Facebook on Android collected call and text message data for years [UPDATE]

In the wake of the latest Facebook scandal, specifically its user data being collected and misused by Cambridge Analytica, it's been discovered that the social network's Android app was able to harvest an alarming amount of call and text message data from users without their explicit knowledge. This took place over several years, even before Facebook's apps offered to track call and text history, thanks to an exploit in one of Android's older permissions APIs.

Dylan McKay of New Zealand was one of the first to discover Facebook's collection of call and text records. He used the social network's option to download a copy of its archive of his data, finding that there was roughly two years of call history from his Android phone, with metadata including contact names, phone numbers, and the length of calls made and received.

Ars Technica confirmed this with its own Facebook data archive, as well as with several Facebook users who had the app installed on Android devices for several years, finding call and message data dated as far back as 2015.

While recent versions of Messenger and Facebook Lite on Android devices have made specific requests for access to call and SMS logs — part of the social network's efforts to improve its friend recommendation algorithm — Facebook may have already been able to access the data for years. Prior to Android 4.1 Jelly Bean, Facebook's Android app asked for contacts permission, and if granted, it also allowed access to call and message data automatically. Android eventually changed the way this permission worked in version 16 of its API.

However, it appears that apps could get around this change by specifying an older version of the Android SDK. This allowed Facebook's API to continue collecting call and SMS logs up until October 2017, when Google retired Android API version 4.
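The permission behaviour described above can be checked from an app's manifest. The following is an added example, not code from Ars Technica, Facebook or Google: it reads a decoded (plain-text XML) AndroidManifest.xml and reports call-log access that an app holds implicitly because it targets an API level below 16. The function names and sample manifests are constructed for illustration, and only the call-log permissions are modelled, not SMS.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SPLIT_API = 16  # API level at which call-log access got its own permissions

# Apps targeting a pre-16 API that hold the key are implicitly granted the value.
IMPLICIT = {
    "android.permission.READ_CONTACTS": "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CONTACTS": "android.permission.WRITE_CALL_LOG",
}

def effective_target_sdk(root):
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1"))
    return int(sdk.get(ANDROID + "targetSdkVersion", min_sdk))

def audit_manifest(xml_text):
    """Report the call-log access an app holds, declared or implicit."""
    root = ET.fromstring(xml_text)
    target = effective_target_sdk(root)
    declared = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    implicit = sorted(
        grant for perm, grant in IMPLICIT.items()
        if target < SPLIT_API and perm in declared and grant not in declared
    )
    explicit = sorted(declared & set(IMPLICIT.values()))
    return {"package": root.get("package"), "target_sdk": target,
            "implicit": implicit, "explicit": explicit}

def sample_manifest(package, uses_sdk, permissions):
    """Build a constructed manifest for the demonstration below."""
    perms = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>'
        for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses_sdk}{perms}</manifest>')

# Constructed samples: old target, missing target, and a current-style manifest.
LEGACY = sample_manifest("com.example.legacy",
    '<uses-sdk android:minSdkVersion="9" android:targetSdkVersion="15"/>',
    ["READ_CONTACTS"])
NO_TARGET = sample_manifest("com.example.notarget",
    '<uses-sdk android:minSdkVersion="14"/>', ["READ_CONTACTS", "WRITE_CONTACTS"])
MODERN = sample_manifest("com.example.modern",
    '<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>',
    ["READ_CONTACTS", "READ_CALL_LOG"])

if __name__ == "__main__":
    for manifest in (LEGACY, NO_TARGET, MODERN):
        print(audit_manifest(manifest))
```

A manifest pulled straight from an APK is in binary form and has to be decoded to text XML before this script can read it.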

A Facebook spokesperson told Ars Technica that Facebook's apps explicitly ask permission to access contacts and other logs, and that it's entirely optional, with users able to delete their contact data using a tool on Facebook's website via web browser. Unfortunately, it's not made clear if choosing to erase this contact data also deletes the metadata from calls and texts.

UPDATE: Facebook has just released a statement to clarify and, in essence, refute the damning report. The gist of its explanation is that this has been an opt-in feature that users have to explicitly agree to and can opt out of at any time. This feature, which Facebook says it uses to help users find who in their contacts are on Facebook, doesn't crawl through the content of messages, nor does the company sell the information. Whether uploading your friends' numbers to Facebook's server without their knowledge, much less their consent, is acceptable is probably still legally debatable. Facebook's setup process, however, pretty much makes it clear what it prefers you to do.

SOURCE Ars Technica