As we learned last year, Facebook has a habit of stealthily grabbing customer data to improve its own products and services, and then apologizing when the world finds out. There have been several instances that highlight how the company will go to any lengths to learn more about its users. It’s worrying for a number of reasons, but it’s especially troubling because the company still has tremendous potential to reach billions of users.

Here’s a comprehensive list of Facebook‘s notorious attempts to collect information for its own purposes. This doesn’t include incidents like the Cambridge Analytica fiasco of last year, where the company’s missteps allowed a third party to scrape users’ personal information.

Paying teens $20 for data about how they use their phones

First up is the latest revelation by TechCrunch, which noted that the social network paid $20 per month to teens to install an intrusive app to monitor their phone usage habits. It tracked private messages in social media apps, chats from in instant messaging apps including photos and videos, emails, web searches, web browsing activity, and even ongoing location information.

To do that, Facebook opted for a non-App store route and asked testers to use alternative app testing platforms such as Betabound, uTest, and Applause. The program asked users to install the Facebook Research app from a specific URL instead of the App Store, and then grant extensive permissions to monitor activity on their phones.

In its report, TechCrunch found that the Facebook Research app had some similarities to Facebook’s Onavo VPN app (which was banned by Apple). However, in a statement to TNW, the company denied that the Research app was a revamped version of Onavo.

Facebook told TNW only 5 percent of the participants of Project Atlas – the name Facebook assigned to this initiative so it could distance itself from its data collection efforts – were teens. That’s odd, considering that TechCrunch found that uTest ran campaigns on Instagram and Snapchat for a “paid social media research study” specifically targeting teens. TNW also found Reddit posts with referral codes to sign up for Project Atlas.

Credit: TechCrunch uTest campaigns

This incident shows that despite being banned from the App Store, Facebook is dogged enough about collecting data to find ways around these policies.

Onavo’s ‘free VPN’

In 2013, Facebook acquired Onavo, which offered a VPN service claiming to “block potentially harmful websites and protect your data.” Last February, the company even tried to promote the service through the “Protect” tab in the primary Facebook app.

Onavo App

Later in the year, Apple reportedly found that the app gathered user data about the sites people visited, and the mobile apps they used. As a result, it booted Onavo out of the App Store for violating its privacy policies.

Sponsored Stories

Back in 2011, Facebook introduced a concept called “Sponsored Stories” that took advantage of users’ content like check-ins, photos, and comments to create ads for companies like Coca-cola and Starbucks.

Strangely enough, there was no option to opt out of this. So, in April 2011, a bunch of people sued Facebook for using their information without their consent. Two years later, the company had to cough up $9 million in a class-action lawsuit; the amount was distributed between 614,000 people. It also had shut down the Sponsored Stories program.

Android texts and calls

Following the Cambridge Analytica scandal that broke in 2018, Facebook changed its privacy policy and allowed customers to download the data collected on them by the social network. When users downloaded their data, they found that Facebook read their call log and SMS metadata. Later, ArsTechnica reported that the social network collected the aforementioned data from Android phones that had the Facebook app installed for years. A few users found call logs going back to 2015.

Downloaded my facebook data as a ZIP file Somehow it has my entire call history with my partner's mum pic.twitter.com/CIRUguf4vD — Dylan McKay (@dylanmckaynz) March 21, 2018

In its defense, the company said that it asked for user permission to access call logs and SMS. However, the way Android permissions are structured, it’s hard to know what specific data the app is collecting. What’s more, Android’s runtime permission model – that allowed users to allow or deny permissions to specific parts after installing the app – only rolled out in 2015.

Plus, last December, some internal documents published by the UK parliament suggested that Facebook knew that the step of recording call log and SMS data might backfire, but it went ahead with it anyway. Clearly, the company acted in its own interest and didn’t take users’ privacy into consideration in this case.

Shadow profiles and extensive data gathering

Last year, when CEO Mark Zuckerberg testified in front of the US Congress over the issue of user data leak of Cambridge Analytica, Ben Lujan, a representative for New Mexico’s 3rd Congressional district, asked him about collecting data of users who didn’t sign up for Facebook‘s service:

You’ve said everyone controls their data, but you’re collecting data on people who are not even Facebook users, who never signed a consent or privacy agreement and you’re collecting their data. And you’re directing people who don’t have a Facebook page to sign up for Facebook in order to get their data.

Lujan was referring to ‘Shadow Profiles’ that exist on Facebook even if the person hasn’t signed up for any of the company’s services. Gizmodo wrote an extensive report on how people who’ve never registered to use Facebook, or have only interacted with you online through an email address of yours that is not connected to the social network can show up in the “People You May Know” section. This indicated that the company was gathering more data from your online activities than it previously let on.

Recently, Frederike Kaltheuner and Christopher Weatherhead from Privacy International, a UK-based non-profit that seeks to preserve the right to privacy, demonstrated how Facebook collects data from Android phones. In the talk, they also show how other apps share data with Facebook. You can check out the video below.

Conclusion

Time and time again, Facebook has found ways to snatch your data by hook or by crook, even if you’re not using its service. As if that’s not enough, the company is looking to expand its reach by unifying the messaging infrastructure of Instagram, WhatsApp, and Facebook Messenger.

As my colleague Abhimanyu wrote, the adoption of open standards could help wrest power from Facebook’s grasp, but the company’s internal practices and history might make existing and future users uneasy. As we’ve suggested in the past, it might be time for a change in management at the company so that it can salvage its reputation.

Read next: After Facebook, Google apologizes for running a user data collection program on iOS