Ars Technica reports on something not all that surprising considering the Facebook news stories lately. This time it appears for years Facebook has been surreptitiously scraping call, and text message data from Android phones:
If you granted permission to read contacts during Facebook’s installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users’ data was found. Apple iOS has never allowed silent access to call data.
Facebook provides a way for users to purge collected contact data from their accounts, but it’s not clear if this deletes just contacts or if it also purges call and SMS metadata. After purging my contact data, my contacts and calls were still in the archive I downloaded the next day—likely because the archive was not regenerated for my new request.
As always, if you’re really concerned about privacy, you should not share address book and call-log data with any mobile application. And you may want to examine the rest of what can be found in the downloadable Facebook archive, as it includes all the advertisers that Facebook has shared your contact information with, among other things.
Utterly shameful yet entirely unsurprising for one of the most unscrupulous companies on the internet.
Everyone should know the following truism by now: if you are receiving a web-based service for free, you are not the customer but the product. Your data is being monetized, and likely collected in ways you are unaware of, therefore you should be very careful with what data you provide to the platform.