SCORE ONE FOR APPLE?

Last week, in the wake of Facebook's Cambridge Analytica scandal, a New Zealand developer named Dylan McKay downloaded all of his personal data from Facebook and made a disturbing discovery:

 


That tweet inspired Ars Technica reporter Sean Gallagher to go digging to see if Facebook was collecting people's call records as a matter of course, and how Facebook could gather this data in the first place. 

Gallagher downloaded his own Facebook data archive — which anyone can do from their Facebook settings page — and found that Facebook had "call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata."

Facebook has long asked users for access to their phone contacts, in order to make relevant friend recommendations. But monitoring who you call and text, and when, goes way beyond scraping your contacts list to find out who you know. 

Gallagher found that lax Android standards had, for years, allowed Facebook to scrape the call records of anyone who downloaded the Facebook mobile app and allowed it to read their contacts. And even after Google updated its operating system to prevent apps from gathering call and text records by default, a loophole allowed Facebook to continue scraping those records until last fall.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago — specifically before Android 4.1 (Jelly Bean) — that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 — the point at which the latest call metadata in Facebook users' data was found. Apple iOS has never allowed silent access to call data.

[Ars Technica]
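The permission behavior described in that passage can be checked from an app's decoded manifest. The following is an added example, not code from Ars Technica, Facebook or Google; it assumes Android's documented rule that an app whose minSdkVersion and targetSdkVersion are both 15 or lower and which holds READ_CONTACTS (or WRITE_CONTACTS) is implicitly granted READ_CALL_LOG (or WRITE_CALL_LOG), and that SDK levels appear as integers. The sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SPLIT_API = 16  # API level at which call-log access got its own permissions
IMPLIED = {
    "android.permission.READ_CONTACTS": "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CONTACTS": "android.permission.WRITE_CALL_LOG",
}

# Constructed sample manifests (decoded XML), not taken from any real app.
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MODERN_MANIFEST = LEGACY_MANIFEST.replace('targetSdkVersion="15"', 'targetSdkVersion="26"')


def implied_call_log_permissions(manifest_xml):
    """Return call-log permissions the app holds without declaring them."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # Android defaults: minSdkVersion -> 1, targetSdkVersion -> minSdkVersion.
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", 1))
    target_sdk = int(attrs.get(ANDROID + "targetSdkVersion", min_sdk))
    if max(min_sdk, target_sdk) >= SPLIT_API:
        return []  # the app must request call-log access explicitly
    declared = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    return sorted(
        implied for contact, implied in IMPLIED.items()
        if contact in declared and implied not in declared
    )


if __name__ == "__main__":
    for label, xml in (("legacy", LEGACY_MANIFEST), ("modern", MODERN_MANIFEST)):
        print(label, implied_call_log_permissions(xml))
```

A non-empty result means the contacts prompt the user saw also covered call-log access that the manifest never names.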

Now, if you download Facebook Messenger on Android, you'll get a message asking if you want to "Continuously upload info about your contacts like phone numbers and nicknames, and your call and text history." It looks like this:

 via Facebook

When Ars Technica asked Facebook about its history of scraping call records, a spokesperson pointed out that these days, call logging is opt-in. But in that statement, and in a blog post responding to Ars Technica's reporting, Facebook didn't address its alleged history of collecting people's call and text records by default when they allowed the app to read their contacts.

Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.

[Facebook]

Ars Technica's reporting pretty clearly indicates that this information has not always been opt-in only. By refusing to clearly explain why unwitting Facebook users found their call records in their personal data archives, Facebook seems to be falling back on its habit of responding to data concerns in face-saving, but not entirely transparent, ways.

To be fair, Google also bears some blame for this controversy — as Business Insider's Shona Ghosh points out, "it isn't clear why Android ever allowed this level of data tracking to begin with."

L.V. Anderson is Digg's managing editor.
