Last week, New Zealand student and technologist Dylan McKay downloaded his entire Facebook archive to see just how much data the company had harvested from. To his surprise, he discovered that not only had Facebook collected the identities of his friends and family from his address book, but that, for a short period between 2016 and 2017, they had also been keeping a running log of every phone call and text message sent or received on his Android device.

According to Facebook, this kind of data collection was “a feature, and not a bug,” and enabled by Dylan when he agreed to let Facebook synchronize his phone’s contact database. Unbeknownst to Dylan, while the app plainly stated it would need to be able to read and process his contact’s information, it failed at that time to explicitly state such access would include continual call and text monitoring, and that these records would be maintained indefinitely. Since then, Facebook has refined the permission tiers associated with app installs to make it clearer as what kinds of data collection each permission authorizes, but, as Dylan found out, a significant amount of damage had already been done.

This has been historical pattern with Facebook, as well as many other tech companies, particularly those within the social media space. What is described within the site’s terms and conditions doesn’t even begin to describe what is actually going on. Some hints are present – “data will be shared with partners and affiliates” – but an end user is not typically going to aware of just who those partners and affiliates are, nor is the company likely to enlighten them. The same applies to the conditions surrounding the sharing: is Facebook isn’t just giving away birthdates and puppy photos, they are trading that information for additional information, building a more and more complete profile of their customers as a single, uniquely identifiable entities. And that’s where things start to get dicey from a privacy perspective.

As the story of Dylan’s discovery broke, commentators on Twitter and other social media platforms began to point out some of the more uncomfortable aspects of the call tracking. One reader noted that Dyman’s medical history could be trivially gleaned from the lists of calls he’d made to his doctors – a simple Google search on the doctor’s name would identify his practice area and thus reveal the the types of treatment being sought. This raised alarms from members of the LGBTQ community, concerned that the sharing of such information could lead to a stealth form of “outing” members to the community to advertisers, employers, and insurers. Fears that women seeking safety from violent and abusive spouses might see the locations of their “safe houses” or shelters compromised via similar, equally simple analyses were also raised. Can the concept of privacy truly exist in a culture where corporations can freely traffic in information about you without any oversight from you?

Should you be concerned? Yes. What can you do to mitigate the risk? Get informed. And take whatever actions you deem necessary to protect yourself.  Always, always, read the terms and conditions of any web site or social media application you may use with a critical eye, and revisit those conditions regularly to look for changes. The devil, as they say, is in the details, and in this recent Facebook fiasco, the phrase “we reserve the right to change these policies at any time,” has never been more perceived as a grotesque afterthought.  To date, the company’s default mode has been to seize whatever it can get its hands on, and ask permission to keep it later – typically, only after a negative outcry in the press. The amount of detail they have amassed shouldn’t really come as shock – data collection and aggregation is their business model, after all – but end-users weary of the constant monitoring, or, more importantly, constant sharing need to start paying attention to the fine print, and start exercising a little more direct control over their private lives and details.

Related Links:

Dylan McKay’s Twitter Profile – the “pinned” tweet at the top is the first entry of a lengthier thread analysing his Facebook data:

https://twitter.com/dylanmckaynz

Facebook has set up this page where you can get instructions on how to download your personal data file: https://www.facebook.com/help/131112897028467?helpref=page_content&_fb_noscript=1#