Updated March 25 at 10:15 p.m. ET with further comment from Facebook. This story was originally published March 23, and was updated later that day, and twice on March 25.
Facebook's Android app can log calls and text messages, several Facebook users, including one staffer at Tom's Guide, have discovered.
In the wake of the Cambridge Analytica scandal, many Facebook users have been downloading their Facebook posts. Some of them are finding call and text-message logs from 2015 through 2017, although not the actual content of the calls or texts.
It's not clear why no calls or text from 2018, or before 2015, show up on the list. It's also not clear why only some people seem to have their calls and texts logged. We've asked Facebook about this and will update this story when we receive a response. (Update: Some possible explanations are below.)
The issue was brought to light by Dylan McKay, a New Zealand software developer who tweeted Wednesday (March 21) that he'd downloaded his Facebook posts.
"Somehow it has my entire call history with my partner's mum," McKay wrote, "a historical record of every single contact on my phone, including ones I no longer have, metadata about every text message I've ever received or sent and the metadata of every cellular call I've ever made, including time and duration."
McKay pointed out that he didn't use Facebook Messenger to handle his text messages.
Among three Tom's Guide staffers with the Facebook app installed on their phones, only one had call and text logs included in her Facebook data download.
However, all three users got lists of all their contacts from their Android phones. So did users of the iOS Facebook app who'd downloaded their Facebook files.
So far, we can't tell whether the call and text logging is enabled by default.
The technology-news website Boy Genius Report said that users had to opt into a feature called Sync Your Call and Text History in the App Settings section of the Android Facebook App. But we found no such option in two instances of the Facebook app, one freshly installed on a phone running Android 8.0 Oreo and another long installed on a phone running Android 7.1.1 Nougat.
If you are able to find the Sync Your Call and Text History setting on your Android Facebook app, we suggest you make sure it's turned off.
UPDATE Sunday March 25: Facebook responded to our initial query on March 23 with a statement that addressed the uploading of contacts from all Facebook apps, but skirted around the issue of uploading call and text logs to Facebook's servers.
The official Facebook statement we received said:
"The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”
That part of the statement's undeniable. However, the statement goes on to deliberately confuse the issue of giving an app permission to read contacts, which is indeed routine, and the issue of giving an app permission to sync the phone's call and text history with the app's parent company's servers, a practice which is not routine.
"Contact uploading is optional. People are expressly asked if they want to give permission to upload their contacts from their phone -- it's explained right there in the apps when you get started."
It also does not explain why BGR, and a still-extant Facebook help page, explain how to enable or disable text and call logging using the option called Sync Your Call and Text History in the regular Facebook Android app. There does not appear to be such an option in Facebook Lite or Facebook Messenger.
After we asked for clarification, a Facebook representative told us that only the Facebook Lite and Messenger apps had ever uploaded logs of calls and texts. No one we encountered whose text and call logs had been uploaded could remember having given any Facebook app explicit permission to do so.
On Saturday (March 24), Sean Gallagher at Ars Technica posted a story in which he may have found why the call and text logs were uploaded without explicit user permission, and also why Facebook can still legitimately insist that users gave its app permission to do by simply enabling the syncing of contacts:
We asked Facebook to comment on Sean's findings. On Sunday, we received an email from a Facebook rep pointing us to a Facebook blog post that begins:
"You may have seen some recent reports that Facebook has been logging people's call and SMS (text) history without their permission. This is not the case."
The blog post reiterates that call and text logging is part of the contact-syncing permission on Facebook Lite and Messenger, and that it's there only to "help you find and stay connected with the people you care about, and provide you with a better experience across Facebook."
It's really not clear why Facebook would ever need a user's call and text logs; why the logs we've seen end right about when Google deprecated the old Android API; or why, if uploading call and text logs is so crucial to the "better experience across Facebook," this helpful feature isn't available to iOS users.
We've asked Facebook for further comment.
Best Identity Theft Protection Services
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.
Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!
Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.