Is Facebook secretly snooping on my photos to serve ads?

I’ve been taking part in an experimental drug study at the local Veterans Administration hospital. Now that the study is wrapping up, I thought it might be wise to take a photo of my medicine bottle for future reference. So, during a break in traffic on my way to my appointment the other day, I picked up my work Android phone and snapped some photos of my medicine bottle, like this one.

Until this blog post I hadn't shared this photo with anyone.

All seemed well until I logged into Facebook on the same phone yesterday. That’s when I was astonished to see this targeted ad show up in my Facebook feed.

Holy shit! What are the odds that Facebook would just happen to serve up an ad that matched a photo I took less than 24 hours earlier, a photo that I hadn’t shared with anyone? Call me paranoid but I can’t even fathom the odds that this is coincidental. I don’t post any medical stuff on Facebook, have never mentioned medicine or bottles or … anything. No keywords. There is nothing I’ve shared voluntarily on Facebook that could have summoned an ad that just happens to match a photograph I had just taken but never intended to share.

Did my Facebook app spy on my private photo to serve me this ad?

The simplest explanation is that Facebook is snooping on my phone’s photos and using them without my knowledge to send me targeted ads. There is just no way this can be coincidental.

This makes me furious. That Facebook monetizes the content that I willingly share isn’t the issue; after all, I’ve long understood that if something is free then that makes me the product. The issue is whether Facebook may be making use of the content that I am not willing to share, behind my back! It certainly looks like it is.

So, can Facebook do this? Certainly Facebook Messenger has raised privacy issues, one of the many reasons I don’t use it. Back in November, Facebook added a feature to Messenger called “Photo Magic,” which automatically scours your phone’s photos, allegedly to automatically tag and alert any Facebook friends it finds. Says Yahoo Business News:

In a bit of “Photo Magic,” Facebook is testing a new feature to make it easier to share your photos with friends — before you even upload them to the social network.

Using facial recognition, Facebook Messenger will look through your newly taken photos in your phone’s camera roll to identify your friends in them.

If Photo Magic recognizes one of your friends, Messenger will immediately send you a notification to send it to the person in the photo, so you don’t have to go the extra step to message or text them later.

Is tagging friends the only thing Facebook is doing when it’s snooping through your photos, or is it also using your photos to send you targeted ads? And what about the regular Facebook app? Did Photo Magic get quietly slipped into it as well?

To double-check what permissions I granted the Facebook app, I checked the listing on Google Play:

This app has access to:

Device & app history: retrieve running apps

Identity: find accounts on the device, read your own contact card, add or remove accounts

Calendar: add or modify calendar events and send email to guests without owners’ knowledge, read calendar events plus confidential information

Contacts: find accounts on the device, read your contacts, modify your contacts

Location: precise location (GPS and network-based), approximate location (network-based)

SMS: read your text messages (SMS or MMS)

Phone: read phone status and identity, write call log, read call log, directly call phone numbers

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

Microphone: record audio

Wi-Fi connection information: view Wi-Fi connections

Device ID & call information: read phone status and identity

Other: adjust your wallpaper size, receive data from Internet, download files without notification, control vibration, reorder running apps, run at startup, draw over other apps, send sticky broadcast, connect and disconnect from Wi-Fi, create accounts and set passwords, change network connectivity, prevent device from sleeping, set wallpaper, install shortcuts, expand/collapse status bar, read battery statistics, read sync settings, toggle sync on and off, read Google service configuration, view network connections, change your audio settings, full network access

Pretty all-encompassing list, isn’t it? For comparison, I looked up the permissions to Facebook Messenger:

This app has access to:

Identity: find accounts on the device, read your own contact card, add or remove accounts

Contacts: find accounts on the device, read your contacts, modify your contacts

Location: precise location (GPS and network-based), approximate location (network-based)

SMS: edit your text messages (SMS or MMS), receive text messages (SMS), send SMS messages, read your text messages (SMS or MMS), receive text messages (MMS)

Phone: read phone status and identity, read call log, directly call phone numbers, reroute outgoing calls

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

Microphone: record audio

Wi-Fi connection information: view Wi-Fi connections

Device ID & call information: read phone status and identity

Other: receive data from Internet, download files without notification, control vibration, run at startup, draw over other apps, pair with Bluetooth devices, send sticky broadcast, create accounts and set passwords, change network connectivity, prevent device from sleeping, install shortcuts, read battery statistics, read sync settings, toggle sync on and off, read Google service configuration, view network connections, change your audio settings, full network access

You can see that Messenger has a few extra things that one would expect for a messenger app, such as more SMS rights, but look at the storage and camera rights:

Facebook:

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

Messenger:

Photos/Media/Files: modify or delete the contents of your USB storage, read the contents of your USB storage

Storage: modify or delete the contents of your USB storage, read the contents of your USB storage

Camera: take pictures and videos

As you can see above, the rights both the standard Facebook app and Facebook Messenger use to read your photos, videos, and camera are identical; thus there is nothing from Android’s point of view that prevents the Facebook app from spying on your private photos the same way Messenger’s Photo Magic does.

So, am I being paranoid? Perhaps, but I am highly suspicious that something underhanded is going on here. The chances of this ad being shown to me are just too high not to be nervous. Further investigation is warranted.

A few parting thoughts:

  • I never opted in to allow Facebook access to photos I did not explicitly share (i.e., Photo Magic).
  • I cannot find any settings in the Facebook mobile app that might disable this feature.
  • If Facebook has access to my private photos, then state security organizations can, too.
  • Android 6.x offers the ability to fine-tune app permissions. It can’t get deployed to my phones fast enough.
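The Play listing only shows what an app may request; on Android 6.x the grants can be read per app and revoked. The script below is an added example, not part of the original post: it reads `adb shell dumpsys package` output and prints the `pm revoke` commands for the storage and camera permissions compared above. The package names `com.facebook.katana` (Facebook) and `com.facebook.orca` (Messenger) and the sample dumpsys text are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find which storage/camera permissions an app currently holds,
# from `adb shell dumpsys package <pkg>` output, and print revoke commands.

# Android permission names behind the Play listing's Photos/Media/Files,
# Storage and Camera groups.
SENSITIVE='READ_EXTERNAL_STORAGE WRITE_EXTERNAL_STORAGE CAMERA'

# Read dumpsys text on stdin; print each granted sensitive permission once.
granted_media_perms() {
    awk -v want="$SENSITIVE" '
        BEGIN { n = split(want, w, " ")
                for (i = 1; i <= n; i++) keep["android.permission." w[i]] = 1 }
        /: granted=true/ {
            name = $1; sub(/:$/, "", name)
            if ((name in keep) && !(name in seen)) { seen[name] = 1; print name }
        }'
}

# Read permission names on stdin; print (do not run) the matching
# `pm revoke` command for package $1.
revoke_commands() {
    pkg=$1
    while read -r perm; do
        [ -n "$perm" ] && printf 'adb shell pm revoke %s %s\n' "$pkg" "$perm"
    done
    return 0
}

# Constructed sample of dumpsys output; the exact layout varies by release.
SAMPLE='    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=0x0
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=0x0
        android.permission.CAMERA: granted=false, flags=0x0
        android.permission.READ_CONTACTS: granted=true, flags=0x0'

# With a device attached over USB debugging: sh audit.sh --device
# (package names are assumptions, see above)
if [ "${1:-}" = "--device" ]; then
    for pkg in com.facebook.katana com.facebook.orca; do
        echo "== $pkg"
        adb shell dumpsys package "$pkg" | granted_media_perms | revoke_commands "$pkg"
    done
fi
```

Run without arguments it only defines the functions; pipe `$SAMPLE` through `granted_media_perms` to see the parsing without a device.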