Facebook app

Several Facebook users who downloaded an archive of their Facebook data in the wake of the Facebook-Cambridge Analytica scandal discovered this week that the social network's mobile applications have been recording, in some cases, much more information than most people were expecting.

Logged information includes data on all phone calls made on the phone, the start time of each call, its duration, and the contact's name. The Facebook app did not log phone calls to and from numbers not saved in the phone's address book.

The app also gathered information on all SMS messages sent to or received from contact list entries. Facebook did not record the actual text of the SMS messages.

The phone and SMS scraping behavior was confirmed earlier today by several users on Twitter, Reddit, and HackerNews, but also by this reporter, and an ArsTechnica journalist. In truth, we were all rediscovering something that Zimperium Android security expert Simone Margaritelli had found in January 2017, and detailed in a blog post on Medium (in Italian).

How to download this data and verify yourself

People have noticed this issue only now because of the Facebook-Cambridge Analytica privacy scandal that erupted last weekend, after which many users decided to deactivate or delete their Facebook profiles.

One option during the deletion process is that users can download a backup of all the data Facebook has gathered about the user.

This is the same data that users can download by pressing the "Download a copy of your Facebook data" link that has been recently added to the main Facebook account settings page.

Link in Facebook settings where users can download all their data

Facebook does not log call and SMS metadata by default. Not all accounts that Bleeping Computer checked had this information stored in the Facebook account backup archive.

This data was only collected when users allowed the Facebook app to tap into the user's contact list to find new Facebook friends using the phone numbers stored in the phone's address book.

One of the Twitter users who spotted this weird behavior from the Facebook mobile app also created a Ruby script that analyzes the Facebook backup archive and creates nice summaries.

Script output [Image credit: Dylan McKay]

Reasons unknown why Facebook collected this data

It is unclear, though, why the Facebook app logged metadata for phone calls and SMS messages, as all the data it would need to discover new friends for a user's account was in the contact list alone.

One "theory" would be that Facebook was gathering this information in an attempt to determine which people a user keeps in contact with the most and prioritize updates from those people.

We were on a tight deadline with this story, but we have reached out to Facebook with a request for comment on the exact reasons the company was collecting the timestamps of phone calls and SMS texts and what its purpose was in the grand scheme of things. We'll update the story if we get a response.

UPDATE [March 25]: A Facebook spokesperson responded to our inquiry. We received the same canned statement sent to ArsTechnica. The statement explained why Facebook collected address book info, but not why the company collected phone call and SMS metadata.

But Facebook clarified other things, as well. First, this behavior was only present on the Android version of its mobile app. Second, Facebook specifically asked for permission, although people didn't know the app would scrape phone and SMS metadata. Third, the contact list uploading behavior was optional and could be dismissed, so it was never forced on users. Fourth, it appears the phone call and SMS collection mechanism is tied together with the contact list syncing process. Users can learn here how to disable it, and go here to delete their previously synced data.
