Facebook tracks all calls and messages on Android (twitter.com/dylanmckaynz)
265 points by m_ke on March 22, 2018 | 37 comments



If you scroll through the replies, he does admit to opting into a feature to integrate SMS and phone with Messenger [1].

No doubt there's a permissions/version and Facebook-overstepping-ethics conversation to have here (as always), but this isn't as major as the title implies. It does seem like Facebook is continuing to use permissions after he opted out.

[1] https://twitter.com/dylanmckaynz/status/976825435026735104


For what it's worth, the cell metadata in the post is from over a year before I even opted into the SMS integration.

The SMS integration was disabled after a few weeks of usage, the app was too buggy.


I have never/ever installed Messenger on phone, yet all calls/texts are in FB. Either they are copying it from WhatsApp servers, or stealing using FB app, not sure.


Android 6.0 was the first version to implement permission control. Looks like this guy was running 5.1, so we at least know how Facebook got access to that info.

Doesn't justify it though.


Android always had permissions:

https://developer.android.com/guide/topics/manifest/permissi... (see "introduced in")

Many apps request the phone permission to change their behavior on incoming calls, or during calls. For example, they would stop playing audio.

Access to text messages is sometimes requested to automate text message-based one time pad flows for the user.



Isn't this the expected behavior for apps that you give the SMS / voice call / contacts permissions to? I would be surprised if any such app did not display my call/SMS history and autocomplete contacts.


I think it would be expected for local access, on the device where the data was originally stored. It is wholly unacceptable for them to upload that data. If someone has my name and phone number and installs Facebook, they have just given Facebook all of my personal information.


That is how mobile messengers like Telegram work - when you install them, they upload your contact list to their servers to "improve your experience".


It's not unexpected, but still alarming given the recent news on how and the extent to which third party apps are mining your data/sending targeted ads/manipulating people with data that's given for a benign purpose like inviting friends from your contacts (Trojan horse).


As I understand, once some app gets your data, in the USA there is a freedom to do whatever the company wants, and sell or share it with anyone including the government.

At least Wikipedia says [1]:

> In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data was collected without permission, except to any extent regulated by laws and rules...

[1] https://en.wikipedia.org/wiki/Information_privacy_law#United...


He is using Android 5.1... that was before the whole permission system, no?

Besides other people don't seem to be able to reproduce it.


Permissions existed, absolutely.

They were just "Accepted when installed" type permissions rather than "Hey, would you kindly grant me access to all of your data" type permissions.


Does that make it right for Facebook to gather this data? It seems entirely unnecessary.


If I'm understanding the other comments in the thread then the behavior is based on how Android worked in that older version... e.g.

if (on) { /* execute code for said feature */ }

Which implies: "In the version of Android mentioned the on flag is on when you install. It was a feature of that version of Android to turn it on... how can FB know you didn't want it on?"


> It was a feature of that version of Android to turn it on... how can FB know you didn't want it on?"

What user wants that "feature" on? (or at least to send the data to Facebook for storage)


Yeah, that's the whole issue. I cannot think of any reason why Facebook would want to store that data that benefits the user.


Android Apps targeting Android 6.0+ need to handle grant/revocation of permissions at runtime. Previous versions of Android would simply ask for the same permissions upfront when a user installed an app.


Yes, but it's still possible to target a lower version of Android and request all the permissions up front, which most users would agree to.


That's exactly what the Mi Home (for Xiaomi IoT stuff) app does. Pesky little buggers.
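The comments above describe apps that target an API level below 23 (Android 6.0) so their permissions are granted at install time. The following is an added example, not part of the thread: a small audit of a decoded `AndroidManifest.xml` that flags this combination. The sample manifest, its package name and the `audit_manifest` helper are constructed for illustration, and the input is assumed to be already decoded from the APK's binary XML into text.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_API = 23  # Android 6.0 introduced runtime permission prompts

# Call, SMS and contact permissions discussed in the thread (not a full list).
SENSITIVE = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}

def _api_level(uses_sdk, attr):
    # Non-numeric values (preview codenames) are treated as unset here.
    raw = uses_sdk.get(ANDROID + attr) if uses_sdk is not None else None
    return int(raw) if raw and raw.isdigit() else None

def audit_manifest(manifest_xml):
    """Report whether sensitive permissions are granted without a runtime prompt."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    # targetSdkVersion falls back to minSdkVersion, which falls back to 1.
    target = (_api_level(uses_sdk, "targetSdkVersion")
              or _api_level(uses_sdk, "minSdkVersion") or 1)
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    return {
        "target_sdk": target,
        # True: granted at install, even on devices running Android 6.0+.
        "install_time_grant": target < RUNTIME_PERMISSION_API,
        "sensitive": sorted(requested & SENSITIVE),
    }

def _manifest(target_sdk):  # constructed sample, not a real app's manifest
    return f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.constructed">
      <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="{target_sdk}"/>
      <uses-permission android:name="android.permission.INTERNET"/>
      <uses-permission android:name="android.permission.READ_CALL_LOG"/>
      <uses-permission android:name="android.permission.READ_SMS"/>
    </manifest>"""

LEGACY = _manifest(22)  # targets Android 5.1
MODERN = _manifest(26)  # targets Android 8.0

if __name__ == "__main__":
    for label, xml_text in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, audit_manifest(xml_text))
```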


I was able to reproduce it.


After reading this, I tried to download my data from Facebook. However, Avast antivirus on my machine detected a Trojan in the zip file from Facebook with my data and blocked the download with this message: "We've safely aborted connection on bigzipfiles.facebook.com because it was infected with Java:Malware-gen[Trj]"

I find this very weird. Did anyone here face the same issue?


Unless Facebook is serving up malware in its zip files (possible, but unlikely IMO), you may have other malware on your machine that could be piggybacking off the connection to download more junk. I'd run a full scan with Malwarebytes to be sure.


This was the case indeed. A full scan weeded out the existing trojans.


Facebook is literally spyware most everyone's convinced themselves is okay.


Is this really surprising to anyone? I'm surprised that this information is available to download, but I'm guessing that's not because Facebook wants to provide it (there are probably laws in New Zealand which force this?).


> Is this really surprising to anyone?

Does it matter?


You probably have the GDPR to thank for this.

I'm curious how to get your shadow profile's data if you don't have an account.


They will have to provide it to you upon request. If they’ve got some self-service system then great, but if not they’ll legally have to do it manually.


I just used their self-service system and they didn't provide any information about me that I didn't provide myself. For example, they didn't include my phone number, even though they surely have it since I am sure to have friends who have their mobile application installed.

My intention is to have a lawyer send them a letter asking for this information, but I'll wait until GDPR comes into effect first.


If I don't have a facebook account and the facebook app is installed on my phone by cell provider but I've disabled it does it still do this?


If it's not disabled, then definitely it can do this. If it's disabled then it should effectively be uninstalled so it should be fine.

That said it would certainly feel much more comfortable if you could delete it altogether.


It's interesting that this just dropped to the second page.


How do I request such a zip for myself?


As the sibling's linked tweet says: go to Facebook, then settings (? top right of masthead for me) and then at the bottom in greyed out print is a link for "download". It then asks for confirmation and says it'll email you when your archive has been prepared for download.



Notably missing on mbasic.facebook.com



