Results 1 to 6 of 6

Thread: Facebook scraped call, text message data for years from Android phones

  1. #1
    Administrator Aragorn's Avatar
    Join Date
    17th March 2015
    Location
    Middle-Earth
    Posts
    20,240
    Thanks
    88,437
    Thanked 80,968 Times in 20,254 Posts

    Thumbs Down Facebook scraped call, text message data for years from Android phones

    Source: Ars Technica


    Maybe check your data archive to see if Facebook’s algorithms know who you called.




    This screen in the Messenger application offers to conveniently track all your calls and messages. But Facebook was already doing this surreptitiously on some Android devices until October 2017, exploiting the way an older Android API handled permissions.



    [Update, March 25, 2018, 20:24 Eastern Time]: Facebook has responded to this and other reports regarding the collection of call and SMS data with a blog post that denies Facebook collected call data surreptitiously. The company also writes that it never sells the data and that users are in control of the data uploaded to Facebook. This "fact check" contradicts several details Ars found in analysis of Facebook data downloads and testimony from users who provided the data. More on the Facebook response is appended to the end of the original article below.



    This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years' worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received.




    This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us—my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata.



    Calls I made to my office number to check my voicemail, and from my office number to find my phone, found in my Facebook data archive. In total, there were two years of call data, from the period I used my Blackphone as my primary phone.





    To retrieve a .zip file of your Facebook data, go to your Settings page on Facebook and click the link circled in this screenshot.

    In response to an email inquiry by Ars about this data gathering, a Facebook spokesperson replied, "The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts."

    The spokesperson pointed out that contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser.

    Facebook uses phone-contact data as part of its friend recommendation algorithm. And in recent versions of the Messenger application for Android and Facebook Lite devices, a more explicit request is made to users for access to call logs and SMS logs on Android and Facebook Lite devices. But even if users didn't give that permission to Messenger, they may have given it inadvertently for years through Facebook's mobile apps—because of the way Android has handled permissions for accessing call logs in the past.

    If you granted permission to read contacts during Facebook's installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users' data was found. Apple iOS has never allowed silent access to call data.

    Facebook provides a way for users to purge collected contact data from their accounts, but it's not clear if this deletes just contacts or if it also purges call and SMS metadata. After purging my contact data, my contacts and calls were still in the archive I downloaded the next day—likely because the archive was not regenerated for my new request. (Update: The cached archive was generated once and not updated on the second request. However, two days after a request to delete all contact data, the contacts were still listed by the contact management tool.)

    As always, if you're really concerned about privacy, you should not share address book and call-log data with any mobile application. And you may want to examine the rest of what can be found in the downloadable Facebook archive, as it includes all the advertisers that Facebook has shared your contact information with, among other things.



    Update, March 25, 2018, continued:

    Facebook responded to reports that it collected phone and SMS data without users' knowledge in a "fact check" blog post on Sunday. In the response, a Facebook spokesperson stated:


    "Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provide you with a better experience across Facebook. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only."

    This contradicts the experience of several users who shared their data with Ars. Dylan McKay told Ars that he installed Messenger in 2015, but only allowed the app the permissions in the Android manifest that were required for installation. He says he removed and reinistalled the app several times over the course of the next few years, but never explicitly gave the app permission to read his SMS records and call history. McKay's call and SMS data runs through July of 2017.

    In my case, a review of my Google Play data confirms that Messenger was never installed on the Android devices I used. Facebook was installed on a Nexus tablet I used and on the Blackphone 2 in 2015, and there was never an explicit message requesting access to phone call and SMS data. Yet there is call data from the end of 2015 until late 2016, when I reinstalled the operating system on the Blackphone 2 and wiped all applications.

    While data collection was technically "opt-in," in both these cases the opt-in was the default installation mode for Facebook's application, not a separate notification of data collection. Facebook never explicitly revealed that the data was being collected, and it was only discovered as part of a review of the data associated with the accounts. The users we talked to only performed such reviews after the recent revelations about Cambridge Analytica's use of Facebook data.

    Facebook began explicitly asking permission from users of Messenger and Facebook Lite to access SMS and call data to "help friends find each other" after being publicly shamed in 2016 over the way it handled the "opt-in" for SMS services. That message mentioned nothing about retaining SMS and call data, but instead it offered an "OK" button to approve "keeping all of your SMS messages in one place."

    Facebook says that the company keeps the data secure and does not sell it to third parties. But the post doesn't address why it would be necessary to retain not just the numbers of contacts from phone calls and SMS messages, but the date, time, and length of those calls for years.


    Source: Ars Technica
    = DEATH BEFORE DISHONOR =

  2. The Following 5 Users Say Thank You to Aragorn For This Useful Post:

    Dreamtimer (26th March 2018), Dumpster Diver (26th March 2018), Elen (26th March 2018), enjoy being (26th March 2018), palooka's revenge (26th March 2018)

  3. #2
    Retired Member United States
    Join Date
    7th April 2015
    Location
    Patapsco Valley
    Posts
    14,610
    Thanks
    70,673
    Thanked 62,025 Times in 14,520 Posts
    Grrrr!

  4. The Following 5 Users Say Thank You to Dreamtimer For This Useful Post:

    Aragorn (26th March 2018), Dumpster Diver (26th March 2018), Elen (26th March 2018), enjoy being (26th March 2018), palooka's revenge (26th March 2018)

  5. #3
    Retired Member
    Join Date
    6th August 2015
    Posts
    1,853
    Thanks
    4,608
    Thanked 11,685 Times in 2,094 Posts
    This is just an issue for people with facebook accounts right?
    Last edited by enjoy being, 26th March 2018 at 08:41.

  6. The Following 5 Users Say Thank You to enjoy being For This Useful Post:

    Aragorn (26th March 2018), Dreamtimer (26th March 2018), Dumpster Diver (26th March 2018), Elen (26th March 2018), palooka's revenge (26th March 2018)

  7. #4
    Administrator Aragorn's Avatar
    Join Date
    17th March 2015
    Location
    Middle-Earth
    Posts
    20,240
    Thanks
    88,437
    Thanked 80,968 Times in 20,254 Posts
    Quote Originally posted by Nothing View Post
    This is just an issue for people with facebook accounts right?
    Yes, and specifically, for those who use the Facebook Messenger app for Android. I know a few people who've installed that on their Android smartphones — my brother being one of them.
    = DEATH BEFORE DISHONOR =

  8. The Following 3 Users Say Thank You to Aragorn For This Useful Post:

    Dumpster Diver (26th March 2018), Elen (26th March 2018), palooka's revenge (26th March 2018)

  9. #5
    Retired Member Norway
    Join Date
    2nd July 2015
    Location
    Scotland
    Posts
    5,065
    Thanks
    73,935
    Thanked 23,318 Times in 5,067 Posts
    I was "tricked" to join facebook by getting e-mails from my family to look it up on FB. Well the account is and has been dead and unused ever since...so there it is.

  10. The Following 4 Users Say Thank You to Elen For This Useful Post:

    Aragorn (26th March 2018), Dreamtimer (26th March 2018), Dumpster Diver (26th March 2018), palooka's revenge (26th March 2018)

  11. #6
    Retired Member United States
    Join Date
    2nd December 2015
    Location
    American Southwest (currently)
    Posts
    2,602
    Thanks
    12,814
    Thanked 13,156 Times in 2,620 Posts
    Right. We trust them to have it totally turned off. Oh, and how about the GoogleGestapo boys? We trust them too.

    Robert David Steele sez both of these outfits were financed by the CIA...I wonder why?

  12. The Following 3 Users Say Thank You to Dumpster Diver For This Useful Post:

    Aragorn (27th March 2018), Dreamtimer (26th March 2018), Elen (26th March 2018)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •