With No Permission, Facebook Slurped up ‘Hundreds of Millions’ of Email Contacts

This story only gets worse for Facebook: Two weeks ago, I told you about how Zuckerberg’s firm was demanding some users enter their email passwords. But now, further revelations make the situation look much, much worse.

It appears Facebook was actually copying those users’ entire contact lists—without permission. The company says it was “unintentional.” So that’s alright then.

How many more straws can fit on this camel’s back? In today’s SB Blogwatch, we’ve lost count of all the Facebook scandals.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: stupid Tesla.


Book Another Facebook Farce

What’s the craic? Rob Price isn’t wrong—“It ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent”:

 The revelation comes after pseudonymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. [I] then discovered that … a message popped up saying it was “importing” your contacts without asking for permission.

Facebook disclosed [the] contacts were … used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends. … Contacts can still be highly sensitive data — revealing whom people are communicating with and connect to.

A Facebook spokesperson said before May 2016, it offered an option to … voluntarily upload their contacts. [But that] the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.

The total number of people whose contact information was improperly obtained by Facebook may well be in the dozens or even hundreds of millions. … The spokesperson could not provide a figure for the total number of contacts.

The incident is the latest privacy misstep from the beleaguered technology giant. … Since the Cambridge Analytica scandal in early 2018 … the company’s approach to handling users’ data has come under intense scrutiny.

Yeah, you could say that. Ishita Chigilli Palli and Kanishka Singh say this—“Facebook says it uploaded email contacts of up to 1.5 million users”:

 [It] seems to be the latest privacy-related issue faced by the social media company. … “We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we are deleting them,” Facebook told [us].

The company has also been facing criticism from lawmakers across the world for what has been seen by some as tricking people into giving personal data to Facebook and for the presence of hate speech and data portability on the platform.

Who was that raw-fish researcher? Mike Edward Moras—@originalesushi—feels vindicated:

 Remember that Facebook thing? Seems I made no mistake putting out the message in public at the beginning of this month. Otherwise, they’d still be at it.

Good to know my stopping them in their act made more sense than anticipated. … Seems my little FB finding merely affected millions of users.

Problem in this case was that FB required, upon registration, to provide the email provider password to verify your email. So, here it was “verify your email by giving us your email provider password” and not the usual email provider’s API-based stuff or even contact import.

Still, we can trust Facebook, right? Aunty Beeb’s Rory Cellan-Jones offers this analysis:

 We’ve woken up to the harms that could come from handing over that precious information about our social connections. … Now every time the social network suggests “people you may know”, we will wonder “How do you know that I may know them?”

The idea that they should trust Facebook with their data seems more old-fashioned by the day.

But it was an accident, OK? Mark Madsen—@idyll_code—scoffs ironically:

 I’ve been a programmer since 1998, and I’ve never seen code accidentally harvest user data. It usually locks up and crashes when I make a mistake. Instead of, say, uploading my address book to Facebook.

Strange.

But is it legal? Former FTC CTO Ashkan Soltani—@ashk4n—thinks not:

This is one of the most legally actionable behaviors by Facebook to date. I’m confident regulators will be taking a look.

Note the Facebook statement doesn’t mention whether contacts were used for advertising (they likely were). If there is any potential for a disgorgement / ill-gotten gains remedy, it would be this case.

Number of ppl impacted is actually in the hundreds of millions. … Facebook allows advertisers to use information from users’ address books to allow advertisers to target their friends.

And nokcha suggests 18 USC 1030 (a)(2)(C):

 “Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished as provided in subsection (c) of this section.”

(The definition of “protected computer” encompasses any computer that is “used in or affecting interstate or foreign commerce or communication”.)

Even if “unintentional”? cdsparrow scoffs:

 The part where it told folks it was slurping … contacts is the mess up. If it hadn’t given any indication it was doing it, then nobody would have noticed. … That’s the unintentional part.

And smt88 anticipates an analogy:

[It’s] like saying you unintentionally stole someone’s TV when they gave you their key to walk their dog.

Meanwhile, Miguel de Icaza remembers his school days:

“Unintentionally” is the new “the dog ate my homework.”

And Finally:

Speaking of accidental contacts, Mehdi Sadaghdar says Tesla was an idiot


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Mike Deerkoski (cc:by)

Richi Jennings


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
