Facebook caught collecting your Calls metadata and SMSs without you knowing

[GoodBytes]

Ars Technica report that a person from New Zealand found (and confirmed by others) that the Facebook app has been collecting his metadata of his calls and SMS for years. It collect the person names, if the call was incoming or outgoing, phone number, duration of call, SMS messages, and more,  This affects only Android users due to the OS being more open (allowing more things to be possible on the device in exchange)

 

Quote

This past week, a New Zealand man was looking through the data Facebook had collected from him in an archive he had pulled down from the social networking site. While scanning the information Facebook had stored about his contacts, Dylan McKay discovered something distressing: Facebook also had about two years' worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received. This experience has been shared by a number of other Facebook users who spoke with Ars, as well as independently by us—my own Facebook data archive, I found, contained call-log data for a certain Android device I used in 2015 and 2016, along with SMS and MMS message metadata.

 

 

Contacting Facebook about the new finding, Ars received the following answer by a spokesperson:

Quote

The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts. 

 

And adds:

Quote

contact uploading is optional and installation of the application explicitly requests permission to access contacts. And users can delete contact data from their profiles using a tool accessible via Web browser. Facebook uses phone-contact data as part of its friend recommendation algorithm. And in recent versions of the Messenger application for Android and Facebook Lite devices, a more explicit request is made to users for access to call logs and SMS logs on Android and Facebook Lite devices.

 

Ars Technica found that if you gave permission to Facebook app to access your contacts on Android pre-4.1 (Jelly Bean), that permission also granted Facebook access to call and message logs by default. The problem is that if Android app is marked to be coded for 4.1 or earlier, despite being on a new phone, Android gives permission to the app as backward compatibility. So there is a way for Facebook to by-pass the new restrictions, and it looks like they are using it. The better news, is that Google cut support for the legacy app support starting in Oct 2017. So assuming your phone is fully updated with security updates, then Facebook SHOULD not have no more access to all this data. And they confirmed this that the last log they found was from that time.

 

Quote

If you granted permission to read contacts during Facebook's installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users' data was found. Apple iOS has never allowed silent access to call data.

 

 

Now, Facebook did mention about this spying that they have being doing in a blog post, saying:
 

Quote

Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provide you with a better experience across Facebook. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.

 

However, Ars found that this is not true.

Ars says:

Quote

This contradicts the experience of several users who shared their data with Ars. Dylan McKay told Ars that he installed Messenger in 2015, but only allowed the app the permissions in the Android manifest that were required for installation. He says he removed and reinistalled the app several times over the course of the next few years, but never explicitly gave the app permission to read his SMS records and call history. McKay's call and SMS data runs through July of 2017.

In my case, a review of my Google Play data confirms that Messenger was never installed on the Android devices I used. Facebook was  installed on a Nexus tablet I used and on the Blackphone 2 in 2015, and there was never an explicit message requesting access to phone call and SMS data. Yet there is call data from the end of 2015 until late 2016, when I reinstalled the operating system on the Blackphone 2 and wiped all applications.

 

Source: https://arstechnica.com/information-technology/2018/03/facebook-scraped-call-text-message-data-for-years-from-android-phones/?comments=1

 

Now, I don't have Facebook. But with such a news, are you considering switching off your Facebook activity/account, and push your friends to migrate to something else for chatting?

Or will you regardless continue to use Facebook, and if I may ask (for conversation purposes) why?

 

 

[rowlYy]

I mean, does this really, and i mean REALLY surprise anyone? You give them access to so much when you install it, such as calls and text, it would be naive to assume they didn't. Can we Zucc Zuckerberg?

[rowlYy]

4 minutes ago, GoodBytes said:

 

Now, I don't have Facebook. But with such a news, are you considering switching off your Facebook activity/account, and push your friends to migrate to something else for chatting?

Or will you regardless continue to use Facebook, and if I may ask (for conversation purposes) why?

 

 

I try to minimize the information i publicly put into Facebook's Database, and the information they have is information I give out willingly, Metadata harvesting doesn't concern me too much

 

[Jurrunio]

Facebook app chunks on a LOT of battery power back in the past (in the time of iPhone 4), so I got rid of it after about 2 weeks of use.

[mr moose]

4 minutes ago, rowlYy said:

I mean, does this really, and i mean REALLY surprise anyone? You give them access to so much when you install it, such as calls and text, it would be naive to assume they didn't. Can we Zucc Zuckerberg?

It doesn't surprise me, it'st why I never used the facebook app on any phone I have owned,  In fact I will never use any app that asks for permission I do not consider necessary to the function of that app.  Facebook does not need access to my emails, txt or contacts to function. 

[themctipers]

apps in iOS 10 have access to be put in my call logs and have integration with iOS's calling screen

 

 

if I call someone in Telegram, it shows up in my phone app's call log, and it gives me the regular phone call received screen thing..

 

 

 

when I was 11 I allowed facebook to see my contacts, rip.

[straight_stewie]

20 minutes ago, GoodBytes said:

Ars Technica report that a person from New Zealand found (and confirmed by others) that the Facebook app has been collecting his metadata of his calls and SMS for years. It collect the person names, if the call was incoming or outgoing, phone number, duration of call, SMS messages, and more,  This affects only Android users due to the OS being more open (allowing more things to be possible on the device in exchange)

It's not without knowing. When you download the app it asks you for permission to monitor all sorts of things, including calls, texts, microphones, and cameras. You have to select "Allow" or "give app permission" before it will be installed. In addition, any update which changes these permissions re asks you for permission.

[Energycore]

20 minutes ago, GoodBytes said:

Now, I don't have Facebook. But with such a news, are you considering switching off your Facebook activity/account, and push your friends to migrate to something else for chatting?

Or will you regardless continue to use Facebook, and if I may ask (for conversation purposes) why?

I barely use my fb and don't use the Android App (I've only got Messenger Lite, not sure if that app is also compromised).

 

However I do still need my account as it's got some important groups in there.

Can't wait for the last couple of groups to leave the platform so I can live a facebook-less life.

[2FA]

This is why I only turn on the permissions I absolutely need. If I need a permission for some one time use, I'll make sure to turn the permission back off afterwards.

[GoodBytes]

9 minutes ago, straight_stewie said:

It's not without knowing. When you download the app it asks you for permission to monitor all sorts of things, including calls, texts, microphones, and cameras. You have to select "Allow" or "give app permission" before it will be installed. In addition, any update which changes these permissions re asks you for permission.

You want Facebook, hence why you downloaded the app, you WILL click on Allow. Plus, your avg person does not read privacy policies, terms of service, license agreement, and just hit, like on PC, "next", "next", "next", "next" quickly without reading a thing. Same for phones, they hit Allow to use the app. People don't think that Facebook would be tracking them. They don't see Facebook as a malware/spyware, as they are big, trusted and more importantly: theirs friends/family are on it.

[2FA]

Here is the link to the Ruby script for anyone that wants to check their own archive.

https://gist.github.com/dylanmckay/2b191a10068bd87d0fffba242db44b52

[GoodBytes]

2 minutes ago, 2FA said:

This is why I only turn on the permissions I absolutely need. If I need a permission for some one time use, I'll make sure to turn the permission back off afterwards.

But that would be too late, Facebook app (if you did this for the app), can collect all your logs in 1 shot.

[straight_stewie]

1 minute ago, GoodBytes said:

You want Facebook, hence why you downloaded the app, you WILL click on Allow. Plus, your avg person does not read privacy policies, terms of service, license agreement, and just hit, like on PC, "next", "next", "next", "next" quickly without reading a thing. Same for phones, they hit Allow to use the app. People don't think that Facebook would be tracking them. They don't see Facebook as a malware/spyware, as they are big, trusted and more importantly: theirs friends/family are on it

I'm not sure about other countries law, but in the US contractual agreements are generally "buyer beware" if the contractor does not attempt to hide portions of the agreement (and trivially, if the agreement is actually legal to make).

[2FA]

Just now, GoodBytes said:

But that would be too late, Facebook app (if you did this for the app), can collect all your logs in 1 shot.

I was talking in general, I don't give any social media apps any unnecessary permissions ever.

[aselwyn1]

on Android it is very easy for ANY app to collect this data also so be careful

[givingtnt]

[ItsMitch]

Facebook investors must sure do love hearing bad news

[Jito463]

As if I needed yet another reason to never, ever, ever make a Facepuke account (well, apart from the junk one that got blocked).

[Guest]

Who uses a Facebook account anyways apart from your grandma?

[captain_to_fire]

It reminds me that one time, one reason why iPhones are draining battery is because of their excessive background tasks [source here]. Mark Zuckerberg is probably in his office saying "Can you guys give me a break? I have enough problems already. Have you seen the Cambridge Analytica debacle?"

[captain_to_fire]

1 hour ago, GoodBytes said:

Ars Technica found that if you gave permission to Facebook app to access your contacts on Android pre-4.1 (Jelly Bean), that permission also granted Facebook access to call and message logs by default. The problem is that if Android app is marked to be coded for 4.1 or earlier, despite being on a new phone, Android gives permission to the app as backward compatibility.

That sucks because I authorized Facebook at one time to access my contacts way back in 2010 when I owned an Android phone with Android 1.6 Donut and during those times I didn't knew better.

[Mooshi]

Facebook doesn't care about user privacy, this is about as news worthy as saying Microsoft does Windows updates at the most inconvenient times.

[mrchow19910319]

ONLY ON ANDROID LUL

 

[EPENEX]

This has been known for years. If you use Facebook on mobile, and have android, I would recommend MaterialFBook from F-droid. It also has builtin messaging.

[asus killer]

4 hours ago, EPENEX said:

This has been known for years. If you use Facebook on mobile, and have android, I would recommend MaterialFBook from F-droid. It also has builtin messaging.

you can actually remove all those accesses on android, you don't need any app for that.

And it's mostly android OS fault that allows apps to be able to install themselves with all those permissions by default and you have to go through a lot of screens to disable those permissions. Most people obviously just click whatever to install the app and don't even read that and of course will never lose time removing the permissions.