Facebook Accused of Storing Users’ Call and SMS Data

Last week, Facebook found itself at the center of a major scandal. It was revealed that several years ago, the British company Cambridge Analytica managed to obtain information on 50 million Facebook users without their knowledge. The data was collected under the guise of a simple survey, which required participants to log in via Facebook. About 270,000 people took part in the survey, but at the time, the social network’s API allowed the collection of data on their friends as well, ultimately giving the “researchers” information on 50 million people. This data was then used to create psychological profiles and develop personalized advertising.

Since Cambridge Analytica’s main focus is on algorithms for analyzing voters’ political preferences, the data from 50 million Facebook users was used during dozens of election campaigns in various countries around the world. As a result, Facebook was accused of being careless with user data, negligent, and of covering up the incident. Cambridge Analytica was suspected of having ties to intelligence agencies and influencing election results. The world began to discuss the enormous responsibility companies have when users willingly share their personal data—and how valuable this data is for marketers, political scientists, and many others.

At the end of last week, Facebook broke its prolonged silence, and Mark Zuckerberg began issuing apologies on behalf of the company. However, this did not stop a massive campaign on social media, which adopted the hashtag #deletefacebook. Many well-known figures supported the movement to delete Facebook accounts, including WhatsApp co-founder Brian Acton (note that WhatsApp is owned by Facebook, but Acton no longer works there) and even Elon Musk, who deleted the SpaceX and Tesla accounts from Facebook. Amidst this, Facebook faced a wave of lawsuits, and the company’s stock price dropped significantly.

Discovery of Call and SMS Data Collection

While the Cambridge Analytica story was still dominating headlines worldwide, journalists from ArsTechnica and cybersecurity researchers discovered that Facebook had access to even more personal data than previously thought. As the #deletefacebook campaign gained momentum, many experts recommended that users download an archive of all their Facebook data before deleting their accounts. Soon, numerous reports appeared online from people who did just that and were surprised to find metadata about all their calls, SMS, and MMS messages from the past several years. The archives included contact names, phone numbers, call durations, dates, and more.

When ArsTechnica journalists asked Facebook representatives for clarification, the company responded that a key feature of Facebook’s apps and services is to help users connect with others, making it easier to find people they know. To do this, when first logging into a messaging or social app, users are asked for permission to access the contacts stored on their phone. Users can refuse or later delete uploaded contacts through their browser. Obviously, contacts play an important role in Facebook’s friend recommendation algorithms.

It soon became clear why many users were unaware they had granted Facebook all the necessary permissions to track them. The issue only affected users of Android apps. Only recently did Messenger and Facebook Lite apps begin to clearly warn users about their intention to access SMS logs and call history. On older devices with older versions of Android (such as 4.1 — Jelly Bean), granting access to device contacts also implied access to message and call logs. Worse, ArsTechnica found that even after Android developers changed how permissions worked and updated the Android API, Facebook developers deliberately continued using the old version, allowing them to access call and SMS data without openly notifying users.

In response to the new wave of accusations in the media (this time about tracking users with unclear intentions), Facebook published an official statement. The company again emphasized that all permissions for Android apps were granted voluntarily by users, who understood what they were doing. They also highlighted that contacts, call, and message history shared with Facebook can be deleted. Facebook representatives reiterated that the collected information was used so “users could stay connected with people they care about,” and that the metadata supposedly helped improve the Facebook experience.

Interestingly, ArsTechnica journalists are ready to dispute these claims. The publication cites several user stories from people who insist they never gave Facebook apps permission to access call and message logs, never received clear notifications about it, and had no idea the social network was engaging in such activity.