Android's permissions system appears to have granted more access than users expected, and according to Ars Technica, Facebook took advantage of this loophole to gather call and SMS data.
Apps on the Play Store could request pre-4.1 Android permissions up until last year, and those earlier permissions automatically grant call and SMS access, including contacts. By taking advantage of that, Facebook was able to harvest and store metadata linked with each from those who gave the app contacts access.
This discovery follows the recent Cambridge Analytica Facebook scandal, where a company called Cambridge Analytica allegedly collected data from some 50 million Facebook users, contrary to Facebook's terms of service. Some of that data was apparently deleted after Facebook privately contacted the company a couple of years ago, but independent audits are verifying that as we speak in the face of allegations that it might have been used to influence recent elections.
From that perspective, you can see how Facebook's collection of SMS and call data over recent years could be a concern. The privacy implications of Facebook having that information are sketchy enough, but if unsupervised third parties like Cambridge Analytica had access to it, it could be in anyone's hands.
Ars Technica’s Sean Gallagher was able to confirm, in exploring the contents of his own Facebook data archive, that call and SMS data from 2015 and 2016 was present. Others have confirmed the presence of that data up until October 2017, the approximate date at which Google retired support for pre-4.1 APIs for apps in the Play Store.
If you're concerned, you might want to take a look at your own Facebook data to see what the company might have collected. The archive also includes information about which third-party advertisers Facebook may have shared/sold it to. Allegedly you can even delete that data, though Ars reports information was still present in a downloaded archive after deletion, so YMMV.