Sean Gallagher, writing for Ars Technica:
In response to an email inquiry by Ars about this data gathering, a Facebook spokesperson replied, “The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.”
A widely used practice is something Facebook could have taken a stand on, eons ago, and led the industry, rather hiding under its cover.
As much as the headlines about Facebook having a bad week will continue, it’s amazing how unchecked the whole system was:
If you granted permission to read contacts during Facebook’s installation on Android a few versions ago—specifically before Android 4.1 (Jelly Bean)—that permission also granted Facebook access to call and message logs by default. The permission structure was changed in the Android API in version 16. But Android applications could bypass this change if they were written to earlier versions of the API, so Facebook API could continue to gain access to call and SMS data by specifying an earlier Android SDK version. Google deprecated version 4.0 of the Android API in October 2017—the point at which the latest call metadata in Facebook users' data was found.
The issue with such far reaching applications and OS' is that there aren’t—and are unlikely to be anytime soon—overarching regulations that can manage these issues. Even if the US or the EU has stringent privacy regulations that will allow them to penalize Facebook’s entities within their jurisdiction, that’s as far as they’d be able to go.
Six months down the road, where will this situation be? Will Facebook brazen it out through via heres-another-setting-under-privacy-settings? That can be the only real indicator.