I’d highly recommend never granting any app full access to your photos.
Facebook mobile is a suboptimal experience, which is fine, it just reminds me to use it less.
Once we deleted the app, the RTB requests went away for good. I've had pihole previously, and she's had the Facebook app previously, and we never seemed to have this issue. Perhaps Facebook is dredging up whatever profits it can since it's mostly cornered the population, and is potentially in decline.
Then I read your post and now I realize I’m still in the Meta world. Forgot about WhatsApp for a second.
One issue with permissions is that they apply to the entire app, including any third-party dependencies. Lots of apps use libraries given to them by advertising services -- they notoriously exploit permissions given to the app.
What pisses me off, though, is that I didn't find a way to give a contact a name without allowing it access to the phone's contacts.
The truth is, Meta isn’t building community, it’s building a surveillance hellscape where every click, glance, and pause is commodified. If you work there and still believe you're doing something good for the world, you're either delusional or willfully blind.
"Facebook patent uses image recognition to scan your personal photos for brands" https://www.fastcompany.com/90333067/creepy-facebook-patent-...
"faulty pixels, lens scratches, other ‘camera artifacts’ and metadata within the image would be used to associate Facebook users with particular images. " https://www.imaging-resource.com/news/2015/09/18/facebook-wa...
But now Whatsapp retains access to all the photos I added unless I go into settings and revoke access to those photos. Creepy.
And yeah the contacts thing also pisses me off. They know what they are doing.
When a corporation does shady shit, the last thing you'd do is trust the tools they provide to limit that. That's just insane.
>"People just submitted it. I don't know why. They 'trust me'. Dumb fucks." -Mark Zuckerberg
Every Galaxy I ever owned came with uninstallable facebook apps, despite paying over 1k for the phone.
On the last one I had, I went in and did the ritual deleting facebook, and going in the settings to disable their other background apps.
I checked the phone 8 months later, and found that they had installed even more facebook apps that were now running without my consent.
That was the end of those phones for me, and I'm amazed that I put up with it for so long.
It won’t work for all use cases, but when it works it’s very practical. I’d love to see apps use that as the default - and request additional access only when the user’s current action actually requires it.
> "WhatsApp" has been able to access your entire photo library for 6 months. Do you want to continue to allow full access?
Screenshots: https://macreports.com/app-has-been-able-to-access-your-enti...
Not really, given whatsapp could be theoretically keeping a local copy and the operating system can't really do anything about it. It would also be a pretty weird case to code. Imagine writing an app where if you tried to save a file, you couldn't immediately access it afterwards.
Apps like Messenger, Telegram and WhatsApp refuse to show me the regular old photo picker. I have to enable "limited access" and select the same photos twice (first add to the set, then select for sharing). It's infuriating.
PS: The exception is media management apps, but those are extremely rare and irrelevant in the context of social media and communications apps.
My guess is that this only affects people who have granted FB the permission already.
It works fine in other apps such as Signal and even Teams.
I don't really want Moxie or MSFT to have persistent access to any part of my personal photo album either, no matter how good they say they'll be.
I know that that’s partially implemented with the limited photo access now, but it’s confusing from a UI perspective and I don’t understand why this isn’t the default.
The only apps that need full access to my camera roll, are apps like Google Photos, Nextcloud or Immich. Everyone else can suck a lemon.
So apps like Google Photos or other alternatives to the Apple made Photos app just shouldn't exist at all, if I understand you correctly?
The only feature request I have is to be able to scope app permissions to an album, since the current flow of selecting individual photos adds a lot of friction.
Zuckerberg: Just ask
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How'd you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don't know why.
Zuckerberg: They "trust me"
Zuckerberg: Dumb fucks
Instant messages sent by Zuckerberg during Facebook's early days, reported by Business Insider (May 13, 2010)
> I don’t understand why apps need access to my photos at all [...] There’s no need for apps to access the entire camera roll [...] The only apps that need full access to my camera roll, are apps like Google Photos, Nextcloud or Immich
Which still makes me ask the question: they think no apps should access all photos, that there is never any need for that, and these apps currently do that and need it, so are they saying those apps shouldn't exist at all?
Photos -> share photo -> whatsapp
Instead of starting from whatsapp
I agree about the clicks—the UX should be one-shot select and share with the permissions handled implicitly.
[1] https://manualdousuario.net/en/a-less-affectionate-approach-...
Apple actually has a great API for selecting a single photo in a privacy-respecting way which does not give the developer access to the library at all. [0] But oddly, there is no corresponding API for safely saving or updating a photo in the library. So if your app involves editing a photo, you can't use this API.
The only option you're left with is to request photo library access with that scary dialog.
If the user selects the limited access option, it's not just confusing—it's a prohibitively bad user experience. If the user snaps a new photo and wants to edit it in my app, they have to tap a "Select more photos" button in my app, find the photo in the picker, close the picker, and then select the photo again in my UI.
Personally, I evaluate full access on a developer-by-developer basis. Indie app developers are highly unlikely to nefariously scan your entire photo library, as they lack any incentive or motivation to do so. So I give apps like Darkroom or Halide full access.
Meta, on the other hand, has every incentive to scan my whole library, and I assume they would. So even though it makes posting to Instagram much more painful, I selected limited photo library access for Instagram.
Apple really needs to introduce a safe way for developers to access just the photos/videos users select, and then update those assets.
[0]: https://developer.apple.com/documentation/photosui/photospic...
I click “add photo”, the system dialog opens, I select a photo, and then that gets sent to the app. Somehow, Apple managed to screw that up.
The devil cannot take your soul, but if he can get you to agree to a deal... well... good luck with that.
Here, the devil gets you to agree to some nice beneficial feature like "camera sharing suggestions ... for personalized creative ideas, like travel highlights and collages" or "cloud processing" for whatever benefit. AAaand you do, and there goes all your private photos. And the devil can rightly claim "but this is a mere contract dispute and the user agreed to all of this".
The ancient tales were supposed to be warnings, not How-To guides.
And of course now, these modern devils are just flipping the "Agree" button under the software all without your actual consent.
I do not let ANY Meta property or software run on any of my devices. If only everyone did the same.
Imagine if every time you wanted to upload a file online, you first had to allow the one website to access that image first in one menu before you could select the image in the normal file upload menu. That's the UX they're complaining about.
Telegram refuses to work if you provide it with just 1 dummy contact.
Some other clingy apps also get pouty and demand full roll access each time you try to use a photo.
What's even worse: For years, Apple has also allowed many apps including Facebook/TikTok/Tinder to use the "iCloud Keychain" API to store invisible information that tracks you across app reinstalls and EVEN DEVICE RESETS, because it's stored in your iCloud account, and there's no way for you to see what is stored or manually delete it without going through FB/etc and no way to be sure that they are indeed deleting everything.
I've ranted about that a few times but people just shrug it off like wtf (I imagine other people who abuse these APIs want to keep it buried)
That’s exactly how it works for me in iOS at the moment.
In addition, I can see the list of photos each app has been granted access to in Settings > Privacy & Security > Photos.
Any UX other than this is something the app developer has implemented on top. iOS works exactly like you described.
Some apps like WeChat somehow insist on building their own photo picker, and they get the copy/paste treatment.
Absolutely not. Saving a photo does not need the full permissions. If an app does that, the developer is either ignorant or malicious. I see multiple apps that only have "Add Photos Only" permission including apps like Duolingo that.
Similarly the use case of allowing the user to pick one photo doesn't require any permissions at all. Just use the system photo picker. I post reviews with photos regularly on Google Maps and the Google Maps app doesn't have any photo permissions.
I think this is good enough. If you consider they do shady stuff with your pictures, you might as well consider that they hold on to anything they get their hands on right away.
I uninstalled Facebook, Meta, MetaQuest, Instagram and deleted my accounts. I’ll never put one of their apps on my phone again.
Immediately removed all permissions, insane to take a photo from my camera roll and do that. Imagine if it was some nsfw picture suddenly being integrated into my feed while scrolling in public or so..
Now I'm not going to install any FB-related app on my new phone to test any other ways, because I'd rather not let them mark that device too if I can help it.
Yeah, that's the "limited access" mode but if the app uses the system photo picker[0], the app doesn't need any photos permission to pick a photo. Blame the app developers for not updating their apps (and this has been available since 2021 - they have no excuse.)
> Apps don’t need to request photo library permission when using either class, so the sample app avoids requesting permission until it’s necessary. A camera app, photo editing app, or library browsing app needs to use much more of PhotoKit‘s functionality, but [[an app that’s only setting a basic profile photo doesn’t need photo library permission]].
[0] https://developer.apple.com/documentation/photokit/selecting...
The solution is just straight up banning apps from the app store which request full photos permissions but only need a picker.
Whatsapp only needs a picker, it's not Google photos. Just make that part of the developer terms and start banning low hanging fruit and the apps will confirm in no time.
True, and this could maybe be solved by better app store review.
Every app submitted to the app store is reviewed by a human for approval. The reviewers could apply more scrutiny to photo permissions and reject apps whose permissions aren't justified.
So you granted Facebook permission to access your files in order to share a photo in some group 3 months ago, but now they secretly abuse that permission to scan your entire library for AI training.
It's my strong opinion that the only methods you've seen to this point[3-7] were deliberately chosen to be ones that don't work, and make things worse in the long run.
It's my hope that things will change for the better, but when I think about what group could lead that change, there's No Such Agency.
[1] https://en.wikipedia.org/wiki/Capability-based_security
[2] https://en.wikipedia.org/wiki/Capability-based_operating_sys...
[3] https://en.wikipedia.org/wiki/User_Account_Control
[4] https://en.wikipedia.org/wiki/AppArmor
[5] https://en.wikipedia.org/wiki/Security-Enhanced_Linux
For example, when you receive an audio message, if you want to listen to it, it will request full media access. Android apps can access media files they have created, so this permission isn't needed. But without granting media access (or tricking it into thinking it has it, like with GrapheneOS' storage scopes), WhatsApp won't let you listen to the audio. Same when trying to open an image full screen instead of just the in-chat preview.
If this were a small developer, I could assume it was done that way accidentally or to cut some corners. Coming from Meta, I can only assume malice.
I wouldn't install work programs directly on my devices without some kind of sandboxing because of cases like this.
Having given it that permission, I can share photos from within Whatsapp as well, without going to the Photos app. I'm not sure if the file picker that pops up is a Whatsapp component (meaning the "Limited" permission is essentially unlimited) or if it's a system component. I mean the latter would make sense, but I'm too cynical to believe it works that well.
So no it doesn't need permission to manage your local photos. Upload to Google and manage the photos on the cloud if you trust Google while increasing privacy for everyone else.
And yes, putting Messenger on my GrapheneOS phone is dumb, but my normal people friends all use Messenger, so that's where our group chats are. Best I can do is fail to convince them to install an XMPP client and join my self-hosted server, or minimize the impact of Messenger.
My question then is, when does this exploitative behaviour become criminal?
And if it isn't criminal, how do we make it so?
If you are working for Meta and you consider yourself a moral person, you should quit your job.
There are more important things in this world than making money. Help build a better world. You can live a comfortable life without helping Mark Zuckerberg ruin the planet. You can even make a lot of money, if that is what you dream of.
I think Facebook is deeply scammy now.
I deleted my accounts a few years ago and never looked back.
If they have access to the last photo ... every photo you ever took was the last photo. Why mess around giving apps permission to surveil/siphon off your photos at all?
Any carte blanche for apps, and apps will go to great lengths to take advantage of that in unexpected ways, and obscure the fact they are doing so.
And privacy losses can never be verifiably reversed.
All most apps need is for you to select photos to upload/import using an Apple supplied photo selector. So they only see and get exactly what you want them to have.
Uninstall is indeed the only option. There is no way in hell this is the last time they do something like this, nor is it the first.
I don't understand why Mark Zuckerberg isn't in jail, or via a "no admission of guilt" agreement, prohibited from being a corporate executive, at this point.
My ungranted personal information should be mine, with force of law, just as much as Meta's trade secrets are theirs.
On iOS you can:
(1) Choose no permission - Then, if you want, you can go to your photos in the iOS Photos app, select a few, pick "Send to App -> Facebook" when you want to give Facebook a few photos
(2) Copy and paste photos
(3) Choose "only selected photos" - In this case, in the Facebook app, you choose to add photos, the photos you previously gave the app permission to view appear and there's a button "Select more Photos". You can pick that and select more. I use this option personally
(4) Choose "all photos" - I give this permission to Google Photos since I use Google Photos to make all my photos visible across all devices.
If you choose 4, that just seems on you. You told them they could access all the photos.
Some apps are specifically for backing up all your photos.
> I want to send a picture now by selecting it.
Go to your photos, select a picture, pick send to app, pick the app
WhatsApp doesn’t use it and Apple doesn’t hold them to account over it. So, um, yay? Apps like Signal do use it.
On your phone, go to Settings -> Facebook -> Photos -> Limited Access
And you can choose which photos Facebook has access to.
When you first give an app access to your photos, you have the “Limited Access” option.
Set an app like WhatsApp to No Access or Limited Access.
Now try to upload a photo into chat.
Instead of just presenting you with all of your photos so that you can upload one, you first have to click "Manage" -> "Select more photos" -> "Add the photo".
Now you can select that one photo for upload.
That could obviously be trimmed up into Grant + Upload in a single operation, but instead it's so clunky that people grant Full Access just to avoid it.
It doesn't make much UX sense since I want to push one image into the app one time, while priv granting is for future pull operations that don't make sense 99% of the time.
The amount of malware installed on Android just from visiting a website is crazy.
I feel the issue here is Apple not enforcing developer guidelines (unless I'm misremembering here too). However, that frequently requires people making a stink. I suspect Apple's legal team has decided not to make an issue of it because of the Epic lawsuit, where public opinion is largely against Apple... even though Apple told Epic to pound sand over issues Epic has paid the FTC _HALF A BILLION DOLLARS_ and counting... to settle. See: https://www.ftc.gov/news-events/news/press-releases/2022/12/...
And to forestall "but Apple's cut." Reality check: Google's policy is substantially identical, and Amazon Appstore's was "we'll take 30%, but give 20% back in expiring AWS credit." I'm sure y'all will let me know of other app stores' policies.
The biggest reason is that it's probably enough of a ToS violation to get them yeeted from the app store.
It looks like it's using metadata to work out when to nag you.
That's not an OS limitation, this is a UX dark pattern from WhatsApp that they've purposefully added to make the UX terrible to push people into granting "Full Access".
I just tested it with both "Add Photos Only" and "Limited Access" modes with Signal and iOS does exactly what you described as the perfect UX. It's literally the following:
1) Tap Add Photo in a chat
2) System photo picker appears
3) Select which photo you want in your entire gallery (not limited to photos previously granted to Signal)
4) Photo is sent to chat
Again, this is with both non-Full Access modes. I think your beef is with Meta, not Apple.
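The two privacy-preserving paths several comments describe (picking a photo through the system picker with no library permission, and writing an edited photo back with the "Add Photos Only" level) look like this in code on iOS 14 and later. This is an added illustration, not code from Signal, WhatsApp, Apple's sample, or any other app named in the thread; `ShareViewController` and the `onImagePicked` hook are hypothetical names chosen for the example.

```swift
import UIKit
import PhotosUI   // PHPickerViewController / PHPickerConfiguration (iOS 14+)
import Photos     // PHPhotoLibrary / PHAssetChangeRequest

/// Hypothetical view controller used only to illustrate the two paths.
final class ShareViewController: UIViewController, PHPickerViewControllerDelegate {

    /// Called with the image the user chose; the app's upload code would hook in here (assumption).
    var onImagePicked: ((UIImage) -> Void)?

    /// Path 1: let the user pick one photo with NO photo-library permission.
    /// PHPickerConfiguration() without a photoLibrary argument runs the picker
    /// out of process: the app never enumerates the library and only receives
    /// the item(s) the user hands over, so no authorization prompt appears and
    /// nothing shows up under Settings > Privacy & Security > Photos.
    func presentPicker() {
        var config = PHPickerConfiguration()
        config.filter = .images
        config.selectionLimit = 1
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        present(picker, animated: true)
    }

    func picker(_ picker: PHPickerViewController, didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        // An empty array means the user cancelled; nothing was exposed to the app.
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }
        provider.loadObject(ofClass: UIImage.self) { object, _ in
            guard let image = object as? UIImage else { return }
            DispatchQueue.main.async { self.onImagePicked?(image) }
        }
    }

    /// Path 2: save an edited image back to the library with the narrowest
    /// level that allows it, .addOnly ("Add Photos Only" in Settings).
    /// This is write-only: the app can create new assets but cannot read,
    /// list, or modify existing ones, so the full-access dialog is never needed.
    func saveToLibrary(_ image: UIImage, completion: @escaping (Bool) -> Void) {
        PHPhotoLibrary.requestAuthorization(for: .addOnly) { status in
            guard status == .authorized else {
                DispatchQueue.main.async { completion(false) }
                return
            }
            PHPhotoLibrary.shared().performChanges({
                PHAssetChangeRequest.creationRequestForAsset(from: image)
            }, completionHandler: { success, _ in
                DispatchQueue.main.async { completion(success) }
            })
        }
    }
}
```

Note that neither path calls `PHPhotoLibrary.requestAuthorization(for: .readWrite)`, which is the request that produces the "full access" or "limited access" choice; an app that only needs to pick or only needs to save can avoid it entirely, which is why the permission an app asks for is a reasonable signal of what it intends to do with the library.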
That made me think, how is it there are groups of political extreme protestors, both anti-Trumpers and MAGA-ers, but no group protesting Zuckerberg's shenanigans in such media-covered fashion?
How is money flowing to make this our reality? I don't pretend to know.
What do you mean by this? Is it because of the embedded browsers that pop up before Chrome/Firefox? I thought that was your own browser in some special session (that hopefully doesn't retain state).
Photo centric apps may choose more extensive APIs, but those require OS-level permissions (the user explicitly giving access)
I would like to remind you that Facebook got its start as a sex pest website.
Or same hijack ad shows some bogus virus scan result, convincing grandma to click. Or drive-by download where it redirects to some infected pdf you end up downloading.
Yes, they all require a click, an install, some action. But it’s so cleverly disguised that unless you’re really diligent, someone’s going to get your credit card.
The worst are the drive-by downloads because a user doesn’t have to do anything. Once the pdf is on the phone, the phone accesses it, releasing the malware.
But I also haven't really tried. I use Photos and the Camera in some of the apps I've written, and fully expect users to be asked. I ask for minimal permissions, as well.
If Meta is bypassing user permission, then that's a truly dire security breach, and Apple needs to bring down the banhammer fast.
Depends on your intentions. Privacy, security?
It looks like there is a separate API for "Private Access to Photos" that is less common than the UX I describe (WhatsApp, Reddit, Twitter, Discord).
Maybe one thing we can agree on is that if apps have to opt-in to the API that's better for users, then we can also blame Apple.
I appreciate your objectivity but they definitely are.
I never understood why Apple allows access to the full address book including all Apple-specific settings such as "spouse" and "home address" that are useful within iOS. There should be a minimal permission mode: name and phone number only.
It allows you to toggle permissions on a per app per permission basis but sadly this toggle doesn't always work.
Still useful knowing how much you get spied on.
This stuck out to me. How are laws like this typically applied? My guess is it's geo-based only, right? That is, take an Illinois resident who spends 99% of her time in her home state - if she travels to California for a weekend, can Facebook (legally) grab her camera roll data during that time? And vice-versa, myself, as a CA resident who spends 99% of his time at home - if I go to Texas for the weekend, Facebook is gonna have to wait until I return home to (legally) access my camera roll?
And why would you give that app full photo access?
I will say that in the event that an app is not using PHPickerViewController, sometimes it's still possible to emulate it by exiting the app, going into the photos app, selecting the photo, selecting the little "send" arrow in the bottom left, and then picking the app to send it to. I do this all the time with the Slack app. Copy-and-paste may be another route. Sure, it's a silly workaround for a feature that should have been there from day one, but c'est la vie.
[0] https://developer.apple.com/documentation/photokit/deliverin...
NONE of these systems were conceived or built with capability security in mind, none of them are even appreciably moving in this direction. None of them provide their developers or users user friendly interfaces for fine grained control and oversight of file system, networking, computing and memory resource usage.
They don't allow developers to hollow out the attack surface of their programs by compartmentalization and reifying rights as objects as CapSec prescribes; they cannot, due to their fundamentally broken architectures, provide powerful guarantees such as: "this part of the code cannot access any other resources and is restricted to pure computation, its only effect will be the result it returns".
That no one is seeing this, listening and learning, is a disgrace, a collective, civilization-scale failure to apply this knowledge. The exploits will continue until we learn. And until user agents and their creators are forced, by choice and by law, to truly act to the best of their ability in the best interest of their user.
We had caffe2 running a small model on the phone to try and select and propose photos for the user to share.
We were trying to offer an alternative sharing model that both made sharing easier, while offering the user the controls that made them feel comfortable with photo suggestions. (for those who never noticed, we launched Moments, which was an app that allowed automatic private sharing of your camera roll with a close selection of friends and family, but the experience wasn't great because it was centered around group events and sharing photos with the people who were there, not connecting with the ones who weren't)
Ultimately, it was scrapped, because we were paranoid that we hadn't come up with a user experience that made it clear that this was happening only on the phone (I think we even tried a notification model), or that we'd accidentally surface someone's boudoir photos, and we were too worried about the kind of knee-jerk reactions that you're seeing in this thread.
I'm guessing that someone at Meta either had a more successful go at the UX, or they feel that the opinions about AI have shifted enough that there will be less fear.
Upon reading the article, it looks like there are two options, one which is local-only, and similar to what we built, and a second one which tries to make better suggestions using online, and that is only enabled after asking the user.
I would suspect that the cloud processing version also runs a local model to attempt to filter out racy photos before sending them to the cloud, but I don't know for sure.
I think the article is a bit disingenuous in its presentation, but it's possible that I'm biased because I know how a similar thing was built, but it definitely sounds like fear-mongering.
If I move to a new state, I typically have a grace period to change the state of registration on my vehicle. I'm not immediately penalized for having out of state plates the very next day but if I get pulled over 3 months after I've moved, I might have a tougher time.
Billions unfortunately! Almost everyone I deal with is. I reckon I'm about the only person I know who is not on one form of social media or another and or deeply involved with Google apps/using its Cloud.
I've banned relatives taking my photo because I know it'll end up on Facebook, Google or others despite my wishes to the contrary. No matter what I say I know they can't help themselves (so does Big Tech—that's its modus operandi).
I've come to the conclusion there's no point trying to convince others about privacy, data mining by Meta et al. All I can do is to try to minimize others spilling my personal data onto Big Tech's data collection highways.
[1] https://developer.apple.com/videos/play/wwdc2023/10053/?time...
Limited access isn’t great UX because it’s not reasonable for users to have to manage a list of photos for every app. The new one is much better, but unfortunately app devs have to opt into it for now.
Signal[1] and a bunch of other apps do use the newer iOS 17 picker.
Original title chosen by the author:
Meta might be secretly scanning your phone's camera roll - how to check and turn it off
- no access
- add photos only - can add photos to the library, but not access photos in the library
- limited access - the app can only access the photos you select
- full access - the app can access everything
Canon used to allow limited access. Now it refuses to work without full access to your photo library.
Honestly, it should allow any of those.
Not sure what I’m missing that means so many apps don’t do this, vastly better UX.
https://github.com/signalapp/Signal-iOS/blob/0151cfdee27cb03...
My idea is that if WhatsApp can't be trusted, once it gets access to any file, it will hold on to it. So revoking access to something it already has won't accomplish all that much, since I've already figured that I can share that file with them.
- Was the main party in the Cambridge Analytica data misuse scandal https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Ana...
- Was responsible for the genocide in Myanmar https://time.com/6217730/myanmar-meta-rohingya-facebook/
- Actually pirated books to train their trash llama AI and lied about it https://arstechnica.com/tech-policy/2025/02/meta-torrented-o...
- Had a sniffer backdoor on Android to track you even through VPN and incognito modes, an approach shared with Yandex
- The CEO repeatedly lied to congress https://www.independent.co.uk/news/world/americas/us-politic...
- They spent billions on the metaverse, which shows how stupid and out of touch they are
And now we are surprised that they are sniffing your photos. Please, I won't be surprised if they sniff your photos even if you don't consent. At this moment it's absolutely clear that they are an adversarial actor which can't be trusted with absolutely anything.
They have been running a sniffer agent on localhost so they can track you over VPN and incognito. Why are people still using Meta crap? They are a surveillance/spyware company.
They have all these amenities on top of their huge paychecks (high cost of living in San Francisco notwithstanding). Do you really think they’d give all that up in service of helping their lessers? Maybe some would, but how much of this extravagant lifestyle would they give up? Even those who identify as liberal, how much would they give up?
The reason why I said this is because it's not part of the advertising team. The advertising team can do all sorts of shit because it makes them money. The rest of the company has more constraints.
The ads pricks are not the ones that have to ask the app store to let them back on, when one of the builds gets tagged as non-compliant.
Now, it's not impossible, but unlikely. If it was something to do with Ads, I'd be less sure.
I send my parents photos of my daughter and they probably just end up being scanned by their Meta/Google apps and trained on. Whereas I try to take precautions.
You literally can't opt out of face scanning if somebody else has taken or has access to a photo of you. I should be able to delete my face data, or when it detects it's me it shouldn't train.
> We Care About Your Privacy
> We and our 924 partners store and access personal data, like browsing data or unique identifiers, on your device.
No, you don't...