Facebook Inc. said it logs the phone call and messaging histories of some Android smartphone users who installed its messaging app or a lighter version of its main Facebook app.

The call and text logging happen when people using smartphones running the Android operating system sync their phone contacts with Messenger or Facebook Lite, the company said Sunday in a note posted online.

The statement followed users’ reports on Twitter in the past week that they had examined their Facebook data and saw the company logging the information.

While Facebook says there was nothing improper in its call logging, it is the latest example of Facebook users coming to the realization they are sharing vast quantities of data with the company—wittingly or not—each time they agree to one of its privacy settings or feature requests.

Facebook's current data crisis involving Cambridge Analytica has angered users and prompted government investigations. To understand what's happening now, you have to look back at Facebook's old policies from 2007 to 2014. WSJ's Shelby Holliday explains. Illustration: Laura Kammerman

Facebook is already dealing with fallout from a separate revelation that an outside data firm, Cambridge Analytica, improperly obtained data about tens of millions of Facebook members.


The Federal Trade Commission said Monday it is investigating Facebook in light of the Cambridge Analytica matter. Monday, Facebook’s stock was up 0.4% to $160.06 after a 14% slide last week. The Wall Street Journal previously reported the FTC had been looking into whether Facebook violated terms of a 2012 consent decree over collecting personal data and sharing it with others.

Also Monday, the attorneys general of 37 states and territories joined in a letter to Facebook demanding the company provide answers to questions about its policies and practices for handling information about its users.

“Attorneys General across the country have raised important questions and we appreciate their interest,” said Will Castleberry, Facebook vice president for state and local public policy. “Our internal review of the situation continues and we look forward to responding.”

Tech companies often say new features are aimed at making their services more convenient or easier to use. Syncing contacts gives users an easy way to send Facebook messages to people who are listed in a phone’s contact list, for example.


Dylan McKay, a software developer based in New Zealand, said the collection of phone call and messaging information on his phone lasted for more than a year. “I experimented with the ‘text anyone in your phone’ feature for a short amount of time—weeks,” he said.

Facebook said text and call logging is an “opt-in” feature when uploading and syncing contacts, aimed at helping people find others they know on Facebook. The company said it never sees messages or call content nor sells the data.

But the Cambridge Analytica controversy is drawing new attention to Facebook’s practices for obtaining and sharing user data, and how much users understand them.

One popular tool called “Log in with Facebook,” available on many apps, lets people log in using their Facebook credentials.


When users of the dating app Tinder log in using Facebook, for example, they share with Tinder their email address, date of birth, work and education history, photos, likes and the names of friends who also use the app, a Tinder spokeswoman said.

AllTrails, an app for hikers, accesses a user’s email address, date of birth, current city and friend list when a person logs in with Facebook, according to its website. The shopping app Wish accesses profile data and the user’s email address, according to its website.

AllTrails Inc. and Wish didn’t respond to messages seeking comment.

At present, apps using the Facebook login feature obtain what Facebook calls the user’s “public profile,” which includes information such as gender, information on their age such as whether they are over 18, and the user’s profile photo. The sharing of other data—such as date of birth or email address—can be blocked by the user.


These sorts of data-sharing arrangements are vital for Facebook, not only because they embed the network more deeply in users’ lives, but because they help Facebook gain more user information it can feed into advertisement-targeting tools.

Facebook’s developer guidelines spell out the way the data it supplies to app makers is supposed to be handled, but the company doesn’t automatically audit its developers, said Nils Puhlmann, formerly chief security officer with game developer Zynga Inc. “They offered a service with no controls,” he said.

If users ask for their data to be deleted, the app makers must comply, a Facebook spokeswoman said. However, if this request isn’t made, “data remains on the developer’s side until the developer deletes it,” she said.

Tinder deletes its data after users close their accounts, the Tinder spokeswoman said.

Typically, there are other ways of signing in to these apps—with a similar feature from Alphabet Inc.’s Google or by creating brand-new usernames and passwords. But with 2 billion Facebook users world-wide, “Log in with Facebook” is a quick and popular option.

The data sharing occurs in two directions. In exchange for providing Facebook user data to the app makers, Facebook learns which apps its users are installing—and deleting—and can also obtain data about how often these apps are being used, Facebook said.

That data could help Facebook build more accurate profiles of its users for advertisers, Mr. Puhlmann said. Knowing that someone has stopped using Tinder or started using a health app can be valuable information, he said.

Last week, Facebook Chief Executive Mark Zuckerberg said his company is taking steps to further curb the access app makers have to company data, following the Cambridge Analytica revelations. The company is now auditing developers who scooped up a suspicious amount of data, Mr. Zuckerberg told the Journal in an interview last week.

—Katherine Bindley contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com