Facebook: You said we could have that Android data

Facebook has pushed back at reports that it scraped call and SMS text message history on Android phones, arguing that users gave them permission to save the contentious logs. The controversy began when Facebook users requested exports of the data the social network had on them; when they opened the download, they discovered years of metadata including call history and more.

Several other Android users have confirmed the findings. Not only were the phone numbers contacted through the Android phone client included, but the names of the contacts, the length of the calls, and whether they were outgoing, incoming, or missed. The log also included text history, despite that not being made through a Facebook app.

Unsurprisingly, given the heightened attention currently around Facebook's approach to privacy, the discovery did not reverberate well among Android users. Facebook was already under attack over earlier policies around its third-party apps API, which had been used to extract the personal data not only of individuals using those apps but, as a surprise to many, all of those individuals' friends on the site too. A cache of such data – amounting to around 50m people – was passed to Cambridge Analytica, the British research firm that has become controversial for its voter targeting work with both the Trump campaign in the 2016 US election and the earlier Brexit vote in the UK.

Now, Facebook insists, it didn't actually do anything wrong with the call and text history logging – indeed, Android owners would've known all about it, had they only read the fine print. "Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android," the company said in a "fact check" today. "Contact importers are fairly common among social apps and services as a way to more easily find the people you want to connect with. This was first introduced in Messenger in 2015, and later offered as an option in Facebook Lite, a lightweight version of Facebook for Android."

The feature in question is used to quickly populate Facebook Messenger or Facebook Lite on Android devices, based on a user's contacts. When an Android user signs up for Messenger or Facebook Lite, or logs into Messenger on their device, they're presented with the option to upload contacts, call, and text history. "This lets friends find each other on Facebook," the company suggests.

Certainly, the option is given to skip that step. In Messenger, as well as enabling it, there are options to "learn more" about the tool, or "not now"; choosing the latter skips to the next step in the configuration process. On Facebook Lite, it can be turned on or skipped.

"If, at any point, you no longer wish to continuously upload this information, you can easily turn this feature off in your settings," Facebook points out today. "You can also to turn off continuous call and text history logging while keeping contact uploading enabled."

Facebook does not, however, give explicit reasons as to why it collects the text and call history data. While it is true that, as the company points out, many messaging apps and social networks use uploaded contacts to speed the process of populating a new friends list, using call and messaging logs is arguably far less common. It also does not make clear during the setup process that contacts upload can be used but without also enabling call and text logging as well, and doing so requires sifting through the settings after the fact.

Certainly, from an End User Licensing Agreement (EULA) standpoint – the contract which Android phone owners agree to when they use the app – Facebook seems to be in the clear. After all, the nature of the contacts uploading system have been detailed there, should anybody care to read through it. From a user-friendliness point of view, however, it's hard to imagine that even a fraction of Facebook users ever went to the effort of reading through the EULA, and it's questionable whether the information the company offered during its setup process was comprehensive enough to make clear to users what, exactly, they were agreeing to.

Facebook insists that the information it stores does not include the contents of calls or messaging, and it promises that the data wasn't sold to third party firms. It's also possible to see what contact data you've uploaded, and delete them through Facebook's site. If, however, you haven't also turned off the continuous uploading setting in the Messenger app or Facebook Lite on your phone, of course, then it will repopulate those contacts. Update: Facebook has told us that deleting those contacts also deletes the call and messaging logs, even though they're not explicitly referred to on the page.

Arguably, though Facebook may well be in the clear legally, the Cambridge Analytica saga has toppled over beyond just the laws around data collection. For all that the EULA details what users can expect in terms of their personal data being uploaded, stored, and shared, lawmakers and privacy advocates have now begun to question whether even that is sufficient given the potential for misuse that data, in aggregate, presents. In Europe, such concerns prompted the passing of the General Data Protection Regulation (GDPR) which will be enforced in May 2018 and that enacts legal requirements for privacy, breach notifications, and more.