iPhone protected you from Facebook call scraping. Android, not so much.

When you think there's something lurking in the dark, you turn on the lights. And, now that Facebook's data harvesting, hoarding, and exploitation is being lit up by the internet version of the Bat Signal, more and more problems are being discovered. Most recently: That Facebook was scraping call and SMS logs of Android phone users.

And yes, this is what happens when neither your operating system nor your app care about your privacy.

From ArsTechnica:

This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received.

Others reported finding the same, and Ars was able to independently verify the data collection.

If you granted permission to read contacts during Facebook's installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook user's data was found. Apple iOS has never allowed silent access to call data.

People began looking into the records because of the #DeleteFacebook movement, which followed the revelation that the Facebook data of 50 million users was abused by political data firm Cambridge Analytica.

It's unclear whether Facebook's tool to delete contact information would also delete the call and SMS logs. It's also unclear why this was happening, whether Facebook was intentionally scraping the information for exploitation, or whether it was an unforeseen side-effect of the contact sharing implementation. What is clear, though, is that repeated problems like this form a pattern and a pattern of problems makes negligence indistinguishable from malice.

More recent versions of Android should prevent this kind of data collection.

The salient point is, of course, that iOS never allowed it. This type of abuse was simply never possible if you used an iPhone. Apple built it that way on purpose and it protected its users from privacy violations like this before they ever happened.

Google and Facebook's business model allow them to give you a lot of great, convenient services for free. Apple's business model allows them to give you great privacy protections by default.

If you're concerned about any of this, consider how much, if at all, and in what way you want to continue using Facebook or Android. Everything is a tradeoff. Everything has advantages and disadvantages. But for many, those cost of free-as-in-your-data is becoming too high a price to pay.

○ Video: YouTube
○ Podcast: Apple | Overcast | Pocket Casts | RSS
○ Column: iMore | RSS
○ Social: Twitter | Instagram

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • "It's also unclear why this was happening, whether Facebook was intentionally scraping the information for exploitation, or whether it was an unforeseen side-effect of the contact sharing implementation" Of course it is intentional. How come every time Facebook, Google, Twitter etc… are caught stealing/invading the privacy of users - the invasion always benefits them and not the user. If these liars claim unintentional one would think at least ONCE it would be in the users side. NEVER ONCE. Goggle didn't "intentionally" scoop up peoples private WIFI passwords using they self driving cars. Nope, our software engineers just made a mistake! Facebook, Google, Twitter etc… are evil companies. And Facebook Zuckerberg is the face of evil. He really is. People stop using these corrupt sites.
  • The sites start out as a good idea, to benefit users. Then when they get too much power and too much money, they realise they can make loads more money by scraping as much user data as physically possible. How many new features have come to Facebook/Twitter to benefit users? I can barely think of any. Twitter's increase in character count was nice, but Facebook now just has these annoying auto-playing videos. Facebook modifies their "privacy" settings every now and again, but this isn't a new feature, and I think is just done to make users feel like their privacy is being protected, when it's actually being exploited. Both their mobile apps never tell you what is included in an update, just that "we provide updates to make your experience better". I'm pretty sure most of the time, the app store updates are just to reset the bad ratings.
  • Android fan: "Oh yeah? Well maybe I WANTED Android+Facebook to steal my phone call and SMS data for years, and NOT know that this was happening... Yeah, that's the ticket!"
  • They will always find some argument, even when there are none
  • Android hasn't allowed this to happen in the past few iterations of its software. So what's the point of this article again?
  • Do you know how many people are not running the past few iterations of Android, because of Android's version fragmentation?
  • But... who? On what phones? If your friends and family use 5+ years old phones, you should tell them to upgrade. Also, you cannot take an open-source system and group all devices using it together into one big pile. That's like claiming that Linux is horrible and insecure because you know how many routers and car systems run on an outdated Linux kernel?
  • You're exactly right, matus201.
  • It still happened at some point, though, which was the point that was made. This never happened on iOS
  • Apple users haven’t had a reason to be smug recently. It must be driving them crazy. Let’s just give them his moment. Don’t ruin it for them by using logic.
  • Good thing I responded with logic as well, and didn't resort to crude comments such as yours
  • This last happened on JellyBean--Android 4.1, which is a 5-year-old OS. Android is up to O right now--8.0/8.1.
  • It still happened at some point, though, which was the point that was made. This never happened on iOS.
  • This just highlights the improvements iOS and Android did in the recent years. Finally both systems are catching up to each other (although iOS notifications probably need one more iOS version upgrade to get there). Although I am very happy that my Android phone is finally as secure as other platforms, it's embarrassing how long it took. It's only in the past 3 years that I have full control over permissions. And thanks to Samsung's Knox I can completely isolate any app I want into a secure encrypted container - I can keep using Facebook app, allow it even SMS and Call access, and it won't know what I do with my phone. I can also block any access to Facebook servers system-wide thanks to Knox firewall. Now that is real security, one that you cannot achieve on any other (unrooted and not jailbroken) mobile OS. So yea, it used to be really bad in the Android land, but now the tides completely shifted ;)
  • "Now that is real security, one that you cannot achieve on any other (unrooted and not jailbroken) mobile OS." But you just said Android has caught up to iOS in security, i.e. iOS has already achieved this
  • This is unbelievable.
    This means the police or other prosecuting attorney can subpoena your Facebook data. And they will fine EVERY PHONE CALL you ever made on your Android Phone - including the names of people you called and how long you spoke with them! It is a treasure trove! Even the phone company doesn't have this data.
  • The phone company should have SMS and call logs, since everything that you do in those sectors go through their network. I'm not sure on the legalities behind collecting this data to be used in a court of law, I guess that would require trawling through the T&Cs or privacy policy, but if Facebook says that they do not have a certain piece of data about you, or aren't collecting that data (even if they do have it), they shouldn't be able to provide that data to the court. Otherwise they'd be committing an offence in court by showing evidence that wasn't supposed to exist, or that you weren't informed of that it exists
  • So are you going to update this article with the correct information, or no?
  • Nah, that would require competent journalism instead of fanboyism....
  • What part of this article isn't correct?
  • The incorrect part, according to Facebook, is that the metadata was not gathered by the Facebook app, but by Facebook Messenger. And that it came from and opt-in permission for contact sharing.
    That Rene hasn't provided an update says a lot about the objectiveness of his journalism.
    But we all knew that anyway.
  • I think the point was that there was no need to provide an "opt-in" for contact sharing, hence why iOS didn't allow this. You could say details were omitted because they were superfluous, or because it's objective journalism, but the article is still valid either way
  • "iPhone protected you from Facebook call scraping... by accident" as in not intentionally. That's like saying "Walking protected me from a plane crash". Apple wasn't proactively stopping Facebook from getting this data, Facebook couldn't. Of Android vs iOS, only one of the two comes with it baked in to the OS in the settings app...
  • Where does it say "by accident"? The iPhone protected you on purpose to prevent organizations such as Facebook from doing things like this. Foresight is a wonderful thing, shame Google didn't have it with Android
  • Bah! *shrugs* I guess I'm too cynical of all the tech companies to feel some sense of "shock and betrayal".. I mean, privacy and tech just just seems like such oxymoron to me anyway. I don't trust any company fully because, well, they lie. Maybe that's why I'm just not that surprised. Rene, please consider tempering your choice of words. Apple is no angel, either. The sun hasn't yet fully set on their battery throttling scandal. No company is above missteps.
  • Where can I download the data apple is housing on me like I can with Facebook or see for myself in Google's dashboard?
  • Indeed! If you find out, please let me know. I've had this iPad since December and can't find a trace of transparency on the data Apple has housed on my account.
  • iOS 11.3 made big improvements to data transparency, and you're going to say that?
  • Has 11.3 been released? I just checked and I'm on 11.2.6 and there's no update available as of today.
  • Not yet, I should've said "will make" instead of "made" (I'm too used to being on the Public Betas!), but still Apple are working on making themselves more transparent, and iOS 11.3 will be released very soon.