When you think there's something lurking in the dark, you turn on the lights. And, now that Facebook's data harvesting, hoarding, and exploitation is being lit up by the internet version of the Bat Signal, more and more problems are being discovered. Most recently: That Facebook was scraping call and SMS logs of Android phone users.
And yes, this is what happens when neither your operating system nor your app care about your privacy.
This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received.
Others reported finding the same, and Ars was able to independently verify the data collection.
If you granted permission to read contacts during Facebook's installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook user's data was found. Apple iOS has never allowed silent access to call data.
People began looking into the records because of the #DeleteFacebook movement, which followed the revelation that the Facebook data of 50 million users was abused by political data firm Cambridge Analytica.
It's unclear whether Facebook's tool to delete contact information would also delete the call and SMS logs. It's also unclear why this was happening, whether Facebook was intentionally scraping the information for exploitation, or whether it was an unforeseen side-effect of the contact sharing implementation. What is clear, though, is that repeated problems like this form a pattern and a pattern of problems makes negligence indistinguishable from malice.
More recent versions of Android should prevent this kind of data collection.
The salient point is, of course, that iOS never allowed it. This type of abuse was simply never possible if you used an iPhone. Apple built it that way on purpose and it protected its users from privacy violations like this before they ever happened.
Google and Facebook's business model allow them to give you a lot of great, convenient services for free. Apple's business model allows them to give you great privacy protections by default.
If you're concerned about any of this, consider how much, if at all, and in what way you want to continue using Facebook or Android. Everything is a tradeoff. Everything has advantages and disadvantages. But for many, those cost of free-as-in-your-data is becoming too high a price to pay.