Several Facebook users who downloaded an archive of their Facebook data in the wake of the Facebook-Cambridge Analytica scandal discovered this week that the social network's mobile application has, in some cases, been recording far more information than most people expected.
The logged information includes metadata on phone calls: the start time of each call, its duration, and the contact's name. The Facebook app did not log calls to or from numbers that were not saved in the phone's address book.
The app also gathered metadata on SMS messages sent to or received from contact list entries. Facebook did not record the actual text of the messages.
Oh wow my deleted Facebook Zip file contains info on every single phone cellphone call and text I made for about a year- cool totally not creepy.— Mat Johnson (@mat_johnson) March 23, 2018
Download your Facebook account .zip off their site, unzip it, then go to the HTML folder, open the contact_info.htm file. See records of who you've talked to on your cell—not with the app, just on your regular cellphone—and for how long. https://t.co/l9BDEJu3Hx— Mat Johnson (@mat_johnson) March 23, 2018
Downloaded my facebook data as a ZIP file— Dylan McKay (@dylanmckaynz) March 21, 2018
Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD
The phone and SMS metadata collection was confirmed earlier today by several users on Twitter, Reddit, and Hacker News, and also by this reporter and an Ars Technica journalist. In truth, we were all rediscovering something that Zimperium Android security expert Simone Margaritelli had found in January 2017 and detailed in a blog post on Medium (in Italian).
People have only noticed the issue now because of the Facebook-Cambridge Analytica privacy scandal that erupted last weekend, after which many users decided to deactivate or delete their Facebook profiles.
One option during the deletion process is that users can download a backup of all the data Facebook has gathered about the user.
This is the same data that users can download by pressing the "Download a copy of your Facebook data" link that has been recently added to the main Facebook account settings page.
Facebook does not log calls and SMS metadata by default. Not all accounts that Bleeping Computer checked had this information stored in the Facebook account backup archive.
This data was only collected when users allowed the Facebook app to tap into the user's contact list to find new Facebook friends using the phone numbers stored in the phone's address book.
One of the Twitter users who spotted this behavior in the Facebook mobile app also wrote a Ruby script that parses the Facebook backup archive and produces summaries of the logged data.
It is unclear, though, why the Facebook app logged metadata for phone calls and SMS messages, since the contact list alone contains all the data it would need to discover new friends for a user's account.
One theory is that Facebook gathered this information to determine which people a user keeps in contact with most often, and to prioritize updates from those people.
We were on a tight deadline with this story, but we have reached out to Facebook with a request for comment on the exact reasons the company collected the timestamps of phone calls and SMS messages, and what purpose that data served. We'll update the story if we get a response.
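The kind of analysis that script performs can be reproduced with a short stand-alone parser. The block below is an added example, not the script mentioned above and not Facebook's code. Facebook's real contact_info.htm layout is not described in this article, so the sample markup, the record wording, and the regular expressions that match it are assumptions; the aggregation (per-contact call count, SMS count, total talk time, and first/last logged timestamp) is the part that carries over to any export format once the records are extracted.

```ruby
require 'time'

# Constructed sample export. The real contact_info.htm layout is not described
# in the article; this markup is an assumption so the parser has input to run on.
SAMPLE_CONTACT_INFO = <<~HTML
  <html><body>
  <h2>Call and message history</h2>
  <ul>
    <li>Outgoing call to <b>Alice</b> at 2017-06-01T09:15:00Z (duration 120 s)</li>
    <li>Incoming call from <b>Alice</b> at 2017-06-02T18:40:00Z (duration 45 s)</li>
    <li>Missed call from <b>Bob</b> at 2017-06-03T07:05:00Z (duration 0 s)</li>
    <li>Sent SMS to <b>Bob</b> at 2017-06-03T07:10:00Z</li>
    <li>Received SMS from <b>Alice</b> at 2017-06-04T12:00:00Z</li>
    <li>Outgoing call to <b>Alice</b> at 2017-06-05T21:30:00Z (duration 900 s)</li>
  </ul>
  </body></html>
HTML

# Record patterns for the assumed layout above (adjust to the real file).
CALL_RE = %r{<li>(Outgoing|Incoming|Missed) call (?:to|from) <b>([^<]+)</b> at (\S+) \(duration (\d+) s\)</li>}
SMS_RE  = %r{<li>(Sent|Received) SMS (?:to|from) <b>([^<]+)</b> at (\S+)</li>}

# Extract call and SMS records from the export, sorted by timestamp.
def parse_contact_info(html)
  records = []
  html.scan(CALL_RE) do |direction, name, ts, duration|
    records << { kind: :call, direction: direction.downcase.to_sym, contact: name,
                 at: Time.iso8601(ts), duration: duration.to_i }
  end
  html.scan(SMS_RE) do |direction, name, ts|
    records << { kind: :sms, direction: direction.downcase.to_sym, contact: name,
                 at: Time.iso8601(ts), duration: 0 }
  end
  records.sort_by { |r| r[:at] }
end

# Per-contact summary: counts, total talk time, and the span of logged activity.
def summarize(records)
  summary = Hash.new do |h, contact|
    h[contact] = { calls: 0, sms: 0, talk_seconds: 0, first: nil, last: nil }
  end
  records.each do |r|
    s = summary[r[:contact]]
    if r[:kind] == :call
      s[:calls] += 1
    else
      s[:sms] += 1
    end
    s[:talk_seconds] += r[:duration]
    s[:first] = r[:at] if s[:first].nil? || r[:at] < s[:first]
    s[:last]  = r[:at] if s[:last].nil?  || r[:at] > s[:last]
  end
  summary
end

def summarize_contact_info(html)
  summarize(parse_contact_info(html))
end

if __FILE__ == $0
  # Pass the path of an unzipped export as the first argument; otherwise use the sample.
  html = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CONTACT_INFO
  summarize_contact_info(html).sort_by { |_, s| -s[:talk_seconds] }.each do |name, s|
    span_days = ((s[:last] - s[:first]) / 86_400).round(1)
    puts format('%-10s calls=%d sms=%d talk=%ds span=%.1f days',
                name, s[:calls], s[:sms], s[:talk_seconds], span_days)
  end
end
```

Sorting by total talk time is what makes the privacy issue concrete: even without message content, a year of timestamps and durations ranks a person's closest contacts quite accurately.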
UPDATE [March 25]: A Facebook spokesperson responded to our inquiry. We received the same canned statement sent to ArsTechnica. The statement explained why Facebook collected address book info, but not why the company collected phone call and SMS metadata.
But Facebook clarified other things as well. First, this behavior was only present in the Android version of its mobile app. Second, Facebook specifically asked for permission, although people didn't know the app would scrape phone and SMS metadata. Third, the contact list uploading feature was optional and could be dismissed, so it was never forced on users. Fourth, the phone call and SMS collection mechanism appears to be tied to the contact list syncing process. Facebook has published instructions on how to disable it and how to delete previously synced data.