MediaTech Law

By MIRSKY & COMPANY, PLLC

Granting Access: Real and Imagined Threats Regarding Terms of Service

Posted by Rob Ellis in Blog, Uncategorized 1

Introduction

The latest Nielsen data show that the average smartphone owner uses approximately 26 apps in a given month. (Median use is probably quite a bit lower, but the numbers are still impressive.)  Marketplaces for apps, like Apple’s App Store and Google Play, have standardized how apps are distributed. Users are informed of an app’s features, as well as the extent to which the app may function on a particular smartphone. From taking pictures and recording video, to collecting GPS and location data, to accessing contact lists, apps have access to larger and larger sets of personal information. For all practical purposes, each of those apps employs some type of Terms of Service (“TOS”) agreement and privacy policy outlining its required permissions before it may be installed and used.

Practically, it is oftentimes unlikely that users downloading an app fully read and comprehend the terms of service or privacy policy, but instead give the app’s list of requested permissions no more than a cursory glance. A 2008 study by Aleecia M. McDonald and Lorrie Faith Cranor found that – based on the median length of privacy policies and the standard reading pace of 250 words per minute – it would take an individual approximately 30 work days to read all of the privacy policies encountered on a daily basis. The study only accounted for privacy policies, and not terms of service agreements or user agreements. Due to the length and ubiquity of these terms and policies, it is reasonable to think that many users do not take the time to fully understand the terms and policies to which they agree. This explains why users may not know exactly what permissions and capabilities they’ve approved for the apps they use.

While it may be practically unreasonable to expect every user to read every privacy policy, end user license agreement and TOS encountered on a mobile, tablet or desktop device on a daily basis, it is important that users understand the different ecosystems they agree to join. Whether it’s via a music app like Pandora on a mobile device and desktop, or through a messaging system like WhatsApp, users grant an ever-broadening list of permissions to the app creator, the cellular data provider and grant ever-growing access to the smartphone or device itself.

Facebook Messenger

Facebook has been rolling out its new stand-alone Messenger App since April 2014, allowing users to use the messaging service separate from the Facebook app. In the past month, however, due to the resurgence of a December 2013 Huffington Post blog post by Sam Fiorella, a call to arms has ensued espousing the “insidious” nature of the Facebook Messenger App (e.g. 1 and 2).

Why did it take over 6 months for the December blog post to go viral? Because in April of 2014 Facebook began requiring that mobile users of its standalone Facebook app install the new Messenger app. Facebook achieved this by removing the instant messaging feature from within the existing Facebook app, recommending to its hundreds of millions of users that they install the new app for a better experience. This type of “forced” adoption, coupled with users’ wariness of the required permissions, resulted in greater public awareness of the issue, and renewed attention in the 2013 Huffington Post blog post.

At issue is the claim that the app’s Terms of Service (TOS) “requires the acceptance of an alarming amount of personal data and direct control over your mobile device.” These items include allowing the app to: change the state of network connectivity; call numbers without user prompt; send SMS messages; and record audio with the microphone. It has been noted  that the permissions requested on Android smartphones exceeded those required on an Apple iPhone. The online chatter regarding the app became so prevalent that Facebook released a blog post detailing how the app requests permissions on an Android device, and what those permissions entail.

Two main facets of the attention garnered by the Huffington Post blog post were:

  1. The Messenger App appeared to have stricter permissions requirements on Android devices than on Apple devices; and
  2. The list of required permissions was (in Fiorella’s view) onerous and exceeded the bounds of what is normal.

Android Permissions v. Apple Permissions

It turns out the reason Facebook Messenger appears more invasive regarding the requested permissions on Android devices than on Apple devices is not because of the permissions requested, but how each platform requires apps to inform users of the required permissions. Apple’s approach is that once a user installs an app, the particular permission requested appears at the time the permission is first accessed – not at the time of installation. For example, a user who has installed Facebook Messenger who initiates a video chat through the app for the first time will see a dialogue box appear stating that the app wants to make use of the phone’s camera and microphone. Approval of the request allows the app to access that feature in the future.

(Note: A wonderful exchange on the technology message board Stack Exchange breaks down what Apple does and does not allow in terms of the claims made about the Messenger app. It also details how the language of the December Huffington Post blog is “clearly Android”and does not apply to Apple developers.)

Android, on the other hand, requires the app to list all permissions required by the app at the time of installation. What results is a wall of text listing all of the permissions required, which must be accepted by the user. Furthermore, the language displayed to the user is set by the Android device, and not by the app. This results in statements like “[the app may] Record audio, and take pictures and videos, at any time.” While this statement may be true, in practice, the app will only record audio and take pictures and videos when the user initiates the action.

Are the Permissions Requested Too Onerous?

Several critics of the app (see above linked posts), however, stated that even if the permissions are the same on both Android and Apple devices, Facebook is requesting an oppressive amount of personal information. On the other hand, a recent Tech Republic blog post by Jack Wallen compares the permissions of the Facebook Messenger with those of Google’s Hangout app, which is a comparable app allowing users to chat, share and take images, and conduct video calls. It turns out that when listed side-by-side, the Google Hangout app requires more permissions than the Messenger app. More importantly, however, Wallen points out that these permissions for both apps are standard and required. “In order for the app to do [what it is designed to], it must have access to those services or input methods.”

The recent dust-up around the Facebook Messenger app highlights the importance not only of understanding what is required by apps to function, but of the importance of users understanding what they agree to when accepting a terms of service.

An argument could be made that stating “users must understand the consequences” is really a false choice. That users do not really have many alternatives and the only options include either using a ubiquitous service like Facebook’s Messenger app or eschewing technology altogether and living off the grid. Although, in a literal sense, this just is not true. A quick search for “free chat apps” on the Google Play store results in over 100 viable alternatives. While some effort would be required to get a particular set of friends to also download an alternative app as to make the product personally useful, nonetheless a multitude of alternatives are available.

More to the point, even if the Facebook Messenger TOS is onerous, and allows Facebook the ability to record user’s conversations with no prompting whatsoever, some responsibility does lie with the user who willingly agrees to the contract governing use of the app. When willingly accepting a TOS, the user must understand there are consequences.  (And indeed that’s the way things basically stand with how contract law in the United States is structured.)

This is particularly important because…

Google Really is Reading Your Email…

It is fairly common knowledge that as a condition of use of Google’s Gmail service, the company scans the content of an email to better serve up ads within the window. While the ads are surreptitious and usually text base, this means then when a user is reading an email thread discussing upcoming DIY home repair tasks, Google can serve up a relevant ad for latest special at Home Depot or Lowes. As has been recently reported (Washington Post, The Verge, PCMag), however, the company is also scanning user’s accounts for illegal activity. In particular, Google matches “images in emails against its known database of illegal and pornographic images of children.”

This practice was reported in late July after the arrest of John Henry Skillern, a registered sex offender who was convicted of sexually assaulting an 8-year-old boy in 1994. Google contacted the National Center for Missing and Exploited Children regarding images Skillern had in his Gmail account. That tipoff led to the man’s arrest.

While it is hard to criticize the outcome here, questions arose as to whether Google had crossed the line. In the Washington Post coverage of the arrest, Chester Wisniewski, a senior security researcher at the security firm Sophos, pointed out the difference between scans conducted by security firms and those conducted by Google. While security firms often come across child pornography among the files scanned for clients, Google actively looks for these images in their routing scanning for ad keywords and malicious software.

According to The Verge’s coverage of the arrest, however, Google goes out of its way to note that it’s reporting on email activity stops at child pornography. Google goes so far as to state that a user could even orchestrate a blatantly criminal plot over Gmail, and the company would do nothing about it. It may well not even have technology set up to identify such a thing. A Google spokesperson told the Associated Free Press, “It is important to remember that we only use this technology to identify child sexual abuse imagery — not other email content that could be associated with criminal activity (for example using email to plot a burglary).”

Regardless of the privacy implications inherent in the scanning of user emails, users of Gmail willingly accept these practices when they actively accept the TOS.

Conclusion

The only thing that is clear is that users are often un-aware of exactly what they are permitting when accepting a TOS. Facebook’s Messenger app exemplifies an instance where users expressed misplaced outrage at permissions and features that are no more onerous than similar apps in the marketplace. The instance of the Google-initiated arrest of Skilern, however, depicts an instance where the scanning of emails is hard to vilify because of the nature of the crime, but which is difficult to swallow because of the possible negative “Big Brother” implications of such practices. Regardless of the situation, the public must take pains to understand exactly what they are allowing when they accept a TOS for an app or server, because the ramifications are complex and wide-ranging.

Share this article: Share on Facebook
Facebook
Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Email this to someone
email

Add Comment

Your email address will not be published. Required fields are marked *

Copyright 2022 Mirsky & Company, PLLC