Android users who installed Facebook’s Messenger app on their devices may have had their call and text histories logged for approximately two years, according to a report in Ars Technica.
Ars Technica reported that the issue occurred when certain Android users downloaded Messenger in 2015. Apparently, Facebook started chronicling information related to phone calls and text messages made from their Android devices. Users discovered the data use after they downloaded an archive of their Facebook account data.
One user, Dylan McKay, claimed Facebook had information on the names of his phone contacts, their phone numbers, and the length of time of each call he made with those contacts. He also said Facebook had metadata pertaining to his text messages.
Facebook maintains that users voluntarily opted to grant Facebook permission to access their information.
In a “Fact Check” posted the day after the Ars Technica report, Facebook claims users have been given the option to opt-in (or opt-out) of syncing their Messenger contacts with their phone contacts.
Facebook provided a screencap of the prompt Messenger users are instructed to answer when they download the app. Users are told they can “Text anyone in your phone.” The screenshot also explicitly shows users had to agree to “Continuously upload info about your contacts like phone numbers and nicknames, and your call and text history.” According to Facebook, this “This lets friends find each other on Facebook and helps us create a better experience for everyone.”
The choices are to turn on the option or hit “not now.” For Facebook Lite users on Android, instead of “not now,” they are told they can “skip” the feature.
Facebook’s press release also says that the continuously upload feature can be “easily” turned off by going to users’ “settings” page.
A Facebook spokesperson told Ars Technica it is “a widely used practice to begin by uploading your phone contacts.”
But as Ars Technica cautioned, it may not be that simple:
But even if users didn't give that permission to Messenger, they may have given it inadvertently for years through Facebook's mobile apps — because of the way Android has handled permissions for accessing call logs in the past.
Ars Technica explained that if users gave permission for Facebook to read their contacts before the Android 4.1 (Jelly Bean) update, Facebook could have potentially been able to scrape their call and message information until 2017 “by default.”
However, as Android Center, a website devoted to news about Android, noted:
But that's what this all comes back to in the end: you gave Facebook access to that information. Android's shaky and overly broad permissions settings gave Facebook a massive helping hand to accomplish this, but you installed the app and you pushed the button to allow the permissions as part of the installation. Facebook didn't "steal" anything or operate outside of the parameters set by the Android Market and Google Play, it just used them to their fullest extent.
As the Facebook news release states, users have the ability to delete their contact data by clicking a few button.
The apparent news about Facebook’s data scraping techniques comes as the company’s net favorability rating dropped 28 points since October, according to a Axios survey. Facebook’s raw favorability stands, as of last week, at 48 percent. This decline has mirrored a drop in the firm’s stock price, which peaked at roughly $190 per share in January and is now down about $34 per share -- a nearly 18-percent drop.