Facebook Scraped Call, Text Message Data For Years From Android Phones

An anonymous reader quotes a report from Ars Technica: This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us -- my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata. In response to an email inquiry about this data gathering by Ars, a Facebook spokesperson replied, "The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts." The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago -- specifically before Android 4.1 (Jelly Bean) -- that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 -- the point at which the latest call metadata in Facebook user's data was found. Apple iOS has never allowed silent access to call data. You are able to have Facebook delete the data it collects from you, "but it's not clear if this deletes just contacts or if it also purges call and SMS metadata," reports Ars. Generally speaking, if you're concerned about privacy, you shouldn't share your contacts and call-log data with any mobile application.

Facebook is broken

[Pieroxy]

And it has been from the beginning. Zuckerberg called his first few thousand users "dumb fucks" for trusting him with their data, and that's how he's built the whole thing: screw people and their data.

Now it shows.

What surprises me the most is how this did not happen before.

Re:Facebook is broken

[PolygamousRanchKid+]

What surprises me the most is how this did not happen before.

What surprises me the most . . . is that I am NOT surprised at these recent revelations. It's exactly what I suspecting that Facebook was doing, "under the covers" . . .

However, I am certain, that in the coming days, something Facebook is doing WILL be revealed that will surprise me. Oh, and that will probably be something *really* frightening, like:

"Facebook collects data on US military service personnel and sells it to Islamist organizations."

"Facebook tracks location data of Russian dissidents and sells it to the FSB so they can easily find the right person to poison."

Facebook has proven that they will do anything to make a buck, so hey, although those things might sound outrageous . . . they are completely probable in the Facebook universe.

Helping folks hack elections is small fry. Let's just wait and see when the whales get reeled in . . .

It's ever commercial app, not just fb

[magarity]

This is why I had to uninstall my bank's app after a new version demanded access to contact list, etc. I never install the customer loyalty apps from any of the chain stores or restaurants; they all want this stuff and it's too instantaneous to say "oh, just use targeted permissions after installation". Nope; it will suck down your contacts and sms history faster than you can switch over to lock it down.

App permissions

[nitehawk214]

This is why you look at the app permissions before installing and app. I was the only person I know that said, "Hmm, why does Facebook need to read my call history and contact lists?"

Re:App permissions

[squiggleslash]

People generally ignore what comes up because stock Android until recently didn't let you say "Oh, Facebook wants access to my call history huh? Well, I'll install it but not let it have that. Even now, rather than fail gracefully, Android tells the app that it's been denied a privilege so it can refuse to work until you give it what it demands.

For Facebook users, the option was no app, or trust Facebook. Which, to be fair, they were already doing, so it's not surprising they installed the app anyway.

The fact Facebook did use that permission, and does share that information with third parties, means at this point something more than a "Well, a small group of IT professionals interested in privacy who don't use Facebook anyway are doing to close our accounts! That'll fox them!" token gesture needs to be done. Maybe pressure on Google to ban the Facebook app completely?

Of course, there's a reason Google won't do this. With anti-trust lawyers scrutinizing their every move, the prospect of Google refusing to give rights to a rival that it has for itself - even though it has those rights legitimately, I mean, how's the phone app supposed to work without your call history? - probably means their lawyers will ban any hint of action against Google.

Privacy policy

[phantomfive]

The Facebook privacy policy says they will access your address book, but it doesn't say they will access your call data. It seems like they are going beyond what they are saying they will do. That's kind of weird, because you expect their lawyers to be on top of this kind of stuff.

Not that anyone reads the privacy policy.

It's really hard for me to feel outrage about this......something that's been a problem for years, and now they went a little farther so you are worried?

Welcome, all your base are belong to us

[markdavis]

>"Facebook Scraped Call, Text Message Data For Years From Android Phones"

I still fail to understand why this is a surprise to anyone. All this crap has been in the media for years. Can't use fake name, makes links without permission, makes connections with others without asking, sells your data to other companies, sucks up your history from every site you visit, tracks you everywhere you go, watches everything you do, demands your phone number and Email address and other contact information, and demands your face biometric and will just figures it out anyway if you don't give them, tags you in photos- even if you didn't supply them, refuses to actually let you delete things for real, enables bullying, has back doors for government access (and probably without due process), suppresses your free speech, manipulates "news" and data it gives you, takes political stances, annoys you to death, wields unbelievable power, actually depresses and disconnects people from meaningful [real-world] relationships, destroys attention spans, isolates non-participants, etc, etc. Hello people, welcome to Facebook. "All your base are belong to us."

I don't have a FB account. Never have, never will. It is the ultimate in privacy invading spyware. It invades your privacy even if you have never used it. I hope it dies. My advice is disconnect and wipe what you can and and MOVE ON.

Re:Welcome, all your base are belong to us

[burtosis]

Has back doors for government access (and probably without due process)

In the slim chance case it didn't, it does now. Any government from any country now can get it no questions asked.

Re:Nobody forced you to use facebook

[svanheulen]

Do you have friends that use Facebook and do they have your contact info in their phone? If so, I have some bad news for you....

And non-users?

[svanheulen]

I don't even have a Facebook account but plenty of my friends do and I'm sure some of them use Facebook on their phone. So how do non-users get their info removed? This is non-public information that I never agreed to share with Facebook.

but it's not clear if this deletes just contacts

[zdzichu]

If you are not sure what is deleted, just wait 2 months. Then GPDR will come into force and FB will have to DELETE everything upon request. Or cease functioning (the fines are gargantuan).
This is of course if you live in civilised world where the regulation have force. If you live outside EU – tough luck, consider moving.

Corrections... Apple ahead on security from start

[SuperKendall]

Google has been ahead of Apple on this except for control over specific permissions.>

Wrong, they have always been way, way behind, as I will illustrate.

When installing an app on Android, it showed you a list of which permissions the app wanted

How is something that everyone will agree to and you cannot individually control "ahead"? On Apple prior to iOS6 you ALSO knew exactly what an app could or could not access.

If you didn't like how much stuff the app wanted access to, you could choose to cancel the app's install before it ever began. Apple didn't add this capability until 2012.

WRONG. That is true of contacts but even from the start Apple has specific controls around some access, in particular location data. iOS 6 just expanded those permissions to Calendars, Reminders, Contacts, and Photos - a welcome addition as that was just when apps were starting to abuse contact access.

But even before then Apple was still way ahead because they ACTUALLY VETTED APPS. There was far less a chance an app was doing something shady, because Apple was reviewing apps and monitoring network traffic...

But even past THAT point, Apple was way ahead because apps never had phone/SMS access AT ALL until recently, so they could not be monitoring every call or text, period.

Neither will let you deny an app permission to access the Internet (using up your cellular data quota).

WRONG AGAIN. For *any* app on iOS you can specify if it may use cellular data. I forget when that was introduced but I think it was a long time ago.

Another issue has been apps which the carrier installs on your device (I assume they're paid to do it) which you can't uninstall.

Which we should all remember, Apple has never allowed carriers to do...

Also, note that none of these restrictions apply to the OS themselves. e.g. Apple has harvested iOS users' location data in the past>

Well you certainly are on a roll because that is ALSO WRONG. You had to agree to share analytic data with Apple for it to collect any data whatsoever, much less location data.

(they buried the request for permission in the EULA for an iOS update)

Instead of being wrong I'm going to label this bullshit as it's a question that is asked after an iOS update, on a screen with only that question. Hardly "buried".

lets you deny it permission if you want.

Well you seem to be implying Apple does not let you opt out. WRONG. You can always opt out of sharing data with Apple.

The fundamental issue I have with your post is that it paints a picture of Android being in any way acceptable for a non-technical person to use from a security standpoint. It is not now, nor has it EVER been safe to let a non-technical person use an Android device, full stop. If you are pushing your friends and family who are not technically astute to use Android, you are putting them in grave risk - because they WILL do things like install Facebook and have every call/text monitored, and probably they have far more shady apps collecting the same data....