Facebook is in the news right now. Perhaps you’ve heard. The social network is currently under extreme scrutiny for the way it has been both gathering and handling user data, wearing away at what was already a frayed trust in the gigantic company. The latest surprise, coming from people downloading their cache of Facebook data, has been that many Android users have unknowingly been providing Facebook access to their call logs and SMS messages for years — and the company was holding onto it all.
Though I’d be happy to be able to expose some unsavory plot, the explanation here is pretty simple: Facebook was just taking advantage of Android’s relaxed permissions model, and we didn’t know any better.
Google has been surfacing app permissions since the Android Market days, but for a majority of its lifetime Android pulled all of these permissions into a single blob that had to be accepted or rejected at the time of installing the app. Accepting the permissions gave apps broad access to what they declared, and denying the permissions meant you just didn’t get to install the app. At the time it was good that Google was at least showing users these permissions, but in hindsight it was clearly too broad and rife with situations where apps could take advantage of the model.
Android let apps broadly access data, so naturally Facebook just declared that it wanted everything.
Enter Facebook, which naturally just declared that it wanted everything. So if you installed the Facebook app and logged in on an early version of Android — this was particularly easy on Jelly Bean and earlier — you were giving access to your call logs and messages by granting access to the “contacts” permission. (You also immediately gave it access to far more, like your microphones and location.) It made sense for Facebook to have access to your contacts, and most apps asked for this permission for one reason or another, but of course this now meant that you had given access to far more than you realized. And so, Facebook kept logs of your calls and messages, because it had your permission to do so, and it wasn’t going to turn away an opportunity to collect more data.
Google made a huge move to fix this with Android Marshmallow in 2015, introducing an on-use permission model. This new system, which we all now benefit from, doesn’t let an app have any permissions at the time of install, and instead prompts the user to grant access to specific areas explicitly when they go to do the action that requires it. Individual permissions can also be revoked at any time, for example if you happen to accidentally tap “allow” for access to the microphone.
But here’s the extra wrinkle that makes this all frustrating: even though that was introduced in 2015, apps were still allowed to target an older version of Android up until mid-2017 that didn’t play by the on-use permission rules. This wide window of backward-compatibility is used to help apps target the widest audience of people, which in this case made sense as throughout 2016 there was still a good number of people using Android Lollipop. But it also meant that even though Marshmallow and later devices were capable of handling the new permissions system, some apps targeted older versions of Android in order to use the old declare-at-install system. Including Facebook.
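To check a device for apps that still sit on the declare-at-install model described above, the sketch below flags packages whose target SDK is below 23 (Marshmallow) and that request call log, SMS or contacts access. It is an added example, not code from the article: the package names are made up, and the input is a constructed, simplified excerpt in the style of `adb shell dumpsys package` output.

```python
import re

# Real Android permission names for the data this article discusses.
SENSITIVE = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}
RUNTIME_MODEL_API = 23  # Android 6.0 Marshmallow introduced on-use prompts

# Constructed, simplified sample; both package names are hypothetical.
SAMPLE_DUMPSYS = """\
Package [com.example.legacysocial] (1a2b3c):
    versionCode=100 minSdk=15 targetSdk=22
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
Package [com.example.modernchat] (4d5e6f):
    versionCode=7 minSdk=23 targetSdk=26
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
"""

def parse_packages(text):
    """Return {package: {"target_sdk": int or None, "requested": set}}."""
    packages, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Package \[([^\]]+)\]", line)
        if header:
            current = packages.setdefault(
                header.group(1), {"target_sdk": None, "requested": set()})
        elif current is not None:
            sdk = re.search(r"\btargetSdk=(\d+)", line)
            if sdk:
                current["target_sdk"] = int(sdk.group(1))
            perm = re.fullmatch(r"\s+(android\.permission\.[A-Z_]+)(?::.*)?", line)
            if perm:
                current["requested"].add(perm.group(1))
    return packages

def install_time_grants(packages, device_api):
    """Sensitive permissions each app receives with no on-use prompt."""
    findings = {}
    for name, info in packages.items():
        # An unknown target SDK is treated as legacy (conservative choice).
        legacy = (device_api < RUNTIME_MODEL_API
                  or (info["target_sdk"] or 0) < RUNTIME_MODEL_API)
        hits = sorted(info["requested"] & SENSITIVE)
        if legacy and hits:
            findings[name] = hits
    return findings
```

On a Nougat device (API 24) only the app targeting SDK 22 is flagged; on a pre-Marshmallow device every app requesting these permissions is.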
Permissions are better and easier to understand now, but the emotional damage is done.
So this confluence of issues meant there was a multi-year period in which Facebook was collecting call log and message information from Android users, even those using Android Marshmallow and Nougat. What we don’t yet know is how exactly Facebook used the information, but you can see how knowing who you spoke with most frequently could just be added to the continuously refined network of connections Facebook maintains. I could easily argue that knowing my call history from 2015 is among the least-valuable of the massive troves of data I’ve poured into Facebook over the years, but it sure is some of the creepiest to collect. But for what it’s worth, my own Facebook data archive contained no call history. So it certainly was possible to have missed this collection window depending on what devices and apps you used.
Thankfully, the current landscape of Facebook apps is far easier to manage in this respect. The main Facebook app has to ask for permission to use your camera and microphone at the time you’re attempting to use them, or to access your contacts list to import phone numbers or share. Facebook Messenger also can’t read your SMS messages unless you explicitly give it access. Theoretically, you can use both of these apps without giving Facebook access to your contacts, calendar, calls and messages today. That’s a good thing.
Facebook didn’t ‘steal’ anything, it just used Android permissions to the fullest extent possible.
But that’s what this all comes back to in the end: you gave Facebook access to that information. Android’s shaky and overly broad permissions settings gave Facebook a massive helping hand to accomplish this, but you installed the app and you pushed the button to allow the permissions as part of the installation. Facebook didn’t “steal” anything or operate outside of the parameters set by the Android Market and Google Play, it just used them to their fullest extent.
Facebook could have — and should have — been clearer about the fact that it wanted to collect your call and message history, but then again it hasn’t been very forthcoming about any of the data it wants to collect. It was kind of an unspoken accepted exchange of your personal information for a tool that let you connect with friends and family. This is just another example of how Facebook perhaps benefited from that exchange more than we did.