
Facebook Scraped Call, Text Message Data For Years From Android Phones (arstechnica.com) 158

An anonymous reader quotes a report from Ars Technica: This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years' worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us -- my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata. In response to an email inquiry about this data gathering by Ars, a Facebook spokesperson replied, "The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts." The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago -- specifically before Android 4.1 (Jelly Bean) -- that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 -- the point at which the latest call metadata in Facebook users' data was found. Apple iOS has never allowed silent access to call data.
You are able to have Facebook delete the data it collects from you, "but it's not clear if this deletes just contacts or if it also purges call and SMS metadata," reports Ars. Generally speaking, if you're concerned about privacy, you shouldn't share your contacts and call-log data with any mobile application.
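
The permission split described in the summary above, as an added example (not code from the article, Facebook or the Android project): a Python audit of a decoded, plain-text AndroidManifest.xml that reports the call-log permissions an app receives implicitly because it targets an API level below 16. The sample manifests and package names are constructed, and only the call-log permissions are modelled.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR = "{" + ANDROID_NS + "}"

# API level 16 split the call log out of the contacts permissions. An app that
# targets API 15 or lower and holds the left-hand permission is implicitly
# granted the right-hand one, without declaring it.
SPLIT_AT_API_16 = {
    "android.permission.READ_CONTACTS": "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CONTACTS": "android.permission.WRITE_CALL_LOG",
}

# Constructed sample manifests (not taken from any real application).
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MODERN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.modern">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

NO_TARGET_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notarget">
  <uses-sdk android:minSdkVersion="10"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
</manifest>"""


def sdk_levels(root):
    """Return (min_sdk, target_sdk) with Android's defaults applied:
    minSdkVersion defaults to 1, targetSdkVersion defaults to minSdkVersion."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1, 1
    min_sdk = int(uses_sdk.get(ATTR + "minSdkVersion", "1"))
    target_sdk = int(uses_sdk.get(ATTR + "targetSdkVersion", str(min_sdk)))
    return min_sdk, target_sdk


def audit_manifest(manifest_xml):
    """Report declared, implicit and effective permissions for one manifest."""
    root = ET.fromstring(manifest_xml)
    _, target_sdk = sdk_levels(root)

    declared = {p.get(ATTR + "name") for p in root.findall("uses-permission")}
    declared.discard(None)

    implicit = set()
    if target_sdk < 16:
        for held, granted in SPLIT_AT_API_16.items():
            if held in declared and granted not in declared:
                implicit.add(granted)

    return {
        "package": root.get("package"),
        "target_sdk": target_sdk,
        "declared": sorted(declared),
        "implicit": sorted(implicit),
        "effective": sorted(declared | implicit),
    }


if __name__ == "__main__":
    for manifest in (LEGACY_MANIFEST, MODERN_MANIFEST, NO_TARGET_MANIFEST):
        report = audit_manifest(manifest)
        flag = "REVIEW" if report["implicit"] else "ok"
        print(f"{report['package']} (targetSdk {report['target_sdk']}): {flag}")
        for perm in report["implicit"]:
            print(f"  implicit via pre-16 target: {perm}")
```
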

  • Facebook is broken (Score:5, Insightful)

    by Pieroxy ( 222434 ) on Sunday March 25, 2018 @09:39AM (#56322769) Homepage

    And it has been from the beginning. Zuckerberg called his first few thousand users "dumb fucks" for trusting him with their data, and that's how he's built the whole thing: screw people and their data.

    Now it shows.

    What surprises me the most is how this did not happen before.

    • by PolygamousRanchKid ( 1290638 ) on Sunday March 25, 2018 @10:00AM (#56322853)

      What surprises me the most is how this did not happen before.

      What surprises me the most . . . is that I am NOT surprised at these recent revelations. It's exactly what I was suspecting that Facebook was doing, "under the covers" . . .

      However, I am certain, that in the coming days, something Facebook is doing WILL be revealed that will surprise me. Oh, and that will probably be something *really* frightening, like:

      "Facebook collects data on US military service personnel and sells it to Islamist organizations."

      "Facebook tracks location data of Russian dissidents and sells it to the FSB so they can easily find the right person to poison."

      Facebook has proven that they will do anything to make a buck, so hey, although those things might sound outrageous . . . they are completely probable in the Facebook universe.

      Helping folks hack elections is small fry. Let's just wait and see when the whales get reeled in . . .

    • by Anonymous Coward

      Yes, but also, Android is broken. At least in iOS it's easy to see what apps have access to what, and turn off and on the hook they have into the address book, sms, mic, camera, GPS etc etc etc etc.

      Glad I deleted the Facebook apps off my devices several years ago, I never had a good feeling about the apps or what else they might be up to. If I really want to Facebork from my phone I do it in the browser, yeah it's clunky in some places, but also stops me from using it a whole lot.

      • Exactly this. This is mostly Android's fault, not Facebook's
      • by epine ( 68316 )

        Yes, but also, Android is broken.

        I quickly figured out that the hassle of finding an Android app without obnoxious permission structures (and which remained stable over time) generally exceeded the value of the resulting app.

        I only ever installed two or three apps with access to my contacts (this eliminated most applications). One of those was Google, another was the Pebble watch application. Google probably didn't leak the whole caboodle to a third party (they are too greedy to share). I don't know abou

      • It is *not* broken - you need to give the FB app permission to read contact and SMS data - which most people do because they're stupid. Do we need to add stupidity protection in there too now? Maybe yes...
        • by pjt33 ( 739471 )

          What's broken is that until Android 5 (I think) there was no fine-grained permission control: either you gave an app all of the permissions it asked for, regardless of whether or not they were needed for its core function, or you didn't install the app. It's true that it was functioning as designed, but that doesn't mean that the design wasn't broken.

    • Now it shows.

      What do you mean "Now it shows"? Literally the first thing Facebook messenger says after you open it for the first time is that it wants to take over your calling and SMS functionality on the phone.

      The only thing that is happening "now" is that people see something in the news and suddenly freak out about their phone which they don't understand because they never read a single thing that was displayed to them. This isn't a Facebook problem, it's a retards using Facebook problem.

      Permissions requested, blah b

  • by magarity ( 164372 ) on Sunday March 25, 2018 @09:46AM (#56322799)

    This is why I had to uninstall my bank's app after a new version demanded access to contact list, etc. I never install the customer loyalty apps from any of the chain stores or restaurants; they all want this stuff and it's too instantaneous to say "oh, just use targeted permissions after installation". Nope; it will suck down your contacts and sms history faster than you can switch over to lock it down.

    • by Anonymous Coward

      Fun fact, read my bank's TOS on their "new" mobile app. Two things were particularly disturbing - First, demanding access to addressbook etc, but second was including language that effectively barred any other user from accessing your device. I kid you not. When I asked why this was needed, I was simply told it's the way the banking industry is going. The TOS was a boilerplate from some other bank and the address book requirements were to "make it easier to send funds". ......

      To make matters worse, I d

    • by c ( 8461 )

      Nope; it will suck down your contacts and sms history faster than you can switch over to lock it down.

      LineageOS (formerly Cyanogenmod) with Privacy Guard enabled by default... I don't worry much about apps grabbing my address book anymore.

      That being said, installing the Facebook app is a bad idea. The mobile web site works okay, and I care about my battery life and data usage.

      • That being said, installing the Facebook app is a bad idea. The mobile web site works okay, and I care about my battery life and data usage.

        The mobile website won't do messaging. I'm willing to live without messaging while on my phone, but it's still an annoyance.

        • by c ( 8461 )

          The mobile website won't do messaging.

          Yes, that's one of my favorite features.

        • by Rastl ( 955935 )

          The mobile website won't do messaging. I'm willing to live without messaging while on my phone, but it's still an annoyance

          Request the desktop site and you get your messaging back in the browser.

    • by amiga3D ( 567632 )

      I never use my phone for anything I want private. No banking especially. I don't have a FB account but I do have twitter but had to take the app off my phone. I'm not really especially paranoid but a lot of these apps want to just about take over your phone. I get tired of struggling to make them behave after a while and just delete them. There's no way I'm going to use android for anything I consider sensitive though, I have no way of getting rid of the malware my carrier installed without putting a custom

    • it's too instantaneous to say "oh, just use targeted permissions after installation". Nope; it will suck down your contacts and sms history faster than you can switch over to lock it down.

      Where are you installing apps from? When you install an app from the Google Play store, it doesn't launch automatically and you can set the permissions before you launch it for the first time. There is no "faster than you can switch over."

    • This is why I had to uninstall my bank's app after a new version demanded access to contact list

      Having access to the contact list is how many bank apps "Split the bill" functionality works. The cleverer apps even integrate with WhatsApp knowing that in some countries SMSes are useless.

      Personally I prefer to have legal protections of my privacy rather than having to carefully curate my experience with every company out there.

  • App permissions (Score:5, Interesting)

    by nitehawk214 ( 222219 ) on Sunday March 25, 2018 @09:48AM (#56322805)

    This is why you look at the app permissions before installing an app. I was the only person I know that said, "Hmm, why does Facebook need to read my call history and contact lists?"

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Sunday March 25, 2018 @10:12AM (#56322901)
      Comment removed based on user account deletion
      • by Mitreya ( 579078 )

        People generally ignore what comes up because stock Android until recently didn't let you say "Oh, Facebook wants access to my call history huh? Well, I'll install it but not let it have that." Even now, rather than fail gracefully, Android tells the app that it's been denied a privilege so it can refuse to work until you give it what it demands.

        So what you are saying that the problem isn't fixed even now? Your first sentence makes it sound like Android has recently fixed this error -- but notifying the app causes the same problem.

        For Facebook users, the option was no app, or trust Facebook.

        True for all apps. I don't have Facebook app, but there are other apps (Uber/Lyft/WhatsApp) that I actually needed.
        It's an outrage that my options are still trust the app or no app at all.

      • The fact Facebook did use that permission

        Except the Facebook right up front tells you why it used that permission and doesn't even try to hide that it wants to take over as the primary Call and SMS provider on your phone.

        This is pure outrage by people who don't read the first screen that pops up when they hit the little message button.

        • Comment removed based on user account deletion
        • by shilly ( 142940 )

          You're being too kind to FB and too harsh on users. The FB app asks users if they will let it *access* their contacts, and links this request to *helping them find their friends on FB*. It allows them to assume that this is *all* it wants to access their contact for. They assume good intent, and more or less that means "FB wants to look through my contacts *once* to find my friends who are on FB". That is completely reasonable, and completely different from what FB actually was saying, which was "we want yo

          • Facebook does not need 'regulating' because that just hardens up the market they are in, making it harder for competing services to enter.

            Facebook needs to be broken up. If they want to be an 'identity' company that indexes everybody, that is a service they can provide so long as they are open, and other Social Network companies can plug into their identity services.

            The social network part of Facebook should be split away into a separate company.

            If the Identity entity can't be self-sustaining without the So

            • by shilly ( 142940 )

              I see "breaking up FB" as just a pretty dramatic example of regulation.

              • Oh, I would certainly agree. It's not the kind of 'regulation' that Mark wants. But seriously, Facebook bills itself as an authentication service for all kinds of third parties. In some ways they are THE authentication service. Which is a monopoly situation that makes what Microsoft has done in the past look like a bunch of pikers.

          • and too harsh on users.

            No. I can never be too harsh on users. Users should be repeatedly bashed over the head until they stop blindly clicking "next" or okay to every dialogue that pops up, or worse, on windows, that little X in the top right meaning they've now got no idea what the system did in response.

            Facebook isn't the problem, and if we punish Facebook they'll just be replaced by yet another thing that has the same problem. Case in point: I gave my girlfriend a real earful after she installed a crappy little Disney game th

            • by shilly ( 142940 )

              Users should be repeatedly bashed over the head until they stop blindly clicking "next"

              I appreciate the purity of your position, but I suspect you may be waiting quite a long time...

              • I fully expect to die before it happens. I hope it's ironic like my next of kin clicks the X button when presented with "Are you sure you wish to turn off life-support."

    • They'd try to get around permissions.

      I had fake honeypot contacts when I first installed the app. The installer at the time had no option to disable contact collecting. There was an option in the app. So the app collected that info during install before you could get to the option based on honeypot hits. At least a few updates reset the app to allow max info collection. With auto updates, FB would again begin grabbing info silently and transparently.

      I must say I'm stunned, just stunned to hear allegation
      • It's not just Facebook. Google has been doing this for quite a while. The first time you turn on your phone, it wants to sync your contacts to google. I found this very annoying. Your contacts will get synced so fast, before you have a chance to do anything, it's already there.

        Then remember Google plus? The damn thing started suggesting for me contacts from reading my emails, contacts and phone history. It even picked out phone numbers that were not on my contacts list as suggested people I add from Google

        • by shilly ( 142940 )

          Apple servers know which devices (and associated phone numbers) are iOS devices. There's no scraping going on.

      • Comment removed based on user account deletion
  • Privacy policy (Score:5, Interesting)

    by phantomfive ( 622387 ) on Sunday March 25, 2018 @09:56AM (#56322835) Journal
    The Facebook privacy policy says they will access your address book, but it doesn't say they will access your call data. It seems like they are going beyond what they are saying they will do. That's kind of weird, because you expect their lawyers to be on top of this kind of stuff.

    Not that anyone reads the privacy policy [facebook.com].

    It's really hard for me to feel outrage about this......something that's been a problem for years, and now they went a little farther so you are worried?
    • It seems like they are going beyond what they are saying they will do.

      Really? Because when I installed the app it said it wanted to outright become the call and SMS app on the phone. I'm not sure how you imagine this would work if they don't have access to call / message history.

      Someone didn't read the first screen presented to them. I assume all these people who are upset at this were too busy clicking "next" trying to get to their Facebook feed because they were desperate to see how many likes their stupid share had gotten.

  • by Anonymous Coward on Sunday March 25, 2018 @09:59AM (#56322851)

    To be fair, this is well known. If you install the Facebook App on your phone you are granting Facebook carte blanche to hoover up everything on your phone - and even listen to your calls. If people choose to ignore the "advisory" notes that go with the installation and select grant permissions to access everything anyway...then what else do they expect?

  • Blame the API... (Score:4, Interesting)

    by cob666 ( 656740 ) on Sunday March 25, 2018 @10:02AM (#56322863)
    I'm not a big fan of Facebook, although I do use it at times to keep in contact with some friends and relatives.

    The story makes it sound as though Facebook was doing something underhanded and nefarious. They were ONLY doing what the API allowed them to do. Where is the anger toward Google for allowing this type of access in their API? I'm not sure how the Android version of Facebook works, but when you install the iOS version, it explicitly asks you if you want to give the app access to your contact list, you DO have the option to decline.
    • by Anonymous Coward

      The permissions were fixed in the app store and sideloaded/preloaded apps, like facebook often was, had whitelisted access by default.

      Most of the major carriers not only preloaded facebook, but in some cases made it an internal app, meaning you couldn't delete it off your device unless it was jailbroken (you could disable it, but carrier updates or other changes seemed to cause it to reenable itself.)

      I spent a great deal of time upon making the transition to smartphones replacing stock firmware images precis

    • Re: Blame the API... (Score:2, Informative)

      by Anonymous Coward

      When you visit your aunt's house for Thanksgiving dinner you are given full access to her house. That doesn't mean you should sneak into her bedroom during the football game after dinner and dig through her dresser drawers. That's essentially what you are saying it is okay for Facebook to do.

    • Google has been ahead of Apple on this except for control over specific permissions. When installing an app on Android, it showed you a list of which permissions the app wanted [androidforums.com]. If you didn't like how much stuff the app wanted access to, you could choose to cancel the app's install before it ever began. Apple didn't add this capability until 2012.

      2012 (iOS 6) was also when Apple added the ability to decline giving an app a specific permission. So you could install an app but deny it a certain permiss
      • by SuperKendall ( 25149 ) on Sunday March 25, 2018 @01:09PM (#56323737)

        Google has been ahead of Apple on this except for control over specific permissions.

        Wrong, they have always been way, way behind, as I will illustrate.

        When installing an app on Android, it showed you a list of which permissions the app wanted

        How is something that everyone will agree to and you cannot individually control "ahead"? On Apple prior to iOS6 you ALSO knew exactly what an app could or could not access.

        If you didn't like how much stuff the app wanted access to, you could choose to cancel the app's install before it ever began. Apple didn't add this capability until 2012.

        WRONG. That is true of contacts but even from the start Apple has specific controls around some access, in particular location data. iOS 6 just expanded those permissions to Calendars, Reminders, Contacts, and Photos - a welcome addition as that was just when apps were starting to abuse contact access.

        But even before then Apple was still way ahead because they ACTUALLY VETTED APPS. There was far less a chance an app was doing something shady, because Apple was reviewing apps and monitoring network traffic...

        But even past THAT point, Apple was way ahead because apps never had phone/SMS access AT ALL until recently, so they could not be monitoring every call or text, period.

        Neither will let you deny an app permission to access the Internet (using up your cellular data quota).

        WRONG AGAIN. For *any* app on iOS you can specify if it may use cellular data. I forget when that was introduced but I think it was a long time ago.

        Another issue has been apps which the carrier installs on your device (I assume they're paid to do it) which you can't uninstall.

        Which we should all remember, Apple has never allowed carriers to do...

        Also, note that none of these restrictions apply to the OS themselves. e.g. Apple has harvested iOS users' location data in the past

        Well you certainly are on a roll because that is ALSO WRONG. You had to agree to share analytic data with Apple for it to collect any data whatsoever, much less location data.

        (they buried the request for permission in the EULA for an iOS update)

        Instead of being wrong I'm going to label this bullshit as it's a question that is asked after an iOS update, on a screen with only that question. Hardly "buried".

        lets you deny it permission if you want.

        Well you seem to be implying Apple does not let you opt out. WRONG. You can always opt out of sharing data with Apple.

        The fundamental issue I have with your post is that it paints a picture of Android being in any way acceptable for a non-technical person to use from a security standpoint. It is not now, nor has it EVER been safe to let a non-technical person use an Android device, full stop. If you are pushing your friends and family who are not technically astute to use Android, you are putting them in grave risk - because they WILL do things like install Facebook and have every call/text monitored, and probably they have far more shady apps collecting the same data....

    • Where is the anger toward Google for allowing this type of access in their API?

      Why would we be angry about an API that enables so many apps to work exactly as intended?

      They were ONLY doing what the API allowed them to do.

      More importantly the API enabled Facebook to take over phone and SMS functionality, something that it flat out says it wants to do when you first install the app. It would make for a pretty shitty SMS app if it didn't store a message history.

  • by Anonymous Coward on Sunday March 25, 2018 @10:08AM (#56322885)

    it's all your fault for being a fool.

    It's OK though, you can close your account now and move to a more reliable and open alternative. It's been in use for about 100 years and is better in every way. It is called....

    ---> Ham Radio.

    Just got a new antenna, by the way. 6 band cobweb 20-17-15-12-10-6 , it's working great and still have my vertical for 80/40 meters.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Sunday March 25, 2018 @10:35AM (#56322983)
      Comment removed based on user account deletion
      • Yep, that happened to me.

        I have done the obvious thing though. Plant a bunch of false information for them to hoover up as well. Poisoned stalker database is best database.

        When will someone make a web plugin that uses peer to peer to randomize FB cookies between users to screw up all the web metrics?
      • by mohsel ( 2505642 )
        Just like that other crap truecaller.com which is basically a phone contact sharing app. If somebody has your number and uses the app, your contact info will be searchable by all its users, and will be shared as your dumbass contact wrote it.
        It's really sad.
    • GAP Titan DX, and 256' center fed dipole...

  • by markdavis ( 642305 ) on Sunday March 25, 2018 @10:16AM (#56322915)

    >"Facebook Scraped Call, Text Message Data For Years From Android Phones"

    I still fail to understand why this is a surprise to anyone. All this crap has been in the media for years. Can't use fake name, makes links without permission, makes connections with others without asking, sells your data to other companies, sucks up your history from every site you visit, tracks you everywhere you go, watches everything you do, demands your phone number and Email address and other contact information, and demands your face biometric and will just figure it out anyway if you don't give them, tags you in photos- even if you didn't supply them, refuses to actually let you delete things for real, enables bullying, has back doors for government access (and probably without due process), suppresses your free speech, manipulates "news" and data it gives you, takes political stances, annoys you to death, wields unbelievable power, actually depresses and disconnects people from meaningful [real-world] relationships, destroys attention spans, isolates non-participants, etc, etc. Hello people, welcome to Facebook. "All your base are belong to us."

    I don't have a FB account. Never have, never will. It is the ultimate in privacy invading spyware. It invades your privacy even if you have never used it. I hope it dies. My advice is disconnect and wipe what you can and MOVE ON.

  • by Balial ( 39889 ) on Sunday March 25, 2018 @10:26AM (#56322947) Homepage

    Seriously. Google and Facebook are on the same side. Google wants themselves and others to make money from your data.

    Part of Apple's lockdown policy is so that these apps can't hoover every little bit of personal data from your phone. Unlike google, Apple have far more to gain by protecting your privacy.

    • Seriously. Google and Facebook are on the same side. Google wants themselves and others to make money from your data.

      Part of Apple's lockdown policy is so that these apps can't hoover every little bit of personal data from your phone. Unlike google, Apple have far more to gain by protecting your privacy.

      Apple has less fine-grained security than Android does now, and they do steal all your data regardless of how little they gain from it.

  • Can you disable the data harvesting and still install the app to use it? I doubt it. Genuinely curious. I'd try it on my phone to test it but I've got more sense than to use the Facebook app.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Sunday March 25, 2018 @10:44AM (#56323015)
    Comment removed based on user account deletion
    • >"I don't even have a Facebook account but plenty of my friends do and I'm sure some of them use Facebook on their phone. So how do non-users get their info removed? This is non-public information that I never agreed to share with Facebook."

      Answer: You can't

    • This is non-public information that I never agreed to share with Facebook.

      Did you have your friends sign an NDA when you gave them your telephone number? No? In which case your friends made it public information. It's up to you to get them to delete it.

  • by zdzichu ( 100333 ) on Sunday March 25, 2018 @10:49AM (#56323039) Homepage Journal

    If you are not sure what is deleted, just wait 2 months. Then GDPR will come into force and FB will have to DELETE everything upon request. Or cease functioning (the fines are gargantuan).
    This is of course if you live in the civilised world where the regulation has force. If you live outside the EU – tough luck, consider moving.

  • Maybe you should read and think about what applications are asking for what permissions before you go and just click allow. Let's ignore the fact that no one should actually be using unencrypted SMS and unencrypted voice applications.
    • Or... maybe there should be ethical standards (or any existing ones should be enforced) - instead of putting it ALL on the user?
      • There are standards, such that you have to click allow / deny ... very, very, tricky wording. If you don't know why an application wants access to X, don't allow it. I have a few pages' worth of applications that aren't allowed on any of my phones due to permission based issues, because they could not need access to X.
    • Comment removed based on user account deletion
      • If you granted permission to read contacts during Facebook's installation on Android a few versions ago -- specifically before Android 4.1 (Jelly Bean) -- that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017 -- the point at which the latest call metadata in Facebook users' data was found. Apple iOS has never allowed silent access to call data.

        Users had to allow access to contact data. If you don't know exactly why an application needs to have access to X, don't allow it, flat out. There are many, many, many applications that I won't allow on my phone because they simply ask for permissions that they couldn't need access to, for a practical reason. Extending this, who uses unencrypted message application, even for SMS? This entire issue breaks down to users who don't understand what they were doing and why they shouldn't have just clicked al

  • This must be pretty good from the anti-terrorism point of view if you're trying to work out who is a member of a terror network.

  • Damn it, I've never had a Facebork account, so I missed out on getting all my data harvested by shady companies.

    Is there any way that I could send it to them in bulk so I can catch up?

  • by b0s0z0ku ( 752509 ) on Sunday March 25, 2018 @12:26PM (#56323501)
    Do you really need Facebook notifications? If you just want to read FB, go to m.facebook.com on your favorite browser. No snooping app required for it to work, and they don't block messaging and try to get you to install Messenger if you use Opera on Android.
    • by rizole ( 666389 )
      Or just request desktop access on other browsers.
      • Or just request desktop access on other browsers.

        doesn't work anymore on brave. someone told me you can manually go to home.php though.

  • Comment removed based on user account deletion
  • I barely ever check Facebook notifications, however I recently adopted Opera Mini on my mobile phone. This app is preset to show Facebook notifications. That’s how I discovered that a person whom I only contacted by phone and SMS (no mention of them on any file of my computers or tablets) was suggested to me as friend. I always carefully avoid giving access to my address book, and anyway this person is only on my phone (used for tethering).
  • So how do you delete this data without deleting your account? What is the link to the "tool accessible via Web browser?"
  • I predict that the next outrage will be when everyone realises that the FB and messenger apps also slurp WhatsApp messages from that app... (Possibly under the pretext of permission to read SMS Messages....). Remember that WhatsApp messages are only encrypted 'end-to-end' - if you are at one 'end' then you can read them in plaintext.
