In mid-2014 Facebook rolled out the Facebook Messenger app, a standalone version of that social network’s instant chat feature which users accessed separately on their mobile devices (i.e., without launching the full Facebook app). That rollout prompted renewed interest in a December 2013 article by Sam Fiorella (circulated widely in August 2014) that warned potential Facebook Messenger users that the app’s Terms of Service (TOS) “requires the acceptance of an alarming amount of personal data and direct control over your mobile device”:

Facebook’s Messenger App, which boasts over 1,000,000,000 downloads, requires the acceptance of an alarming amount of personal data and, even more startling, direct control over your mobile device. I’m willing to bet that few, if any, of those who downloaded this app read the full Terms of Service before accepting them and downloading the app. If you’re one of those 1,000,000,000 people who have downloaded this app, take a moment to read the following. I’ve posted, word for word, a few of the most aggressive app permissions you’ve accepted.

Allows the app to change the state of network connectivity.

Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Malicious apps may cost you money by making calls without your confirmation.

Allows the app to send SMS messages. This may result in unexpected charges. Malicious apps may cost you money by sending messages without your confirmation.

Allows the app to record audio with microphone. This permission allows the app to record audio at any time without your confirmation.

Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.

Allows the app to read your phone’s call log, including data about incoming and outgoing calls. This permission allows apps to save your call log data, and malicious apps may share call log data without your knowledge.

Allows the app to read data about your contacts stored on your phone, including the frequency with which you’ve called, emailed, or communicated in other ways with specific individuals.

Allows the app to read personal profile information stored on your device, such as your name and contact information. This means the app can identify you and may send your profile information to others.

Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

Allows the app to get a list of accounts known by the phone. This may include any accounts created by applications you have installed.

As others such as the Washington Post noted, however, many of these permission requests are neither uncommon nor unreasonable and aren’t really much different or more onerous than the permissions required by the main Facebook app itself:

In Facebook’s defense, there are plenty of legitimate reasons for requesting these permissions. Messenger needs access to your camera, for instance, so that you can send pictures, and few people would want to confirm microphone access every time they use the app to place a call. These kinds of sweeping permissions are also extremely common — probably to a degree you don’t realize. Even the most vanilla apps collect extraordinary amounts of personal data: WeatherBug requests permission to view your Wi-Fi network and other devices connected to it; RunKeeper wants permission to read your contacts and call log; even the Kim Kardashian game, which is all the rage these days, logs your location, your device ID, and your incoming calls. As with Messenger, the Kardashian game may have a valid reason to know when you get phone calls. (For instance, to save your spot before a call interrupts gameplay.) Yes, [the permission requests] are potentially “insidious,” but so are WhatsApp, Viber, MessageMe and virtually every other popular messaging app, all of which request comparably creepy permissions. On my insidiousness scale, at least, that ignorance of the devices and programs we use every day probably ranks higher than one overreaching app.

According to Facebook themselves, “the concerns about its Messenger app are overblown and based on misinformation,” as the Wall Street Journal reported:

Much of the problem, Facebook says, is due to Android’s rigid policy on permissions. Facebook says it doesn’t get to write its own, and instead must use generic language provided to them by Android. The language in the permissions “doesn’t necessarily reflect the way the Messenger app and other apps use them,” Facebook wrote in a Help Center article designed to address what it calls misinformation on the topic. Facebook also says the quotes in the [Sam Fiorella] article are outdated. Facebook says it has more control over the permissions language it uses in Apple’s iOS operating system, which handles the process differently. Android users must agree to all permissions at once, before using the app, for every feature an app might use. On iPhones, users agree to the permissions when they come up during the normal use of the app. For instance, if an iPhone user never makes a voice call with Facebook Messenger, the app might never ask for permission to use the phone’s microphone. While Android app users must agree to all permissions before using the app, iPhone users can decline to give permission to the app for some features, like access to the address book and microphone, but still use the app to send messages. Due to this, the iPhone version of the app is superior for particularly privacy-conscious users. Regardless of the permissions, both the Android and the iOS Messenger apps are subject to the data use policies and terms that govern all Facebook users and every app within the Facebook family. The bottom line is that, while some users might think it’s a drag to download a separate app for a feature that was once included in a single app, they’re not actually giving up a significant amount of additional privacy in the process.

The brouhaha over Facebook Messenger’s Terms of Service does highlight a couple of important issues with the apps many of us use these days. One is that “free” products are not truly free — someone has to pay for their development, deployment, and maintenance, and that funding is commonly accomplished these days by serving up ads to users. But advertisers want to be able to target and personalize their ads to specific groups of viewers, and that targeting requires knowledge of information about users such as their geographic locations, age, browsing habits, and the like. Providing this information is the trade-off we engage in as “payment” for the acquisition and use of free apps.

Another issue is that nearly all of us blindly accept the Terms of Service presented to us when we buy or download software without reading them, and that the TOS are becoming so lengthy that most of us simply couldn’t read, understand, and process them if we wanted to. A 2008 study found (as summarized by techdirt) that it would take the average person about a month of working time out of each year to just “read all the privacy policies you encounter on a daily basis” (exclusive of Terms of Service):

[A] report notes that if you actually bothered to read all the privacy policies you encounter on a daily basis, it would take you 250 working hours per year — or about 30 workdays. The full study by Aleecia M. McDonald and Lorrie Faith Cranor is quite interesting. They measure the length of privacy policies, ranging from just 144 words up to 7,669 words (median is around 2,500 words) and recognize that at a standard reading pace of 250 words per minute, most privacy policies take about eight to ten minutes to read. They also ran some tests to figure out how long it actually takes people to read and/or skim privacy policies. They put all of this together and estimated that it would normally take a person about 244 hours per year to read every new privacy policy they encountered … and even 154 hours just to skim them. And, here’s the thing: that’s only for privacy policies. Imagine if you read terms of service and end user license agreements too …

Whether Facebook Messenger’s TOS are truly “insidious” or not, Sam Fiorella warned that if users are willing to accept TOS as lengthy and involved as Facebook Messenger’s without reading them, app developers might be “emboldened” to include even more potentially invasive conditions in future TOS:

If this many people have not read the Messenger Terms of Service (or have read it and don’t care), how emboldened will mobile developers be in the future? I understand the nature of “free” mobile apps. I’m prepared to give up some personal data for the right to access a game, content, or social network for free and to have an improved advertising experience while enjoying that free service. However, Facebook has pushed this too far. It’s time we stood up and said “no!”

As exemplified by this comment and answer exchange between Sam Fiorella and a reader, all of this concern highlights a common modern dilemma: In order for apps to do what they need to do efficiently, they need to be granted a variety of accesses and permissions by users. Do we accept that such access will not be used for malicious purposes (by either the developers or unauthorized third parties), or do we give up ease of use in exchange for more cumbersome protections?