Facebook told Computerworld that the Android OS controls how the permissions are worded and its language won't necessarily reflect the way each app uses them.
Android users at any time can call up an app in the Play Store and scroll down to "permissions" to click on "view details" to learn more. For this information on the Messenger app, the Android permissions listed don't even mention the phone or camera and now only refer to "find accounts on the device," "read your own contact card," "read your contacts" and find your approximate and precise location.
Computerworld on Monday loaded the Messenger app onto a review unit of the new Samsung Galaxy S Sport that was supplied by Sprint and received a number of permissions that seemed at times to revert to the more draconian privacy warnings of December. For the camera, the permission (in a pop-up) said, "Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation." (see screenshot on previous page) For the phone, it simply said, "Uses one or more of phone, call log. Charges may apply."
For its part, Google said it does not allow developers, including Facebook or others, to adjust such permissions wording because permissions are designed only to address what an app will have access to. Exactly how an app uses the camera or phone is up to each developer and they are allowed to include links to their privacy policies on their app's Play Store listing page. It's there that developers can list how they plan to use the information, according to Google. Google also lays out the process that developers should follow in its Android Developers pages.
The concerns raised over Facebook Messenger privacy caused some analysts to wonder how exactly Messenger and other apps, such as Skype, Line and Snapchat, will use a person's phone or camera without their knowledge.
"I'm in a group that likes to protect my privacy, so I am very wary of clicking yes on permissions when I don't understand why they need permission," said Jack Gold, an analyst at J. Gold Associates. "With the camera, there may be a legitimate reason for the app to use the camera to scan a bar code or to scan a Passport as United Airlines does for international check-ins, but I'm still leery about doing so."
Gold agreed with Facebook that Android's general purpose permission wording is too vague about what the permission is for or what will be done. "Having access to the microphone for VoIP and chat sessions is fine, but having it monitor you surreptitiously is not," Gold added. He urged Google to have a more granular permission policy, but noted that Google and Android are making an attempt to define permissions when a user tries to download an app. With iOS, the permissions are often much more vague and general, he noted.
Ultimately, the Facebook Messenger privacy flap is another warning to app users to beware, but also to the mobile industry and developers to find ways to explain to users the permissions for many hundreds of thousands of apps.
"The app has to build a trusted partner relationship with the user," Gold said. "If you inherently trust the app maker, in this case Facebook, and are interested in using the app, then you'll likely click yes. But should you trust the app? If you don't click yes to permissions, then the app won't load. That's the dilemma users face, and it's all or nothing. Having granular permissions against what an app is actually doing is the next step in OS development."