"The documents also reveal that, in 2015, a permissions update for Android devices, which users were required to accept, included a feature that continuously uploaded text messages and call logs to Facebook."
Wow, that's some sleazy wording. While users were required to accept the permissions update for the simple reason that Android at the time didn't offer any way to pick and choose what permissions to grant, the very email they're basing this claim on says that actually accessing and uploading call logs was opt-in. Ironically, the coverage of this has demonstrated exactly why this was (as the released email put it) a high PR risk.
No, I think the parent comment is making the distinction that the Android permissions model at the time wasn't very granular, so Facebook's app had to request more permissions than it intended to use, and that FB offered a separate opt-in within their own app.
I don't use the FB app, and I have no idea how this was presented to users and whether it was a legitimate choice or a "dark pattern" to trick users into handing over everything.
Pretty much, though the problem isn't that the permissions weren't granular - reading the call log has been its own permission since Android 4.1, and apps targetting that version have to request it separately even if they support older versions - but that there simply wasn't any way for users to grant only some permissions. So Facebook had to request all the permissions they might want to use from every single user, regardless of whether those users ever opted into the features that required them.
The first official version of Android that allowed users to turn individual permissions off was Marshmallow, released in October 2015 with the first beta in May 2015 - the email in question is dated the start of February 2015 and says they planned to ship it by the end of the month.
And FB's platform permission stuff itself was not very granular for a long time - still might not be.
Years ago, building basic 'login with facebook' things for apps, the minimum my app could do was to have access to your email, name, and your friends list. Whether the friends list was used or wanted or not, it was always part of basic permission requests.
Actually, the email only indicates that they intended it to be opt-in at some point. I don't remember whether they actually did implement that prompt for call records - and it certainly seemed like a surprise to everyone when it was discovered that they were doing that. Do you think that would be the case if people had knowingly gave permission for facebook to upload all that data?
This is ridiculous. They uploaded my private messages because "Android didn't offer any way to pick and choose what permission to grant". Why didn't their app simply asked this in a pop up? Are we seriously gonna pretend this was a valid reason for people's text messages to be stolen by Facebook?
Wow, that's some sleazy wording. While users were required to accept the permissions update for the simple reason that Android at the time didn't offer any way to pick and choose what permissions to grant, the very email they're basing this claim on says that actually accessing and uploading call logs was opt-in. Ironically, the coverage of this has demonstrated exactly why this was (as the released email put it) a high PR risk.