Android's permissions system used to be more permissive than it should have been, and according to Ars Technica, Facebook was taking advantage of that little loophole to harvest call and SMS data. By exploiting the fact that pre-4.1 Android permissions could be requested by apps on the Play Store up until last year, and that those earlier permissions automatically granted call and SMS access together with requests to access contacts, Facebook was able to collect and store metadata associated with each from those that gave the app those permissions.

This is on the heels of the larger Cambridge Analytica Facebook scandal—which we haven't really covered because, up until now, it hasn't really applied to Android specifically. The much-abridged version is that a company called Cambridge Analytica reportedly harvested data from some 50 million Facebook users, against Facebook's terms of service. Some of that data was ostensibly deleted after Facebook privately contacted the company a couple years ago, but independent audits are verifying that as we speak in the face of allegations that it might have been used to influence recent elections.

Within that lens, you can see how Facebook's collection of SMS and call data over recent years could be a concern. The privacy implications of Facebook having that information are sketchy enough, but if unsupervised third parties like Cambridge Analytica had access to it, it could be in anyone's hands.

Downloaded my facebook data as a ZIP file Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD — Dylan McKay (@dylanmckaynz) March 21, 2018

Ars Technica's Sean Gallagher was able to confirm, in exploring the contents of his own Facebook data archive, that call and SMS data from 2015 and 2016 was present. Others have confirmed the presence of that data up until October 2017, the approximate date at which Google retired support for pre-4.1 APIs for apps in the Play Store.

If you're concerned, you might want to take a look at your own Facebook data to see what the company might have collected. It also includes information about which third party advertisers Facebook may have shared/sold it to. Allegedly you can even delete that data, though Ars reports information was still present in a downloaded archive after deletion, so YMMV.