How Facebook Has Been Harvesting Android Call History And SMS Text Data For Years

The last thing Facebook needs right now is yet another controversy, though one is starting to brew anyway. Already reeling from privacy concerns over the misuse of user data by Cambridge Analytica, a political data research company, it is now coming to light that Facebook has been collecting call history and SMS text messaging data from Android phones for the past several years as well. How and why did this happen?

It all boils down to Android permissions, and how Facebook's mobile app was taking advantage of an earlier versions of Android to collect a surprising amount of sensitive information. Dylan McKay, a software developer in New Zealand, brought the issue to light on Twitter saying he downloaded his Facebook data as a ZIP file and "somehow it has my entire call history with my partner's mum." In looking at his grandmother's data dump, he also discovered that Facebook had been collecting SMS records from 2015 to 2017.
Other Twitter users corroborated his findings, as did Arstechnica's Sean Gallagher, who said his own downloadable data archive contained call log data and text messages "for a certain Android device I used in 2015 and 2016." When Gallagher asked Facebook to explain the situation, he was basically told it's a normal part of the social networking experience designed to make it easier to connect with relevant friends and family members.

"The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts," a Facebooks spokesperson said.

Facebook's spokesperson also pointed out that uploading contact information is optional and that the mobile app explicitly requests permissions to access contacts. What's more, users can delete contact data from their profiles using a tool that is accessible on a web browser.

Fair enough, but what is concerning is how Facebook went about getting these permissions. In earlier versions of Android, and specifically Android 4.1 Jelly Bean and prior, granting permission to read contacts during Facebook's installation also gave it the ability to access call data and messaging logs by default. Google changed this in a later Android API, but even then, Android applications written to earlier versions of the API could continue to harvest data by specifying an earlier Android SDK version. That is what Facebook did up until Google squashed the workaround in version 4.0 of the Android API in October 2017.

This never affected iOS devices because of tighter controls over call and messaging histories, only Android phones. While it doesn't seem to be an issue anymore, it is concerning that Facebook ever did this in the first place, and over a two-year period.


If you want to check your own data archive on Facebook, click on Settings on the top-right of any Facebook page, select Download a copy of your Facebook data at the bottom of the General Account Settings section, and click Start My Archive. 

It will take some time for this process to complete. When finished, Facebook will email you with a link to your download.