If you've ever given Facebook access to your phone contacts, ostensibly as a way to help you find your friends, you may have given away more information than you bargained for. As a New Zealand-based developer discovered, the social media giant collected massive amounts of phone data on some of its users, including call logs with phone numbers and contact info, and metadata like time and location for SMS messages sent and received. As Ars Technica subsequently discovered, the troubling data collection practice extended—for years—to just about any Android user, as long as they gave Facebook access to their contacts at some point.
According to Ars Technica, the data-sharing was the result of a lax feature in Android's API (application program interface) that granted Facebook access to call and message logs by default. Because of a loophole, Facebook was able to keep scraping that data without explicitly asking for permission even once an updated Android API that fixed the issue was released in 2012. It seems this was only an issue with Android's API, and iPhone users were unaffected by the issue.
To see what kind of data Facebook has on you, whether you're an Android user or not, you can download your full Facebook archive by going into your settings and clicking on the link at the bottom of the "General" tab. Once you download the ZIP file, open the file named index.htm and navigate to "contact info" in the sidebar. In the future, don't say yes if Facebook asks for permission to access your contacts.
In a blog post on March 25, Facebook denied that it inappropriately scraped call and text data from users' phones, saying that those logs were part of an opt-in feature that Android users had to explicitly agree to. According to Ars Technica, this contradicted the experiences of several Android users whom reporter Sean Gallagher spoke to.
Facebook's privacy practices have been under intense scrutiny lately, for good reason. The company recently took out full-page ads in several major newspapers apologizing for the ongoing Cambridge Analytica scandal, in which Facebook's data-sharing rules allowed the political consulting firm to inappropriately gather data on tens of millions of users. The company is now being investigated by the FTC, and CEO Mark Zuckerberg has been invited to testify before Congress about the site's privacy practices.
In general, if you don't want Facebook to share data on your every online move with third parties, you'd be wise to limit the amount of information you give it in the first place. Refrain from telling it things like where you went to school, where you work, what your birthday is, and who your siblings are. Remove your phone number or use a Google Voice number in place of your cell phone number, and again, certainly don't let the service comb through your contact list. If you like to get creative, this is one situation where it's perfectly ethical to lie. (Avoiding sharing real data with the company can also double as a good way to foil hackers combing the site for information on you.)
After you download your Facebook archive, it would also be worth it to check out which advertisers have your data from the site. You can turn off targeted advertising by going to your ad settings and unchecking all of the different interests Facebook labels you as having, disassociating yourself from that time you "liked" the Dr. Pepper fan page or clicked on an ad for a cute t-shirt you saw on the site. And for more about how to limit the information about you that Facebook gives to third-party apps, read on here.
[h/t Ars Technica]