Updated March 25 at 10:15 p.m. ET with further comment from Facebook. This story was originally published March 23, and was updated later that day, and twice on March 25.
Facebook's Android app can log calls and text messages, several Facebook users, including one staffer at Tom's Guide, have discovered.
In the wake of the Cambridge Analytica scandal, many Facebook users have been downloading their Facebook posts. Some of them are finding call and text-message logs from 2015 through 2017, although not the actual content of the calls or texts.
It's not clear why no calls or text from 2018, or before 2015, show up on the list. It's also not clear why only some people seem to have their calls and texts logged. We've asked Facebook about this and will update this story when we receive a response. (Update: Some possible explanations are below.)
The issue was brought to light by Dylan McKay, a New Zealand software developer who tweeted Wednesday (March 21) that he'd downloaded his Facebook posts.
MORE: How to Stop Facebook From Sharing Your Data
"Somehow it has my entire call history with my partner's mum," McKay wrote, "a historical record of every single contact on my phone, including ones I no longer have, metadata about every text message I've ever received or sent and the metadata of every cellular call I've ever made, including time and duration."
McKay pointed out that he didn't use Facebook Messenger to handle his text messages.
Sean Gallagher, the IT and national security editor at Ars Technica, replicated it himself, finding calls made when he was using a presumably super-secure Silent Circle Blackphone as his main phone.
Among three Tom's Guide staffers with the Facebook app installed on their phones, only one had call and text logs included in her Facebook data download.
However, all three users got lists of all their contacts from their Android phones. So did users of the iOS Facebook app who'd downloaded their Facebook files.
MORE: How to Delete Your Facebook Account
So far, we can't tell whether the call and text logging is enabled by default.
The technology-news website Boy Genius Report said that users had to opt into a feature called Sync Your Call and Text History in the App Settings section of the Android Facebook App. But we found no such option in two instances of the Facebook app, one freshly installed on a phone running Android 8.0 Oreo and another long installed on a phone running Android 7.1.1 Nougat.
If you are able to find the Sync Your Call and Text History setting on your Android Facebook app, we suggest you make sure it's turned off.
UPDATE Sunday March 25: Facebook responded to our initial query on March 23 with a statement that addressed the uploading of contacts from all Facebook apps, but skirted around the issue of uploading call and text logs to Facebook's servers.
The official Facebook statement we received said:
"The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”
That part of the statement's undeniable. However, the statement goes on to deliberately confuse the issue of giving an app permission to read contacts, which is indeed routine, and the issue of giving an app permission to sync the phone's call and text history with the app's parent company's servers, a practice which is not routine.
"Contact uploading is optional. People are expressly asked if they want to give permission to upload their contacts from their phone -- it's explained right there in the apps when you get started."
It also does not explain why BGR, and a still-extant Facebook help page, explain how to enable or disable text and call logging using the option called Sync Your Call and Text History in the regular Facebook Android app. There does not appear to be such an option in Facebook Lite or Facebook Messenger.
After we asked for clarification, a Facebook representative told us that only the Facebook Lite and Messenger apps had ever uploaded logs of calls and texts. No one we encountered whose text and call logs had been uploaded could remember having given any Facebook app explicit permission to do so.
On Saturday (March 24), Sean Gallagher at Ars Technica posted a story in which he may have found why the call and text logs were uploaded without explicit user permission, and also why Facebook can still legitimately insist that users gave its app permission to do by simply enabling the syncing of contacts:
We asked Facebook to comment on Sean's findings. On Sunday, we received an email from a Facebook rep pointing us to a Facebook blog post that begins:
"You may have seen some recent reports that Facebook has been logging people's call and SMS (text) history without their permission. This is not the case."
The blog post reiterates that call and text logging is part of the contact-syncing permission on Facebook Lite and Messenger, and that it's there only to "help you find and stay connected with the people you care about, and provide you with a better experience across Facebook."
It's really not clear why Facebook would ever need a user's call and text logs; why the logs we've seen end right about when Google deprecated the old Android API; or why, if uploading call and text logs is so crucial to the "better experience across Facebook," this helpful feature isn't available to iOS users.
We've asked Facebook for further comment.
Best Identity Theft Protection Services
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.
Good point. We don't know -- we haven't tried that one.
People are just so naive to think that there are real people at the other end of the programs.
System Admins that have access to every bit of information you put on Facebook.
System Admins at any Business have complete control of the Computer and information on them.
I am a System Admin and know what I am talking about as we are the ones that make Group Policy and control how and what can be done on any computer connected to the Server.
There is no such thing as privacy when you use a server connected App, in other words any App that another person can connect to online has to go through a server, the Cloud is not a real cloud it's a server farm not much different to the desktop computer you have at home just larger with terabytes of storage and normally a few more Gigabytes of Memory.
Anything you put to the cloud is there for the world to see, so pictures of your last trip to a nudist Beach or those happy snaps of your children running around with no clothes on in your secluded back yard area are there for any pervert or Paedophile to access with simple hack programs.
Go to any Usenet server and you will find photos hacked from Facebook and Snap chat and all the other Apps that people use on their phones.
I am no hacker never been interested in hacking but there are children with computers connected to the internet that are curious and push the envelope on what should or shouldn't be done.
I have worked for large Companies as a System Admin and also as a Help Desk provider that has remote access to all those that called for help as at times we need to take control of those systems to fix them as the majority of people are pretty stupid and can't follow simple step by step instructions.
When we have remote access it's no different to us being in front of your computer and have total access to everything on your computer, Bank details, your secret photos that you think are hidden in a renamed folder or every Document in your My Documents folder.
Just lucky people don't have anything embarrassing on their personal computers at home isn't it ;)
I don't give my cellphone number out to anybody I don't personally know