Privacy: When the Application Exceeds its Brief

The recent imbroglio surrounding Facebook and its Android application exceeding its brief caught the attention of all users. In other words, the application was requesting access to information on your device that really wasn’t necessary for the application to function. The information was collected to allow the recipient (Facebook, in this instance) to paint a more complete digital image of you, your contacts and your/their interaction.

Facebook’s Role

Facebook, in its defense, noted that there was nothing surreptitious in the collection of the information from Android users of the Facebook application. As noted in a recent ARS Technica piece on the situation, Messenger and Facebook Lite explicitly request permission to access SMS and call data “to help friends find each other.”

Here’s the text of the message shared by ARS Technica:

Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provide you with a better experience across Facebook. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.

From the Facebook optic, you opted-in when you clicked OK. This is simply a matter of not paying attention to what you’re clicking.

Class Action Suit Shows More Privacy Concerns

Then we have a gaggle of application developers, all of whom were accused of violating users’ privacy and sued as part of a class action that was settled in late March.

The applications caught up in the class action?

  • Foodspotting Inc. (“Foodspotting”),
  • Foursquare Labs Inc. (“Foursquare”),
  • Gowalla Inc. (“Gowalla”),
  • Instagram LLC (“Instagram”),
  • Kik Interactive Inc. (“Kik”),
  • Kong Technologies Inc. (formerly known as Path, Inc.) (“Path”),
  • Twitter Inc. (“Twitter”), and
  • Yelp! Inc. (“Yelp”)

The application developers and providers were accused with “unlawfully uploading their [users] address book data without their knowledge or consent.” This case, filed in March 2012, settled with the application defendants agreeing to pay $5.3 million. The settlement does not include pending claims against Apple for “misrepresentation and false advertising.”

What can an eligible user expect to receive? Somewhere between $10.70 and $39.

Some may speculate that the settlement was propelled forward as the companies and their legal teams saw the writing on the wall when the court of public opinion swung like a guillotine against applications and personal privacy infringement. But, such was not the case, as the settlement was reached in 2017, before the Facebook privacy brush fire.

Do their applications continue to ask for more than they need? Sadly, yes.

Hootsuite, as an Example

Security Boulevard - Hootsuite-Burgess
Burgess Example

Let’s look at Hootsuite. It has a stellar application (disclosure, I love it and have been using it regularly from the day the application launched), but not with LinkedIn. Why? Because, in my opinion, Hootsuite oversteps the level of information the company desires versus what is required.

As you can see in the image, when I connected LinkedIn to my Hootsuite dashboard, the application displayed all the interactions/information with respect to my LinkedIn account that the application desired.

You’ll notice the application wants to harvest all the “first- and second-degree connections.”

I paused. I went to Twitter and asked the question of Hootsuite, why?

Hootsuite’s Helpers jumped right in to help me complete the connection.  A more pleasant and affable group would be difficult to find. That said, the group didn’t quite understand, at first, that I didn’t want to give Hootsuite all the permissions requested so that I could connect LinkedIn to my account.

Please, I asked, could they explain why first- and second-degree connections were required? After many iterations, the final answer: It’s LinkedIn’s fault.

“However, it is necessary for us to request all these permissions in order to be able to post to LinkedIn. We comply with a strict privacy policy and our intention is to make sure that our user’s information is not compromised, so rest assured that we comply 100% with whatever restriction or rule is set by the social networks themselves (in this case LinkedIn). Thank you for your understanding!”

Now, I’m not a technologist, but I have spent a bit of time trying to garner a better understanding of authentication and OAuth specifically. This just didn’t ring right in my ear.

I checked with LinkedIn and noted how Linkedin gives applications wishing to use the OAuth 2.0 protocol a minimalist capability. How to is detailed in LinkedIn’s “Authenticating with OAuth 2.0” information page and SDK. Clearly, Hootsuite needs more than just name and contact data to post and retrieve information from a person’s feed. The app very well may need your first-degree connections to populate your feed, but that is not clear.

(Update: Hootsuite reached out to provide clarification. The company advised it requires the first- and second-level data to calculate the aggregate reach of postings for the Hootsuite users. Assurance was provided that the company “do(es) not capture, nor show the personal information of those first and second-degree connections.”)

What to Do When the Application Seems to Exceed its Brief

When authorizing OAuth permissions across applications, understand what it is that you are sharing. As painful as it may be, take the time to read the accompanying permission chart (like the one’s in the LinkedIn example above).

In the above example, Hootsuite is 100 percent upfront that it wants to access your LinkedIn data. If you click yes, you agree, if you cancel out, you don’t. I opt not to use the application with LinkedIn for this reason; your mileage may vary.

If you can’t remember, go back into Google, Twitter, Facebook, LinkedIn, etc. and review the applications you’ve given permission to connect and what is being shared with the application.

Knowledge is power. Now, go exercise that power.

Christopher Burgess

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 186 posts and counting.See all posts by burgesschristopher