Facebook scraped call, text message data for years from Android phones

Users downloading their Facebook histories have been startled to find that the company has been collecting call and SMS data. The company has responded by saying users are in control of what's uploaded to Facebook. However, the company also says it's a widely used practice when users first sign in on their phones to a messaging or social media app to begin by uploading the phone's contact list. That data then becomes part of the company's friend recommendation algorithm. On versions of Android before 4.1 (Jelly Bean), the permission to upload the contact list included call and message logs by default; since then the two permissions are separate. As many as half of Android users worldwide are still on older versions of the operating system.

Facebook says the company keeps the data secure and does not sell it to third parties, but doesn't explain why it feels the need to retain the numbers, dates, times, and lengths of calls for years.

Writer: Sean Gallegher
Publication: Ars Technica

What is Privacy International calling for?

People don’t know or control what data is on devices and how it is used by others, and how this can be used against them. In the future, individuals’ data held on technologies and devices can be exploited beyond the control of the individual, to anybody with the authority and capability.

The era where we were in control of the data on our own computers is nearly over. We were once able to access, process, and delete our data on our devices, with few exceptions. Now industry is building an era where devices and services are

  • generating data we cannot control,
  • storing data we cannot access,
  • using systems we cannot monitor, and
  • accessing and sharing data without our knowledge.

Often, there is more data being generated than is necessary for the provision of a service, the functionality of a device, or the clearly-stated business purpose. This excessive generation of data, often done beyond our control, leads to excessive processing, often done without our knowledge, and may exceed the reasonable expectation of users.

Data beyond our control, invisible to the individual

People must be able to know what data is being generated by devices, the networks and platforms we use, and the infrastructure within which devices become embedded.  People should be able to know and ultimately determine the manner of processing. 

Principle 1. People must know