Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Scraped Call, Text Message Data For Years From Android Phones (arstechnica.com)

Posted by BeauHD on from the book-of-secrets dept.

An anonymous reader quotes a report from Ars Technica: This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us -- my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata. In response to an email inquiry about this data gathering by Ars, a Facebook spokesperson replied, "The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts." The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago -- specifically before Android 4.1 (Jelly Bean) -- that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 -- the point at which the latest call metadata in Facebook user's data was found. Apple iOS has never allowed silent access to call data. You are able to have Facebook delete the data it collects from you, "but it's not clear if this deletes just contacts or if it also purges call and SMS metadata," reports Ars. Generally speaking, if you're concerned about privacy, you shouldn't share your contacts and call-log data with any mobile application.

4 of 158 comments (clear)

  1. App permissions by nitehawk214 · · Score: 5, Interesting

    This is why you look at the app permissions before installing and app. I was the only person I know that said, "Hmm, why does Facebook need to read my call history and contact lists?"

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
    1. Re:App permissions by squiggleslash · · Score: 4, Interesting

      People generally ignore what comes up because stock Android until recently didn't let you say "Oh, Facebook wants access to my call history huh? Well, I'll install it but not let it have that. Even now, rather than fail gracefully, Android tells the app that it's been denied a privilege so it can refuse to work until you give it what it demands.

      For Facebook users, the option was no app, or trust Facebook. Which, to be fair, they were already doing, so it's not surprising they installed the app anyway.

      The fact Facebook did use that permission, and does share that information with third parties, means at this point something more than a "Well, a small group of IT professionals interested in privacy who don't use Facebook anyway are doing to close our accounts! That'll fox them!" token gesture needs to be done. Maybe pressure on Google to ban the Facebook app completely?

      Of course, there's a reason Google won't do this. With anti-trust lawyers scrutinizing their every move, the prospect of Google refusing to give rights to a rival that it has for itself - even though it has those rights legitimately, I mean, how's the phone app supposed to work without your call history? - probably means their lawyers will ban any hint of action against Google.

      --
      You are not alone. This is not normal. None of this is normal.
  2. Privacy policy by phantomfive · · Score: 4, Interesting

    The Facebook privacy policy says they will access your address book, but it doesn't say they will access your call data. It seems like they are going beyond what they are saying they will do. That's kind of weird, because you expect their lawyers to be on top of this kind of stuff.

    Not that anyone reads the privacy policy.

    It's really hard for me to feel outrage about this......something that's been a problem for years, and now they went a little farther so you are worried?

    --
    "First they came for the slanderers and i said nothing."
  3. Blame the API... by cob666 · · Score: 3, Interesting

    I'm not a big fan of Facebook, although I do use it at times to keep in contact with some friends and relatives.

    The story makes it sound as though Facebook was doing something underhanded and nefarious. They were ONLY doing what the API allowed them to do. Where is the anger toward Google for allowing this type of access in their API? I'm not sure how the Android version of Facebook works, but when you install the iOS version, it explicitly asks you if you want to give the app access to your contact list, you DO have the option to decline.

    --
    Do what thou wilt shall be the whole of the Law - Aleister Crowley