By now, you're probably used to hearing new information every week about how Facebook has abused users' data and violated their privacy. But even if you think nothing the social network has done could surprise you any more, get ready to be shocked: If you're an Android user and agreed to share your contacts with Facebook, it has been keeping track of every phone call you've made or received, and every text you've sent or gotten.
This information has come to light as growing numbers of Facebook members around the world are canceling their memberships and deleting their data from Facebook. The company encourages departing users to download a zip file of their data on Facebook (posts, comments, photos, etc.) before it's deleted from Facebook's servers. Many who have done so and then looked inside the zip files they received have been stunned to see that Facebook was tracking all their cell phone and text message activity, sometimes for several years. Here are a few questions and their very unsatisfying answers:
1. Did we give Facebook permission to do this?
Probably not on purpose. According to Ars Technica, which first uncovered this tracking, when users downloaded the Facebook Android app and/or Facebook Messenger and granted the apps permission to access their contacts, Facebook also gained access to records of their phone calls and text messages and began gathering and storing this data without telling users it was doing so.
Google is partly to blame since its application programming interface (API) automatically granted apps access to this information if users gave permission for the app to see their contacts. Beginning with the Jelly Bean version of Android, Google's API no longer automatically granted that permission. But developers could circumvent this by simply using an older version of the API. Google finally closed that loophole in 2017. (Apple never allowed Facebook to access iPhone and iPad users' call and text data.)
Meanwhile, newer versions of the Facebook Android app now do ask permission to "continuously upload information like phone numbers and nicknames, and your call and text history." Still, those last six words are pretty easy to miss.
2. Can we get our call and text information away from Facebook?
Probably, but not easily. Sean Gallagher, Ars Technica's IT editor, says he went through the steps to have his call and text data removed from Facebook and two days later it was still there.
Another option is to completely delete your Facebook account, which should also delete all your data on Facebook. You'll have to go through several steps to retrieve your data from Facebook (unless you're willing to abandon it all). Then you have to request that Facebook delete your account and all your data. It will ask you several times if you're really sure and then make you wait several days for the deletion to complete. If you visit Facebook any time during those few days, even by accidentally opening the app, then the whole thing will cancel and you'll have to start over again.
3. Has Facebook apologized?
No. The company, and Mark Zuckerberg in particular, have been good about offering apologies and explanations in response to every new scandal, although it took Zuckerberg a while to respond to reports that Cambridge Analytica had accessed data about millions of Facebook users for political advertising purposes.
This time, the company has issued a statement saying it did nothing wrong. For one thing, it emphasizes that while it may be storing data about every phone call and text, including who contacted whom, what time, and how long the conversation was, it did not actually record the content of those conversations and texts. (Is that supposed to make us feel like our privacy has been respected? Apparently Facebook thinks it should.)
Besides, the blog post says, "Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook." It adds: "Contact importers are fairly common among social apps and services as a way to more easily find the people you want to connect with."
Contact importers might be common, but tracking and storing data about every call or text users make and receive is pretty uncommon, or at least I hope it is. Facebook appears to be deliberately ignoring the fact that there's a huge difference between these two things.
4. What is Facebook doing with the data it's collecting about our phone calls and texts?
That's the most disturbing thing about all this. Nobody knows, and Facebook isn't saying. But consider that there are more than 2 billion Facebook users, and more than 2 billion Android users. Those numbers don't dovetail, so there are certainly less than 2 billion people who use Android and have given the Facebook app permission to access their contacts. Still, the numbers likely stretch into the hundreds of millions at least. Retaining several years' worth of phone call and text data for hundreds of millions of people takes quite a lot of storage. It seems unlikely that a sophisticated company like Facebook would invest in all that storage unless it planned to do something with that data.
We'll have to wait to find out what that something is. When we do, I have a feeling we won't like it.