
I'm sure they had their "permission" on page 27 of the terms of service. This isn't news...

My opinion is still that those terms of service are silly. If I ever do start my own business, one of the things on the checklist is to have a minimal, if any, terms of service, because nobody wants to waste time reading them, and 99% of what is in ToSes is in the law anyway. Except, of course, data collection beyond functional requirements. That would be a good thing to hide in long ToSes.




If you read the TechCrunch article you wouldn't have to guess where it was shown. There is a screenshot of the prompt that shows that the prompt and explanation "Continuously upload info about your contacts like phone numbers and nicknames, and your call and text history." Your solution of hiding this information in a minimal terms of service is strictly worse.

My takeaway is that you can tell users exactly what you're doing and they'll still be outraged. So don't do creepy stuff.


I got my contacts uploaded at some point despite always making sure to reject their prompt. I'm sure people will claim it was just a "bug" or I must have just mistapped (which I have no reason to believe was the case, but how would I prove this), but either way, it's oddly convenient how it works out for them.


That is worrying. The iOS security model would have served you better; Facebook could never accidentally forget you’d said no.


Facebook probably knows if the user is drunk.

Ask for permission at 3am on Sunday. People will press Allow just to get done whatever they thought they were doing, and forget they ever pressed it.


> That is worrying.

Indeed. :\

> The iOS security model would have served you better; Facebook could never accidentally forget you’d said no.

Interesting, so you mean this is the case even if I uninstall and reinstall the app? What if I wipe the OS and reinstall (as "cleanly" as is possible)?


In the iOS security model there's no fixed grab-bag of permissions you accept when an app is installed. Instead the app must explicitly ask for access to each credential on an as-needed basis while the app is running. The request must happen when you request to use that particular feature. And the app is expected to continue working if you say no; just with the corresponding features disabled. So for example, on iOS WhatsApp only requests camera access when you try to take a photo in the app.

If you say no, Facebook can't access the data. Facebook can't conveniently forget that you said no and access the data anyway - if you say no at the system prompt, the OS won't give the app access to that data in the first place.

The system isn't perfect - it turns out my mum wasn't getting chat notifications on her iPhone because she doesn't know what notifications are and she's been saying no to the prompts. But I find it somewhat refreshing to see beginner users erring on the side of saying no, rather than always saying yes to every random prompt the computer spits out. Fail-private is better than fail-public.


I don't think Facebook ever "forgot" what I said, rather it was that I was reinstalling the app for whatever reason, so it really didn't have that information. That's why I asked what would happen if something similar happened on iOS.

Also note that Android's new security model (version 6+?) is pretty similar to what you described, but yes, I do believe this incident occurred on an older version.


Privacy is like eating your vegetables. Or doing those push ups every morning. Given any excuse people will ignore common sense and the lizard brain takes over. Facebook knows this like no other. The outrage too comes from the lizard brain once it realizes the dangers of the situation it is now in.


I think this should be amended to "don't do creepy stuff" in the cloud.

This is why encryption on our phones is so important. I want my phone knowing all sorts of "creepy" things about me (medical records, etc) so that it can be more useful. What I don't want is that information anywhere except under my immediate control.

Storing encrypted in the cloud is OK as well, I suppose, as long as the encryption key is only available to me.


The article mentions people who did not get that prompt and still have the contacts and calls uploaded. Could this prompt have been added later, so people who used FB before it was added did not have the chance to opt out?

I did not see an OS permission prompt in the screenshot, so if the app had the access locally, a bug in the settings could have reset/flipped the options and uploaded the data anyway, like how Windows forgets about your privacy settings on updates.


One man's creep is another man's crop.


I don't know... are they not written in blood, so to speak?

For example, I assume all warranty disclaimers include "not even the implied warranty of merchantability or fitness for a particular purpose" because somewhere, in a legal dispute, "no warranty" was not enough.


And if the warranty-disclaimed item had been sold and depending on the nature of the sale, such term probably wouldn't hold up in many jurisdictions. Otherwise such a term can be carte blanche to fraud.


> nobody wants to waste time reading them

How about a law that requires the party presenting legal paperwork to show that the recipient could have read the document. Use an algorithmic method to estimate the reading time, take off ~33% to account for variance in reading ability, and declare that the minimum time that must be spent with the document.

If you cannot show that e.g. someone clicked "I Agree" at least 5 minutes (or whatever) after they received the ToS text, then the court will assume prima facie that they have not read the ToS and are not responsible for anything in it. The friction this would add to the checkout/signup process grows with the document size, creating an incentive to write short and simple ToS.


No thank you.

How about present your TOS in a form that is understandable by the average user in a span of 2 minutes? Without being a lawyer...(and I doubt you have 2 minutes at all)


The OP's point was that the app creator will be forced to consider how many lines of text he will put in the EULA. If such a law adds a forced timeout and your EULA means the user has to wait 10 minutes, you have to think about removing some crap.

"Don't do creepy things" should be a different law.


I think that’s a good way to create an incentive to write short TOSs. They shouldn’t be legally enforceable unless people are actually reading them. Nothing good can come out of that.


Various ToSes already attempt this. Either by forcing you to scroll to the end, timing you, or by putting verification next to each paragraph. Still, no one reads them. The problem is putting a legal contract before a leisure app. I'd rather see legislation that requires the reading level and length of the ToS to match the reading level and attention span of the average user.


The problem, as I’m sure you’re aware, is that the reading level and attention span in this case are minimal. People click through ToSes just as they click through installers. Even if the ToS was 5 words on the screen in 36pt bold font saying “WE COLLECT: Text, call, and contact data”, people would still not take the time to read or understand or care about what that actually means. They want to see cat / friend / baby photos, and will mash buttons until that happens, onboarding processes and tutorials be damned.


And what happens if some big company asks you to 'polish' the ToS a bit, to make it more 'lawyer style', because otherwise they won't spend an additional $10m on your business?


This is the real bullshit.

Other people's lawyers are the worst.


Just for the record; your lawyers are other people's other people's lawyers.


Statistically speaking, they're probably not the same "other people's lawyers." As in, you're probably small and they're probably big.

Big firms acting for small clients generally doesn't work out so well for the small client.


I got this objection once for a mere 100k. The most enterprisey client stalled negotiations for quite some time because we didn’t have long enough TOS. There was no issue with the content just length.


Wtf, this is a thing?


Personally, I'd say no because I value the trust of my users over corporate money.



