How Facebook Lied and Stole Your Contacts


Facebook’s “People You May Know” feature was introduced a few years ago. People were creeped out. How could Facebook know we know these people? Sometimes it suggested people you had never exchanged information with, just someone who had been in the same area as you. How does Facebook do this? They won’t say. They’re clearly using your location somehow, even if you don’t have location tracking enabled on your phone. They’re also using friends of friends, a virtual game of “six degrees of separation.”

Facebook’s features creeped people out enough. Then one user downloaded his data from Facebook and found logs of calls he had made to his partner’s mom. That was when we realized Facebook was using call logs, including call duration and missed calls, and message history to sidestep asking for the contacts permission. Facebook had found a way to grab information on your friends without asking for it. In fact, Facebook made getting this access without your knowledge a key priority.

How Permissions Work

Phone permissions are supposed to stop app developers from having unlimited access to the data on your phone. It’s what allows you to feel secure downloading an app like Facebook without worrying that they’re collecting all of your information. Permissions act like a layer between an app and your device and its data. So, when an app like Facebook wants to access contacts, it has to ask the operating system for them. If you have enabled the contacts permission for that app, it hands the requested data over, otherwise, it will not.

This system puts you in charge of the gates between your apps and your data. It forces apps to ask you for permission first, because all permissions are off by default. Once you enable one, though, the app keeps that access until you turn it off again. This is where an app developer can use permissions in a sneaky way, drawing on data from a permission you would not suspect they’re using for that purpose.

How Facebook Dodged Permissions

[Screenshot: Facebook’s in-app notice, in small gray-on-white text, explaining what users were enabling. It says Facebook will continuously collect information on users.]

This alert was intentionally difficult to read.

We have known for some time that Facebook was storing call logs and messages from Android users. Though the notice Facebook used to inform users (shown above) made the text difficult to read, we were able to confirm the behavior immediately after users noticed it.

However, we didn’t have information on the discussions that went on in Facebook regarding the matter. The British government released hundreds of emails and documents it seized as part of an investigation. The insight into the company’s inner workings and values has not made Facebook look good. As it turns out, Facebook knew the feature would not be popular. They not only decided to go forward with it anyway, but decided to use a method that would avoid a new permissions dialog. In doing so, they were able to keep from truly alerting users to their permissions grab with an Android-level popup.

The Lead Up

[Screenshot: Email from a Facebook engineer pointing out that the decision to grab call and message logs will be unpopular, but that the growth team will go with it anyway.]

Facebook knew that grabbing your friends’ information from your call logs and messages would be unpopular. They knew that, if they triggered an Android-level popup, people would realize that Facebook was getting new permissions, and could therefore grab more data. They also knew that the move would alienate users. The Facebook employee in this email, Mark Tonkelowitz, seemed to be against the move, saying “it appears that the growth team will charge ahead.” It seems as though he believed it was ill-advised as well.

Dodge the Popup

[Screenshot: Facebook engineer stating that they may have found a way around the Android permissions popup.]

Facebook engineers found a way to use the read call log permission to get all of a user’s main contacts, including nicknames and other details from their contact cards or messages, without an Android popup. This means that even if you saw a screen like the one in the screenshot above and continued through the app, the absence of a permissions dialog would not worry you: clearly Facebook already had that permission. What you didn’t realize is that they were using existing permissions in new ways, sidestepping the requirement to ask for the contacts or messages permissions. Facebook found a way to get your information without you feeling like you had given up any security or privacy.

What you ended up doing was helping Facebook build out shadow profiles, get phone numbers for Facebook users who didn’t list their own numbers, and help Facebook make connections through people who may not want to be connected at all.
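The practical check here is to look at which permissions an Android app actually holds, not just which dialogs you remember seeing. The script below is an added example, not code from the article or from Facebook: it parses a permission listing in the layout of `adb shell dumpsys package <package>` (layout assumed from memory; the sample text is constructed, with a made-up package name) and reports which social-graph permissions the app holds. It shows the point the article makes: an app can be denied contacts yet still hold the call-log permission that maps who you talk to.

```python
import re

# Constructed sample in the layout of `adb shell dumpsys package <pkg>` (layout assumed;
# real output is far longer). The package name is made up; this is not a Facebook build.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.social] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED]
"""

# Permissions that expose who you talk to, even when READ_CONTACTS itself is denied.
SOCIAL_GRAPH_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
}

# A permission line, optionally followed by its grant state ("granted=true/false").
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")

def parse_permissions(dump: str):
    """Return (requested, granted) sets of permission names found in the dump."""
    requested, granted = set(), set()
    for line in dump.splitlines():
        m = PERM_LINE.match(line)
        if not m:
            continue
        requested.add(m.group(1))
        if m.group(2) == "true":
            granted.add(m.group(1))
    return requested, granted

def audit(dump: str):
    """Social-graph permissions the app holds, and ones declared but not (yet) granted."""
    requested, granted = parse_permissions(dump)
    return {"held": sorted(SOCIAL_GRAPH_PERMS & granted),
            "pending": sorted((SOCIAL_GRAPH_PERMS & requested) - granted)}

if __name__ == "__main__":
    result = audit(SAMPLE_DUMPSYS)
    print("Can read your social graph via:", result["held"])
    print("Declared but not granted:", result["pending"])
```

Run against a real dump by piping `adb shell dumpsys package <package>` into `audit()`; a "pending" permission is one an update could start using without a fresh dialog if it already holds a related grant.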

People You May Know

Gizmodo has an interesting take on this problem. They were investigating a problem sex workers had reported. Despite using burner phones, pseudonyms, and alternative phone numbers, sex workers were getting friend requests from their clients. They were seeing their clients in their “People You May Know” section. How could Facebook have this information? If a sex worker had their real phone number stored as a contact on the burner phone, Facebook could have grabbed that information and linked their sex-worker identity to their true identity. This led to stalking by their clients, blackmail, and harassment.

Facebook doesn’t just make these connections. They also create their own nodes in their little web. If a person does not seem to have a profile, Facebook creates a “shadow profile.” This is a profile for a person who hasn’t signed up to Facebook yet, but the company knows they exist. They may have the person’s name, pseudonyms, nicknames, phone numbers, email address, physical addresses, photos, and more, all from the people they know. This is why you can’t escape Facebook’s data collection. Even if you’re not a user, Facebook has built an advertising profile on you. Even if you never sign up for Facebook, advertisers can use the service to track and target you with ads.

No matter what, Facebook knows you.

Android vs iOS

[Screenshot: Facebook Messenger’s contacts permission turned off in iOS settings.]

Turning off contact access in iOS is easy.

This is one of the many areas where iOS devices are more secure. If you choose not to share your contacts information with Facebook, they won’t get this information from you about you or your friends. But this works like herd immunity: if some people don’t get the vaccination, anyone can get sick. Since Android users are unwittingly uploading contact information and more, Facebook has this information on you and your friends anyway.

If you use Android, you don’t have many options here. Facebook may have come preinstalled on your device and you may be unable to delete it. However, you can go into your apps page, select the Facebook and Messenger apps, and remove all updates. You can then disable the app, effectively uninstalling it. You can use a bookmark to view Facebook on your phone, but you’ll need to spoof your browser as a desktop browser to get Messenger on your device without downloading the app.

Facebook likely has your information anyway. Since there’s no legislation stopping these kinds of large information grabs, there’s nothing you can really do. Facebook will get your information whether you have an account and the app or not. It’s Facebook’s world, we’re just living in it.
