Facebook have been collecting call logs and SMS metadata for several years

Last week, a New Zealand man, @dylanmckaynz dragged back his data archive from Facebook and was surprised to find that the social network has been collecting a lot of information on Android devices. Dylan McKay looked at the stored contacts section before learning that Facebook had been collecting call-related data on his mobile phone for about two years, including names, phone numbers, and the length of time the call was being played.

As shown in the above figure, in order to easily track the user’s phone and messages, Facebook secretly did so before October 2017, using the permission processing of the old Android API.

In addition, many people encountered the same problems as Dylan McKay and discussed with them.

Downloaded my facebook data as a ZIP file

Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD

— Dylan McKay (@dylanmckaynz) March 21, 2018

Foreign media ArsTechnica editor Sean Gallagher, after viewing his profile, found that the included call records (and short MMS, etc.) data even contained some of the Android devices he had used in 2015-2016.

In response to a question from ArsTechnica about the data collection email, a Facebook spokesperson replied that this was to make it easier for apps and service users to make it easier to find the people they wanted to contact.

“The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”

However, the spokesperson pointed out that contact uploads are optional and that this permission is explicitly listed during app installation. If you want to delete contact data in your profile, you can use a tool on your web browser.

It is reported that the phone address book is part of the Facebook friend recommendation algorithm. In the recent Messenger app for Android and Facebook Lite devices, it has made more explicit requests to users to access calls and SMS logs.

Even if the user did not grant permission, Facebook’s mobile apps have been doing this unintentionally for years, because the default permissions handling of old versions of Android (especially before 4.1 Jelly Beans) was flawed.

Up until version 16, the permission structure of the Android API changed. Unfortunately, if the Android application is written to an earlier version of the API, this restriction can be bypassed and Facebook deliberately does so.

Google deprecated Android API 4.0 in October 2017, which is the deadline for the call metadata found in Facebook user data. In contrast, Apple iOS has never allowed silent access to user data.

Update:

Facebook has responded to this and other reports regarding the collection of call and SMS data with a blog post that denies Facebook collected call data surreptitiously.