Android's permissions system used to be more permissive than it should have been, and according to Ars Technica, Facebook was taking advantage of that little loophole to harvest call and SMS data. By exploiting the fact that pre-4.1 Android permissions could be requested by apps on the Play Store up until last year, and that those earlier permissions automatically granted call and SMS access together with requests to access contacts, Facebook was able to collect and store metadata associated with each from those that gave the app those permissions. 

This is on the heels of the larger Cambridge Analytica Facebook scandal—which we haven't really covered because, up until now, it hasn't really applied to Android specifically. The much-abridged version is that a company called Cambridge Analytica reportedly harvested data from some 50 million Facebook users, against Facebook's terms of service. Some of that data was ostensibly deleted after Facebook privately contacted the company a couple years ago, but independent audits are verifying that as we speak in the face of allegations that it might have been used to influence recent elections.

Within that lens, you can see how Facebook's collection of SMS and call data over recent years could be a concern. The privacy implications of Facebook having that information are sketchy enough, but if unsupervised third parties like Cambridge Analytica had access to it, it could be in anyone's hands.

Ars Technica's Sean Gallagher was able to confirm, in exploring the contents of his own Facebook data archive, that call and SMS data from 2015 and 2016 was present. Others have confirmed the presence of that data up until October 2017, the approximate date at which Google retired support for pre-4.1 APIs for apps in the Play Store.

If you're concerned, you might want to take a look at your own Facebook data to see what the company might have collected. It also includes information about which third party advertisers Facebook may have shared/sold it to. Allegedly you can even delete that data, though Ars reports information was still present in a downloaded archive after deletion, so YMMV.

UPDATE: 2018/03/25 4:39pm PDT BY

Facebook posted a bit of company news today in response to the allegations it stored call and messaging metadata. The company reiterated that it wasn't saving the actual content of calls or SMS/MMS messages—something neither Ars Technica nor we claimed, but presumably other outlets did.

It also further expanded precisely how that metadata was being collected. Turns out, it may not have been from the Facebook app. It's actually a part of Facebook Lite and Messenger (and users can opt out here and here, respectively). Facebook considers the data collection opt-in since the apps in question directly ask if you'd like to upload that information during setup.

That means that Facebook likely wasn't trying to hide the collection of that information behind older Android API levels, as they were initially accused of. Each app that requests that data makes those requests clear, as you can see just below in Facebook's screenshot of the Messenger setup process.

So, while Facebook has been collecting that metadata for years (since 2015, according to Facebook), the mechanism behind it should probably have been transparent to users of the service, and the company was not abusing older API levels to get it.

Those that remain worried can delete the information that was uploaded via the page here.

Source: Ars Technica