Facebook Scraped Call, Text Message Data For Years From Android Phones

An anonymous reader quotes a report from Ars Technica: This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us -- my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata. In response to an email inquiry about this data gathering by Ars, a Facebook spokesperson replied, "The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts." The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago -- specifically before Android 4.1 (Jelly Bean) -- that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 -- the point at which the latest call metadata in Facebook user's data was found. Apple iOS has never allowed silent access to call data. You are able to have Facebook delete the data it collects from you, "but it's not clear if this deletes just contacts or if it also purges call and SMS metadata," reports Ars. Generally speaking, if you're concerned about privacy, you shouldn't share your contacts and call-log data with any mobile application.

Re:Welcome, all your base are belong to us

[burtosis]

Has back doors for government access (and probably without due process)

In the slim chance case it didn't, it does now. Any government from any country now can get it no questions asked.

but it's not clear if this deletes just contacts

[zdzichu]

If you are not sure what is deleted, just wait 2 months. Then GPDR will come into force and FB will have to DELETE everything upon request. Or cease functioning (the fines are gargantuan).
This is of course if you live in civilised world where the regulation have force. If you live outside EU – tough luck, consider moving.

Re: Blame the API...

When you visit your aunt's house for Thanksgiving dinner you are given full access to her house. That doesn't mean you should sneak into her bedroom during the football game after dinner and dig through her dresser drawers. That's essentially what you are saying it is okay for Facebook to do.

Re:no great suprise

[iamhassi]

I find ANDROID'S behavior to be weird and creepy, and that is why I have always avoided them. And the whole thing just seems completely useless and pointless.

Fixed that for you because really this is a Android problem, not Facebook, because Android is the one that allows developers to request all this and store it. Apple didn't have this problem. How many other apps are still stealing android user data?

Corrections... Apple ahead on security from start

[SuperKendall]

Google has been ahead of Apple on this except for control over specific permissions.>

Wrong, they have always been way, way behind, as I will illustrate.

When installing an app on Android, it showed you a list of which permissions the app wanted

How is something that everyone will agree to and you cannot individually control "ahead"? On Apple prior to iOS6 you ALSO knew exactly what an app could or could not access.

If you didn't like how much stuff the app wanted access to, you could choose to cancel the app's install before it ever began. Apple didn't add this capability until 2012.

WRONG. That is true of contacts but even from the start Apple has specific controls around some access, in particular location data. iOS 6 just expanded those permissions to Calendars, Reminders, Contacts, and Photos - a welcome addition as that was just when apps were starting to abuse contact access.

But even before then Apple was still way ahead because they ACTUALLY VETTED APPS. There was far less a chance an app was doing something shady, because Apple was reviewing apps and monitoring network traffic...

But even past THAT point, Apple was way ahead because apps never had phone/SMS access AT ALL until recently, so they could not be monitoring every call or text, period.

Neither will let you deny an app permission to access the Internet (using up your cellular data quota).

WRONG AGAIN. For *any* app on iOS you can specify if it may use cellular data. I forget when that was introduced but I think it was a long time ago.

Another issue has been apps which the carrier installs on your device (I assume they're paid to do it) which you can't uninstall.

Which we should all remember, Apple has never allowed carriers to do...

Also, note that none of these restrictions apply to the OS themselves. e.g. Apple has harvested iOS users' location data in the past>

Well you certainly are on a roll because that is ALSO WRONG. You had to agree to share analytic data with Apple for it to collect any data whatsoever, much less location data.

(they buried the request for permission in the EULA for an iOS update)

Instead of being wrong I'm going to label this bullshit as it's a question that is asked after an iOS update, on a screen with only that question. Hardly "buried".

lets you deny it permission if you want.

Well you seem to be implying Apple does not let you opt out. WRONG. You can always opt out of sharing data with Apple.

The fundamental issue I have with your post is that it paints a picture of Android being in any way acceptable for a non-technical person to use from a security standpoint. It is not now, nor has it EVER been safe to let a non-technical person use an Android device, full stop. If you are pushing your friends and family who are not technically astute to use Android, you are putting them in grave risk - because they WILL do things like install Facebook and have every call/text monitored, and probably they have far more shady apps collecting the same data....