Beware of this app
Plausible Scenario:
A businessman uses FB like many to have a business presence on that medium. He uses his iPhone to access it to ensure contact throughout the day. The messenger app requires access to his iPhone contacts and within that are a large number of personal and business people who are perhaps not Facebook users. Of course that information is shared with Facebook.
His business privacy statement states something along the lines, ‘…We will not share your information with any third party outside of our organization…’
By installing the messenger app he has just violated his/his company’s privacy policy!
Why should anybody trust Facebook they are encroaching more and more into peoples lives, They are every where you go on the web and they leave 3rd party tracking cookies in your browsers that send information back to them so they know every web page you visit and you don’t need a Facebook account for them to be able to do this.
Why do Apps of every kind want access to your Facebook friends list or the contacts on your phone to begin with. Nobody has the right to give permission to an app to encroach on somebody elses privacy just because they are using a particular app on their Facebook page or on their phone.
While people continue to use apps that are asking for this type of permission nothing will ever change.
That’s why i have Adblock plus Ghostery and the Firefox privacy add on. on my computer.I believe Ghostery now has one you can use on your phone if you are using the Mozilla Firefox web browser.
Adblock plus is not enough to use on it’s own because all that does is block adds, Ghostery is really very good because it blocks all 3rd party tracking cookies, Facebook connect and also does a host of other things.
You can white list a web page that you visit on a regular basis, but then it is a good idea to remove it from your white list and add it back when you want to visit it again.
If you don’t care about your own privacy, you should care about your friends and families privacy.
By installing the messenger app he has just violated his/his company’s privacy policy! That hit the nail on the head. Messenger is not for me!
Happy sunday
Hi John … first thanks for the informative article.
Can I further inquire about the following … here are the facts ..
1. I have in Facebook my mobile number (mobile 1) registered in my account/profile.
2. I have FB app installed in my Iphone and messenger installed too. In messenger, the phone number I entered during the time of installation is the same as what I have registered in my FB account (mobile 1).
3. In my Iphone, I have a different mobile numbe (mobile 2).
Now this is my question (if you don’t mind, as I search the net for answers and nothing is clear to me even in Facebook Help) :
I am not able to see any suggestion of contact in my messenger if I don’t turn on SYNC. And if I do turn on SYNC, the persons in my addressbook who also has messenger in their phones will appear in my messenger contacts list, right ? My question is – any person who has my mobile number (mobile 2) will they see me in their messenger if I have a different number registered in facebook (mobile 1) ?
Hoping to hear from you … thank you in advance !
I just reinstalled facecrap messenger because I wasn’t able to get any of my messages on facebook and lo & behold right after reinstalling my account was hacked and UGG ads were posted all over my account tagging everyone. I’m sick of Facebook & Google with constant app updates yet the same “improvements” message rather than something telling us they are really updating the apps. How much did Facebook pay for this article? Both Facebook & Google can go to hell for all I care.
Out of principle I will not use it. Cannot turn off notifications. Cant have limited functionality one from browser. Huge memory.
Free Chat Messenger for Android and iPhone
Free Download nandbox chat messenger for Android & Iphone to share photo, video, audio & voice notes with friends and family in the secure environment; nandbox is the only messenger supports multiple profiles to protect user identity and privacy.
Free Chat Messenger for Android and iPhone
Free Download nandbox chat messenger for Android & Iphone to share photo, video, audio & voice notes with friends and family in the secure environment; nandbox is the only messenger supports multiple profiles to protect user identity and privacy.
Yes, you have to repeat the step again & again, because Facebook has assigned a specific expiry period (min 10 secs – max 60 secs) for
every access token.
It depends on different regions.
You know it can be used to spy on you with special apps?
My question is this. Why is it they require to record our audio and video instead of just temporarily recording our audio and video? I understand they record so that if you lose connection you will still receive your message. The apps can delete this information right after it has been received. None of the messenger apps that I have investigated do this. Doesn’t that make all of them big brother apps? Why don’t they do this temporarily? it could be done right in the programming of the app. It all sounds pretty fishy to me.
Turns out, it was.