The recent news that Facebook has been collecting call records and SMS data from Android devices for years has unsettled a number of Facebook users. Spooked by the recent Cambridge Analytica privacy scandal, individuals have been downloading all the data that Facebook stores on their account. The results have been alarming for some.

Ars Technica reports that Facebook has been requesting access to contacts, SMS data, and call history on Android devices to improve its friend recommendation algorithm and distinguish between business contacts and your true personal friendships. Facebook appears to be gathering this data through its Messenger application, which often prompts Android users to take over as the default SMS client. Facebook has, at least recently, been offering an opt-in prompt that prods users with a big blue button to “continuously upload” contact data, including call and text history.

It’s not clear when this prompt started appearing in relation to the historical data gathering, and whether it has simply been opt-in the whole time. Either way, it’s clearly alarmed some who have found call history data stored on Facebook’s servers.

While the recent prompts make it clear, Ars Technica points out the troubling aspect that Facebook has been doing this for years, during a time when Android permissions were a lot less strict. Google changed Android permissions to make them more clear and granular, but developers could bypass this and continue accessing call and SMS data until Google deprecated the old Android API in October. It’s not yet clear if these prompts have been in place in the past.

Facebook has responded to the findings, but the company appears to suggest it’s normal for apps to access your phone call history when you upload contacts to social apps. “The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with,” says a Facebook spokesperson, in response to a query from Ars Technica. “So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”

The same call record and SMS data collection has not yet been discovered on iOS devices. While Apple does allow some specialist apps to access this data in limited ways like blocking spam calls or texts, these apps have to be specifically enabled through a process that’s similar to enabling third-party keyboards. The majority of iOS apps cannot access call history or SMS messages, and Facebook’s iOS app is not able to capture this data on an iPhone.

Facebook may need to answer some additional questions on this data collection, especially around when it started and whether Android users truly understood what data they were allowing Facebook to collect when they agreed to enable phone and SMS access in an Android permissions dialogue box or Facebook’s own prompt.

In a blog post published Sunday, Facebook clarified how the data collection works and that the feature is opt-in, but the company did not say why it needs the data or what it uses it for. The blog post also fails to address why the data is collected under the auspices of a contact upload.

The data collection revelations come in the same week Facebook has been dealing with the fallout from Cambridge Analytica obtaining personal information from up to 50 million Facebook users. Facebook has altered its privacy controls in recent years to prevent such an event occurring again, but the company is facing a backlash of criticism over the inadequate privacy controls that allowed this to happen. CEO Mark Zuckerberg has also been summoned to explain how data was taken without users’ consent to a UK Parliamentary committee.

Mark Zuckerberg has taken out full-page adverts in several UK and US Sunday newspapers to apologise for the firm’s recent data privacy scandal.

He said Facebook could have done more to stop millions of users having their data exploited by political consultancy Cambridge Analytica in 2014.

“This was a breach of trust, and I am sorry,” the back-page ads state.

It comes amid reports Facebook was warned its data protection policies were too weak back in 2011.

The full-page apology featured in broadsheets and tabloids in the UK, appearing on the back page of the Sunday Telegraph, Sunday Times, Mail on Sunday, Observer, Sunday Mirror and Sunday Express.

In the US, it was seen by readers of the New York Times, Washington Post and Wall Street Journal.

In the advert, Mr Zuckerberg said a quiz developed by a university researcher had “leaked Facebook data of millions of people in 2014”.

“I’m sorry we didn’t do more at the time. We’re now taking steps to make sure this doesn’t happen again,” the tech chief said.

It echoes comments Mr Zuckerberg made last week after reports of the leak prompted investigations in Europe and the US, and knocked billions of dollars off Facebook’s market value.

Mr Zuckerberg repeated that Facebook had already changed its rules so no such breach could happen again.

“We’re also investigating every single app that had access to large amounts of data before we fixed this. We expect there are others,” he stated.

“And when we find them, we will ban them and tell everyone affected.”

The ads contained no mention of the political consultancy accused of using the leaked data, Cambridge Analytica, which worked on US President Donald Trump’s 2016 campaign.

The British firm has denied wrongdoing.

What is the row about?

In 2014, Facebook invited users to find out their personality type via a quiz called This is Your Digital Life, developed by Cambridge University researcher Dr Aleksandr Kogan.

About 270,000 users’ data was collected, but the app also collected some public data from users’ friends without their knowledge.

Facebook has since changed the amount of data developers can gather in this way, but a whistleblower, Christopher Wylie, says the data of about 50 million people was harvested for Cambridge Analytica before the rules on user consent were tightened up.

Mr Wylie claims the data was sold to Cambridge Analytica which then used it to psychologically profile people and deliver pro-Trump material to them during the 2016 US presidential election campaign.

Facebook has said Dr Kogan passed this information on to Cambridge Analytica without its knowledge. And Cambridge Analytica has blamed Dr Kogan for any potential breach of data rules.

But Dr Kogan has said he was told by Cambridge Analytica everything they had done was legal, and that he was being made a “scapegoat” by the firm and Facebook.

Did Facebook get a warning seven years ago?

As first reported in the Sunday Telegraph, Ireland’s Data Protection Commissioner (DPC) warned in 2011 that Facebook’s security policies were too weak to stop abuse, some three years before the breach took place.

Following an audit, the DPC said relying on developers to follow information rules in some cases was not good enough “to ensure security of user data”.

It also said Facebook processes to stop abuse were not strong enough to “assure users of the security of their data once they have third party apps enabled”.

Facebook said it strengthened its protections following the recommendations and was told it had addressed the DPC’s original concerns after a second audit in 2012. The tech firm also said it changed its platform entirely in 2014 with the regulator’s recommendations in mind.

Articles courtesy of BBC & The Verge