After the recent Cambridge Analytica scandal, many Facebook users started downloading their archived data files, or a copy of what the social network knows about them. Some are finding concerning information, including their contacts, SMS data, and call history.
The troubling behavior was first revealed by Dylan McKay, a software developer from New Zealand who wrote on Twitter last week that Facebook was collecting more of his data than expected.
a historical record of every single contact on my phone, including ones I no longer have pic.twitter.com/XfiRX6qgHl
— Dylan McKay (@dylanmckaynz) March 21, 2018
“Somehow it has my entire call history with my partner’s mum,” he wrote. “A historical record of every single contact on my phone, including ones I no longer have.”
He said the “chilling” discovery also included metadata on every text message he’d ever received or sent and metadata on cell calls, including time and duration. McKay clarified that he doesn’t use Messenger to handle his SMS messages. He then posted a survey in a Google Doc to determine how many users found similar data in their archived files. The results (which he warns should be taken with a grain of salt) show roughly 20 percent of participants, or 245 users, found call, text, or SMS messages.
After McKay’s tweet thread went viral, worried users ran their own tests. Author Mat Johnson said the archived files Facebook provided contained every phone call and text he’d made for about a year.
Oh wow my deleted Facebook Zip file contains info on every single phone cellphone call and text I made for about a year- cool totally not creepy.
— Mat Johnson (@mat_johnson) March 23, 2018
On Saturday, Security Editor Sean Gallagher at Ars Technica tried it out himself and found Facebook had been collecting call-log data, SMS, and MMS message data on his Android devices from 2015 to 2016. According to his report, Facebook was using the contact data to improve its algorithms. Tom’s Guide writers also dove into their archived files and found Facebook assembled contact info from each of its staffers, including those who use iOS devices.
Here's some of the logged calls from 2016 in my downloaded Facebook data from the period when I was using my BLACKPHONE as my primary phone. pic.twitter.com/bThbhOpqq4
— Sean Gallagher (@thepacketrat) March 23, 2018
Facebook responded to the allegations that it collects data without permission in a dedicated blog post on Sunday, claiming matter-of-factly “this is not the case.” The company explains the call and text logging is part of an opt-in “feature” for people using Messenger or Facebook Lite. It admits to collecting information about when a call or text was made or received but says the contents of these messages are not stored.
“Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provide you with a better experience across Facebook. People have to expressly agree to use this feature.
“If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.”
This appears to explain why some users may not be aware of the call and SMS logging; however, Ars Technica claims the response contradicts the experience of users who shared their archived data with them. McKay told the publication that he only gave Messenger the mandatory permissions needed for download, never explicit consent to collect call or text data.
Even more puzzling is that Gallagher didn’t have Messenger installed on his Android device during the period Facebook was collecting his data. He only had the main Facebook app installed on a Nexus tablet and Blackberry phone and was never given a standalone notification about logging call or text messages.
It appears Facebook first started logging info when Android permissions were less strict, so if users accepted Facebook permissions after downloading the app on an Android 4.1 phone or older, they also gave it permission to access call logs and text messages. This may explain why that information isn’t being collected on iOS devices, where it’s more difficult for an app to exploit permissions.
Facebook claims it began asking explicit permission to log this data in 2015 with a prompt that reads, “continuously upload info about your contacts like phone numbers and nicknames, and your call and text history. This lets friends find each other on Facebook and helps us create a better experience for everyone.”
The social network had initially responded to concerns about data logging with a comment that addressed contact details, but not text messages or call logs.
“The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with,” a spokesperson told Ars Technica. “So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”
There are still a number of questions Facebook has yet to answer, chief among them why the company needs to log call and text data in the first place. It’s also crucial that it addresses whether users were aware of this behavior and what was done to be transparent about its actions.
The revelation comes days after Facebook was publicly shamed for its failure to protect user privacy. It was revealed last week that political data firm Cambridge Analytica harvested the personal information of more than 50 million people. CEO Mark Zuckerberg apologized and said he would be willing to testify in front of Congress.
Per Facebook’s instructions, users can opt out of the data-collecting feature from their settings. If you want to check whether Facebook is harvesting your call and text data, follow these steps to download archived data.
We have reached out to Facebook and will update this article if we hear back.