Facebook knows when you copy a link, even if the app is closed.
Now accidentally posting an embarrassing or private link is as easy as a couple of clicks. The feature responsible runs in the phone’s background, allowing the data-hungry social media site to keep tabs on users’ activity even when the app is not running.
The feature, likely rolled out during Facebook’s latest mobile update on Oct. 7, is not available on all devices.
“This feature is currently testing with a small percentage of people who use Facebook for iPhone,” Facebook spokesperson Daniel Harrison told The Daily Beast.
I am among this sample group, a fact I noticed when Facebook suggested I post the link to a recipe for “30-minute quinoa chili” for all my friends. I had copied the link with little intent of sharing it with my high school classmates, coworkers, and cousins. But more troubling was the single-use password I had copied earlier that day, information Facebook might have been privy to given their new snooping powers.
Harrison says Facebook’s access to copied text is neither new nor troubling.
iOS, Apple’s operating system for the iPhone, allows apps to access the clipboard, where copied text is stored. Facebook’s new feature takes the technology a step further, pulling copied text from the clipboard into your browser.
“Facebook is not able to see what the link is, only that there is text that fits the standard URL format,” Harrison said, adding that Facebook does not save users’ information after it has been removed from the clipboard.
This recognition software prevents the app from scraping text that does not look like a URL, like passwords or emails, Harrison said. It’s not a perfect system, though: broken or fake links like “FacebookHasAccessToMyData.com” are still automatically recommended for posts.
Facebook may be the newest app to spy on your clipboard but it is not the first.
“Many iOS apps can access the clipboard and do something similar to what you’re describing. For instance, Flipboard,” cybersecurity blogger Graham Cluley said. “Doesn’t sound untoward to me.”
Other privacy experts aren’t as nonchalant, especially because the option was implemented without warning, requests for permissions, or options for users to disable it.
“...Other stuff I’m likely to copy and paste is content I can’t remember, things like passwords (from a password management app) or one-time PINs,” Christian Frichot wrote in a blog post. “To assume that the Facebook app would do something malicious with this content is silly. But the fact that their app (and any other app) can access that content without user-interaction or permission is slightly unnerving.”