Monday, 2 April 2018

The Guardian/Alex Hern: Facebook logged SMS texts and phone calls without explicitly notifying users

The Guardian

Facebook
Facebook logged SMS texts and phone calls without explicitly notifying users

Users complain of phone and text data collected by the company despite never having agreed to practice

Alex Hern and agencies @alexhern

Thu 29 Mar 2018 15.36 BST
Last modified on Thu 29 Mar 2018 22.00 BST

Shares
906
facebook
Facebook issued a ‘Fact Check’, in which the company repeatedly noted ‘people have to expressly agree to use this feature’ and ‘uploading this information has always been opt-in only’. Photograph: Dominic Lipinski/PA

Facebook began logging the text messages and phone calls of its users before it explicitly notified them of its practice, contradicting the company’s earlier claims that “uploading this information has always been opt-in only”.

In at least one previous version of the Messenger app, Facebook only told users that the setting would enable them to “send and receive SMS in Messenger”, and presented the option to users without an obvious way to opt out: the prompt offered a big blue button reading “OK”, and a much smaller grey link to “settings”.

Nowhere in the opt-in dialogue was it made clear that text histories would be uploaded to Facebook’s servers and stored indefinitely.

Other users have similarly disputed ever seeing explicit notification from Facebook that their communication logs would be uploaded. Sean Gallagher, a writer for Ars Technica, had never installed Messenger, and maintains that “there was never an explicit message requesting access to phone call and SMS data” in any version of Facebook he installed, yet discovered that his call metadata had been uploaded.

Last week, some Facebook users who were prompted to download their data in advance of deleting their accounts were shocked to find that they contained detailed logs of all calls and SMS messages they had sent with their phones, even if they didn’t use Facebook applications to make or receive phone calls or texts.

In response, Facebook issued a “Fact Check”, in which the company repeatedly noted “people have to expressly agree to use this feature” and “uploading this information has always been opt-in only”. But the vast majority of the post is written in the present tense, and the example disclaimer Facebook posts – which does explicitly say the app will “continuously upload … your call and text history” – was only introduced in 2016, a year after the feature was initially introduced.

The “Fact Check” did not acknowledge that in the past, different notification screens have been used, including ones that did not warn users that call and text history would be uploaded.

Call and text history has only ever been uploaded from users of Android devices, since Apple’s iOS operating system does not allow app developers to see that sort of private information.

Every Android user who did see their communication collected by Facebook has still opted in at least once, however, since they need to give the application permission to access their information. But until very recently, Android’s permissions structure has been extremely vague for end users.

Until 2012, any Android application that could access contacts could also access phone and text logs, but the operating system did not explicitly notify users of that fact. That changed with that year’s “Jelly Bean” release, which updated the dialogue to make it clear that both communication history and contacts would be accessible – but didn’t let users only grant access to the latter. Rejecting the request meant the apps wouldn’t work.

It wasn’t until 2015 when Google released Android 6.0, dubbed “Marshmallow” that Android phones finally split up those permissions. That meant users could agree to share contacts, but reject access to their messaging and phone histories.

That’s the same year Facebook says its apps started collecting this information. But many Android users are not using the latest version of the software and often cannot get it even if they want it.

The Guardian asked Facebook whether it stands by its characterisation that the surveillance “has always been opt-in only”, but the company declined to comment, only referring back to the initial Fact Check.

    Share your experiences using the encrypted form below. One of our journalists may contact you to discuss further.

Topics

    Facebook

    Social networking
    Data protection
    Telecoms
    news

    Share on LinkedIn
    Share on Pinterest
    Share on Google+

Most viewed

    World
    UK
    Science
    Cities
    Global development
    Football
    Tech
    Business
    Environment
    Obituaries

back to top

    become a supporter
    make a contribution
    securedrop
    help

    advertise with us
    work for us
    contact us
    complaints & corrections

    terms & conditions
    privacy policy
    cookie policy
    digital newspaper archive

    all topics
    all contributors
    Facebook
    Twitter

© 2018 Guardian News and Media Limited or its affiliated companies. All rights reserved.

No comments: