Why Facebook's New Scandal Is the Worst of All

Forget Cambridge Analytica. The latest Facebook scandal is worse.

The social network silently logged Android users' call and text histories, didn't tell anyone about it, got caught and now claims that Android users consented to it all along and that every other online service does it too. (Hint: They didn't and most don't.)

Credit: Frederic Legrand - COMEO/Shutterstock

Getting the full picture from Facebook about this practice has been like trying to keep up with a game of three-card monte. The company has been telling part of the truth, then another part of the truth, all while reassuring the public that this highly invasive practice exists for the sake of users who, even if they didn't know it was happening, would have been happy about it if they had.

Facebook could be given the benefit of the doubt about the Cambridge Analytica mess, which might charitably be seen as the result of naiveté and shortsightedness. But the deliberate deception that Facebook is currently engaged in regarding the call-logging controversy should persuade users to never trust anything from the company again.

To catch you up on this brouhaha, several people discovered last week, after downloading their Facebook data in the wake of the Cambridge Analytica publicity, that Facebook had secretly logged calls and texts made from their Android phones. These users didn't remember having given Facebook apps permission to do so.

You didn't know you wanted this

When asked about this, Facebook stated that users had in fact consented to sharing their call and text logs when they agreed to let Facebook see their phones' contact lists. The users weren't informed of that when they installed the apps, but Facebook insists that they should have known.

"The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it's a widely used practice to begin by uploading your phone contacts," read a statement released by Facebook.

"Contact uploading is optional. People are expressly asked if they want to give permission to upload their contacts from their phone — it's explained right there in the apps when you get started. People can delete previously uploaded information at any time and can find all the information available to them in their account and activity log from our Download Your Information tool."

Frankly, that's bogus. People are asked if they want to upload their contact lists, not their entire call and text histories. There's a big difference between the two.

How this was even possible

Furthermore, Facebook doesn't collect text and call logs on iPhones. The only reason it could do so on Android devices, and in some instances still does, is because Android's privacy policies were initially terrible and apps could do almost anything they wanted.

Under Android's old rules, when you gave an app permission to read your contact list, it could also then read your call and text logs. You just didn't know about it.

Google changed this rule in 2012 with Android 4.1 Jelly Bean, but there was a catch. To keep older apps running properly, Android supported the old permissions model for legacy apps until late 2017.

Facebook has some of the best coders and security experts in the world, but for years it seems to have made sure that updates to its Android apps preserved the older software function that enabled it to read user call and text logs. And indeed, several people with devices that never had run older versions of Android nevertheless found that Facebook had their call and text logs right up until the fall of 2017.
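The legacy rule described above can be checked for any app from its manifest. The following is an added example, not code from the article, Facebook or Google: it classifies call-log access from a plain-text `AndroidManifest.xml`, assuming the manifest has been decoded and still carries its `<uses-sdk>` element. It models only the call log, and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
CALL_LOG_SPLIT_API = 16  # Android 4.1: READ_CALL_LOG became a separate permission

def call_log_access(manifest_xml):
    """Return 'explicit', 'implicit' or 'none' for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # Android defaults: minSdkVersion -> 1, targetSdkVersion -> minSdkVersion.
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", 1))
    target = int(attrs.get(ANDROID + "targetSdkVersion", min_sdk))
    if "android.permission.READ_CALL_LOG" in perms:
        return "explicit"
    if "android.permission.READ_CONTACTS" in perms and target < CALL_LOG_SPLIT_API:
        return "implicit"  # legacy app: contacts access carries call-log access
    return "none"

def manifest(package, target, *perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}"><uses-sdk android:minSdkVersion="9" '
        f'android:targetSdkVersion="{target}"/>{uses}</manifest>')

# Constructed samples: same contacts permission, different target API levels.
SAMPLES = {
    "com.example.legacy": manifest("com.example.legacy", 15, "READ_CONTACTS"),
    "com.example.modern": manifest("com.example.modern", 26, "READ_CONTACTS"),
    "com.example.dialer": manifest("com.example.dialer", 26, "READ_CALL_LOG"),
}

def audit(manifests):
    """Map each package name to its call-log access classification."""
    return {pkg: call_log_access(xml) for pkg, xml in manifests.items()}

if __name__ == "__main__":
    for pkg, verdict in audit(SAMPLES).items():
        print(f"{pkg:22} {verdict}")
```

An "implicit" verdict is the case the article describes: the user is shown a contacts prompt, and the call log comes along with it.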

What exactly gets collected

To be clear, logging the calls and texts doesn't mean Facebook has the contents of those communications. It has only when they were made, which phone numbers were involved and how long calls lasted.

But that's plenty. This is metadata, the same kind of information that Edward Snowden revealed the NSA had been collecting from Verizon. Metadata can reveal when you called your mother, when you texted your best friend or when you took a call from someone with whom you've been having a secret affair.

The police normally go to the phone companies when they want to find out when certain calls or texts were made. But the phone companies keep such records for only a few months. Facebook seems to have been keeping them for at least three years. If I were a cop and I knew this, I'd get a warrant for a suspect's Facebook records first.

Facebook now says that call and text logging is only available, and has only ever been available, for Facebook Messenger and Facebook Lite for Android.

That contradicts what several users have found. Sean Gallagher at Ars Technica, whose article on this issue is well worth reading, is sure he'd never installed either app, because neither shows up in his "Installed" list in Google Play. He had installed the regular Facebook app in 2015, and lo and behold, call and text logs show up in his downloaded Facebook files.

Dancing around the truth

Sean's article got a lot of publicity over this past weekend, and in response, Facebook put up a blog post that seems to dance around the truth.

"Call and text history logging … helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook," the post said.

"We introduced this feature for Android users a couple of years ago. Contact importers are fairly common among social apps and services as a way to more easily find the people you want to connect with. This was first introduced in Messenger in 2015, and later offered as an option in Facebook Lite, a lightweight version of Facebook for Android."

Contact importers are indeed common among both Android and iOS apps. But as far as we're aware, uploading users' call and text histories is not. And we're pretty sure that this practice was in the regular Facebook app as well.

Facebook also insists that it doesn't share the call and text logs with, or sell them to, third parties. But it hasn't answered — and we've asked — why it needs the logs at all.

How to make sure your calls and texts aren't logged

The good news is that this logging no longer occurs in the regular Facebook app for Android. Users of Facebook Lite and Messenger for Android can opt out of it — here's how to do it for one, and for the other — although in the case of Messenger, stopping the logging will also stop the syncing of contact lists.

But that doesn't come close to mitigating the enormous breach of trust that Facebook has committed here. You don't know what else the company might be doing behind your back.

If you haven't already done so, delete the Facebook apps on your phone. Use the mobile browser to access the Facebook mobile website in an incognito or private browsing tab, and use Signal, Apple Messages or WhatsApp (owned by Facebook, but less intrusive) as your messaging client.

On the desktop, use a private browsing or incognito window to access Facebook. Otherwise, it'll just track your movements across the internet.

You could just delete your Facebook account, but that's impractical. Instead, take the above steps to minimize what you give to Facebook.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.