A new report has suggested that Facebook "surreptitiously" harvested contact lists, phone numbers, and call and text history of millions of users who used their Android phones to log in to the platform before Google strengthened Android's privacy settings.
Facebook is in the middle of a huge privacy debate after it was revealed last week that Facebook profiles of millions of users in the US and in the UK were harvested by a data analytics firm to serve the needs of its political clients.
According to a whistleblower who was once employed by data analytics firm Cambridge Analytica, the firm used such profiles to build sophisticated software that could determine the voting behaviour and personality traits of citizens. Facebook CEO Mark Zuckerberg has since admitted that "mistakes were made" and has apologised to Facebook users across the world.
Years of data harvesting
While previous allegations were about firms using the Facebook platform to harvest personal information of millions of people, a new report from Ars Technica has revealed that Facebook itself may have been collecting sensitive personal information such as contact lists, phone numbers, and call and text history of millions of users. The company managed to obtain so much information by exploiting poor privacy settings in older versions of the Android operating system that allowed apps to access call logs on Android devices.
Several Facebook users from across the world told Ars Technica that after viewing their Facebook archives, they observed that the social media behemoth harvested years' worth of phone call metadata from their Android devices, including "names, phone numbers, and the length of each call made or received".
"If you granted permission to read contacts during Facebook's installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default.
"The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users' data was found. Apple iOS has never allowed silent access to call data," wrote Sean Gallagher, Ars Technica's IT and National Security Editor.
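As an added example, not code from Ars Technica, Facebook or Google, the condition Gallagher describes can be checked from the defender's side by auditing an app's manifest: a contacts permission combined with a target SDK below API 16 and no separately declared call-log permission. The sketch assumes a decoded, text-form AndroidManifest.xml; the sample manifests and package names are constructed, and a missing targetSdkVersion is treated as equal to minSdkVersion, which is Android's documented default.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SPLIT_API = 16  # API level at which, per the article, the permission structure changed
READ_CONTACTS = "android.permission.READ_CONTACTS"
READ_CALL_LOG = "android.permission.READ_CALL_LOG"

def audit_manifest(xml_text):
    """Report whether a contacts permission silently covers the call log."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    # Android defaults: minSdkVersion -> 1, targetSdkVersion -> minSdkVersion.
    min_sdk = int(sdk.get(A + "minSdkVersion", 1)) if sdk is not None else 1
    target = int(sdk.get(A + "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    explicit = READ_CALL_LOG in perms
    implicit = READ_CONTACTS in perms and target < SPLIT_API and not explicit
    return {"package": root.get("package"), "target_sdk": target,
            "explicit_call_log": explicit, "implicit_call_log": implicit}

def manifest(pkg, sdk_attrs, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s"><uses-sdk %s/>%s</manifest>' % (pkg, sdk_attrs, uses))

MODERN = 'android:minSdkVersion="16" android:targetSdkVersion="26"'
LEGACY = 'android:minSdkVersion="9" android:targetSdkVersion="15"'
SAMPLES = [  # constructed inputs
    manifest("com.example.legacy", LEGACY, [READ_CONTACTS]),
    manifest("com.example.nodeclared", 'android:minSdkVersion="9"', [READ_CONTACTS]),
    manifest("com.example.modern", MODERN, [READ_CONTACTS]),
    manifest("com.example.explicit", MODERN, [READ_CONTACTS, READ_CALL_LOG]),
    manifest("com.example.nocontacts", LEGACY, ["android.permission.INTERNET"]),
]

def flagged(samples=SAMPLES):
    """Packages whose contacts permission should be reviewed as call-log access."""
    return [r["package"] for r in map(audit_manifest, samples) if r["implicit_call_log"]]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
    print("review:", flagged())
```

Apps that declare the call-log permission explicitly are reported separately, since in that case the access is at least visible in the permission list shown to the user.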
In response, Facebook said that access to contact logs made it possible for users to find people they wanted to connect with, and that the concept of requesting access to contacts is "a widely used practice".
"People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only," the firm added.
Was it really "opt-in"?
According to Gallagher, as well as several Facebook users he spoke to, Facebook's claims are not accurate: even though some users never gave Facebook permission to read SMS records and call history, they still found detailed records of calls made from their phones in their Facebook archives.
According to him, the "opt-in" requirement was part of Facebook's installation package and not a separate notification of data collection, thereby giving users the impression that their data was not being collected. While the data collection has stopped because Google no longer allows apps to access contact lists of Android device users, it is still unclear why Facebook collected detailed call and SMS logs of millions of users.