Facebook collected call data for years via “Synchronize contacts”
The Facebook Messenger Android app has been collecting metadata about calls and text messages for several years. This was apparently made possible by an older interface of Android, which has since been shut down. Users had activated this with “Synchronize contacts”
Dylan McKay was surprised when he downloaded his personal information on Facebook and looked more closely: It turned out that Facebook had recorded metadata of his calls for two years.
“Somehow Facebook has my entire call history “, the New Zealand developer wrote in a tweet that was retweeted almost 40,000 times and got more than 50,000 likes. In addition to the metadata, Facebook has also stored all of Dylan McKay’s phone contacts, “including those I do not have anymore.”
Downloaded my facebook data as a ZIP file
Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD
— Dylan McKay (@dylanmckaynz) March 21, 2018
Although McKay did not use the Facebook Messenger for SMS, the social network also secured the metadata for sent and received SMS. Other users then also scanned their data archives and discovered metadata about calls and text messages.
Everything is voluntary, everything opt-in
Although Facebook is facing major problems with its data scandal , the company responded rather quickly and wrote in a blog post: “You may have recently seen some reports that Facebook has logged the call and SMS history of people without their permission. That’s not the case.”
Facebook explains that there is a feature on Messenger and Messenger Lite on Android that stores phone data. This “synchronization” helps to find people better and to stay in contact with them. In addition, the “user experience” is improving. But all this happens on an opt-in basis: The users “must expressly agree to use this feature,” said Facebook.
The function can be switched off again at any time. All data collected would be deleted, the company promises. However, Dylan McKay told the Ars Technica that he never allowed the app to access his SMS and call data. He had the Messenger 2015 installed and deleted in between every now and then.
When the sync feature is enabled, Facebook “can also use information by uploading contacts, such as when a call or text message was made or received,” the network writes at the end of its explanation. “This feature does not collect the content of your calls or text messages, your data will be securely stored and will not be sold to third parties.”
In the past, messenger apps could read the calls and messages even if the app’s user had only read access to their phone contacts. By default, Facebook also had access to call and SMS protocols, Ars Technica explains.
Affected are older Android versions up to version 4.1 (Jelly Bean), the permission structure was changed in the Android API later. However, app developers could use the old API to continue capturing metadata. In October 2017, Google has finally turned off the interface, as far as the metadata that Facebook has collected is apparently enough. iOS users were never affected. Silent access to call data is not possible now.
Social apps love address books
Facebook had introduced the optional contact import a few years ago. It’s not uncommon for a social app to import users’ address books so they can find their friends on the platform faster. In Messenger, there is this function since 2015 and also available in Messenger Lite as well.
When a user installs one of the two apps on Android, a note about the feature appears. As an Notification “Your contacts are synchronized continuously, so you can see who is still using the messenger.” A blue button with the text “Activate” switches the function on. If you do not want to, you have to tap on a gray “Not now”.
On an overview page, all logged in Facebook members can see all contacts who have imported the network. Click on “Delete all” to remove the entries. In Android Messenger you can also switch the synchronization on and off later: In the settings menu (accessible via the profile button in the start screen on the top right) under “People” you will find the entry “Synchronize contacts” with the options “Off” or “On”.
Users can download their personal information via the options of Facebook in the “General Account Settings” (“Download a copy of your Facebook data.”). The ZIP archive contains all posts, photos, videos, news, chats, profile info and more.