After going through the major Cambridge Analytica scandal for the entire last week, Facebook has also been accused of storing call and text history by users who downloaded their account data and noticed that such information was also being stored. Facebook published a post in which it said that contacts, as well as call and text history, are only stored with users’ permission. This seems to happen primarily on Android, but not on iOS, because Google's permission system seems to be allowing it while iOS' doesn't.
How Facebook Stores Contacts And Call/Text History
Many users seem surprised that Facebook uploaded their contacts as well as call and text history from their phones. However, it is likely that they simply didn’t notice when they installed Facebook Messenger that the company was asking them for permission to obtain those details.
After Messenger is installed, Facebook gives you the option to also use SMS text with your contacts. In essence, this makes Facebook Messenger your default SMS application, too. Before you agree, you are given the options of "turn on," “learn more,” or “not now,” as pictured below:
If you chose to turn on the feature, then Facebook will also “continuously upload info your contacts like phone numbers and nicknames, and your call and text history.”
Facebook also said that if you no longer wish to continuously upload that information, you can turn that data sharing off in your settings. You can also turn off continuous call and text history logging while keeping contact uploading enabled.
Facebook is providing users a page where they can also see which contacts you have uploaded to Facebook; you can also delete all the contact data you’ve uploaded to the company’s servers there.
Google’s Role In Facebook’s Data Collection
Facebook’s collection of call and text history so far appears to be happening only on Android, not on iOS. Android has always had a much more lax permission system that has allowed third-party app developers such as Facebook to collect more data than their apps or services require to function.
Starting with Android 8.0, Google required all developers targeting Android 8 devices to specifically name all the permissions they require at runtime:
Prior to Android 8.0 (API level 26), if an app requested a permission at runtime and the permission was granted, the system also incorrectly granted the app the rest of the permissions that belonged to the same permission group, and that were registered in the manifest.For apps targeting Android 8.0, this behavior has been corrected. The app is granted only the permissions it has explicitly requested. However, once the user grants a permission to the app, all subsequent requests for permissions in that permission group are automatically granted.
This may be why Facebook has recently started prompting users with this permission request for call and text history on newer versions of Messenger. It’s possible the company didn’t need to specifically ask for permission to upload call and text records with the old permission system.
However, the fact that Facebook hasn’t yet implemented this data collection feature on iOS, because iOS doesn’t allow most apps to capture call and text history, means that Android’s permission rules may still be too lax. As we saw earlier, Cambridge Analytica was able to gather so much data from Facebook’s platform because of the lax rules the company put in place. This confluence of apathy could pose a danger to many people's privacy.
Platforms Share The Bulk Of Responsibility
There’s no denying that users share some of the blame for allowing their contacts and call and text history to be collected with their own permission, just as they did when they allowed Cambridge Analytica to get not just their data but their friends’ data, too.
However, we ultimately work with what we’re given, which is why the party that should take the bulk of the responsibility for data leaks should be the platform that set the rules for how data can be shared with others.
This applies not just to data gathering, but also to security, encryption, and other software policies. People (and developers) will do what they’ve been enabled by the platform to do, and their data will also be as secure as the platform’s default policies allow it to be.