Last night I saw a tweet that said something like “I just talked to someone for the first time ever. How the hell did Facebook suggest adding her as a friend a second later?” The language was a bit stronger, but you get the gist: it was anger mixed with a sense of unease, that a line had been crossed. The user was surprised by the way information was used, and not int a good way.
It boils down to how much users understand the product, information they are allowing access to, and what is actually done with that information. Users grant permissions without really understanding what data they are allowing access to. On Android, permissions are lumped into categories that many times don’t directly explain what the app will do with the data. The permissions are worded broadly, group several functions where not all may be used by the app and, since they are not written by the app developer but by Google, they don’t adequately describe what the app is used for. For example, in the Facebook app’s permissions, there’s a request for “Phone. Uses one or more of: phone, call log. Charges may apply.” Does that tell the user that Facebook will correlate their phone log with other users’ phone numbers? No, and Facebook doesn’t elaborate on their Play Store page, the one place they can add their own text.
It’s worth to note that some app developers do provide this information for their users but it’s usually on their web site, not part of the Play Store profile. SoundCloud is an example of an app that has a great permission explanation page, explaining each permission, why they need it and what they use it for. They also direct users to this page from their Play Store page. Facebook, on the other hand, hasn’t updated their Android app permission explanation page for over a year (as far as I can tell) and Android made significant changes to how permissions were grouped in June 2014.
Given this wide gap between the data access users grant and what it ends up being used for, it would help users if Facebook, instead of just suggesting a new contact, added a reason why it’s suggesting it? Would it be less surprising if the user was presented with “Would you like to connect with Julie? You just talked with her and she allowed his phone number to be used to find her.” Would that be less creepy? Reading it, I’m not sure.
It’s not just Facebook that makes these connective leaps, LinkedIn does them as well, basing suggestions off my email address books of my various accounts. Would it be better if instead of the vague “do you know Tom?” LinkedIn would state where they found Tom’s contact information. Most of the messaging apps also make smart use of contact and phone data.
I’ve written about this before and I’m sure I don’t have half the reasons Facebook, LinkedIn or any other app chooses what data to use and how to use it. But I do know that Facebook did face a “permissions backlash” after the launch of the Messenger app which might have been mitigated where users less suspicion. I think that the best practice in this case is closer to what SoundCloud is doing: explain every permission, what it is and how the app uses it.