Slashdot Mirror


Facebook 'Unintentionally Uploaded' Email Contacts From 1.5M Users (cnet.com)

Facebook "unintentionally" harvested the email contacts of about 1.5 million of its users during the past three years. From a report: The activity came to light when a security researcher noticed that Facebook was asking users to enter their email passwords to verify their identities when signing up for an account, according to Business Insider, which previously reported on the practice. Those who did enter their passwords then saw a pop-up message that said it was "importing" their contacts -- without first asking permission, BI reported. A Facebook spokesperson confirmed that 1.5 million people's contacts were collected in this manner since May 2016 to help build Facebook's web of social connections and recommend other users to add as friends.


  1. uhh.. sounds very much 'intentional' to me.. by Anonymous Coward · · Score: 1

    to help build Facebook's web ...

    someone's just finally calling them out on this much more widespread practice than the article leads you to believe.

    1. Re:uhh.. sounds very much 'intentional' to me.. by Spamalope · · Score: 3, Informative

      Someone just now noticed how Facebook's app works? First run on a phone it steals the contact list - then asks what your privacy preferences are. I used a phone with a honey pot address book last time I tested that app...

    2. Re:uhh.. sounds very much 'intentional' to me.. by goose-incarnated · · Score: 3, Informative

      to help build Facebook's web ...

      someone's just finally calling them out on this much more widespread practice than the article leads you to believe.

      The bigger, ignored, story is that Facebook got the passwords to millions of users' email accounts.

      --
      I'm a minority race. Save your vitriol for white people.
    3. Re:uhh.. sounds very much 'intentional' to me.. by Dru+Nemeton · · Score: 1

      Yeah I didn't catch that until on my local paper's website I read, "Facebook said that they didn't read users' e-mails" and it suddenly occurred to me that they couldn't do that unless they harvested the passwords as well.

      I have ZERO faith that they didn't harvest e-mails either to be honest.

  2. Unintentionally? by black3d · · Score: 5, Insightful

    Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    1. Re:Unintentionally? by markdavis · · Score: 5, Insightful

      >"Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so."

      +1

      This is just super slimy. And the problem with this type of practice is that it doesn't just violate the privacy of that user, but every single person that user knows.

    2. Re:Unintentionally? by Phylter · · Score: 1

      It does the exact same thing once you give it access to your contacts on your phone. As far as I remember, they don't tell you what they're doing with the contacts information.

    3. Re:Unintentionally? by Sebby · · Score: 2

      And the problem with this type of practice is that it doesn't just violate the privacy of that user, but every single person that user knows.

      I smell another class-action lawsuit!

      --

      AC comments get piped to /dev/null
    4. Re:Unintentionally? by tero · · Score: 3, Interesting

      LinkedIn does exactly the same thing. I've never given it permission to harvest my e-mails, yet it somehow seems to suggest me contacts based on address book matches alone.

      All social platforms are just slimy personal information harvesters. Burn them all.

    5. Re:Unintentionally? by Dunbal · · Score: 1

      Well fuck them, I have no contacts and no friends, so there! Hahahahahaha

      --
      Seven puppies were harmed during the making of this post.
    6. Re:Unintentionally? by JaredOfEuropa · · Score: 1

      Not the exact same thing. LinkedIn asks for permission. It uses the contact list on your mobile phone rather than trawling through your emails, and it certainly doesn’t ask for the password to your email account. I’ve no idea how it makes the suggestions that it does but it doesn’t seem to use my contact list (which it can’t anyway). Perhaps you got those suggestions because you were on their address list (and they granted access to it)?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    7. Re:Unintentionally? by AmiMoJo · · Score: 1

      The suggestions are based on other people's address books. Unfortunately if they share their address books then LinkedIn gets your real name, phone number, email address, maybe a photo and more.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Unintentionally? by Sebby · · Score: 1

      Wait, the EULA doesn't include a personal arbitration clause? Fuckabug is slackin' when it comes to hiring lawyers...

      Wouldn't apply to non-Fuckedbook users whose data was "unintentionally" taken.

      --

      AC comments get piped to /dev/null
  3. The part where it told folks it was slurping by cdsparrow · · Score: 2

    up contacts is the mess up. If it hadn't given any indication it was doing it, then nobody would have noticed. So that's the unintentional part...

  4. How About Fining Them $10,000 Per Theft? by crunchygranola · · Score: 5, Insightful

    That seems like a fairly light penalty. Now if we count each user who had their contacts stolen in this manner, that would be a $15 billion dollar fine. But I think that each contact stolen should be the definition of "theft" in this case. So if the average address book has, say, 50 contacts in it, that would be $750 billion. Seems about right for a long running bit of organized crime.

    --
    Second class citizen of the New Gilded Age
    1. Re:How About Fining Them $10,000 Per Theft? by JaredOfEuropa · · Score: 2

      If we’re talking about restitution to victims rather than a fine, then it should be an amount for each contact stolen.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:How About Fining Them $10,000 Per Theft? by AmiMoJo · · Score: 2

      If anyone in the EU was affected then the GDPR fine could be up to 4% of global revenue.

      Facebook's revenue was $55.8 billion in 2018, so the fine would be $2.2 billion.

      Whether they get the max fine depends on how many EU citizens were affected and how damaging their actions were. I'd push for the full amount, but unfortunately I was not one of the affected so cannot submit a GDPR complaint.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:How About Fining Them $10,000 Per Theft? by mccalli · · Score: 1

      My question is how would I know if I was affected? I don't have a Facebook account, but I am a contact in the address book of those that do. So how could I find out whether affected or not?

    4. Re:How About Fining Them $10,000 Per Theft? by AmiMoJo · · Score: 1

      That's an excellent point. I was thinking that I had never installed the app so my address book was safe, but other people with my details may have.

      I'll submit a GDPR data subject access request over the weekend.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:How About Fining Them $10,000 Per Theft? by MooseTick · · Score: 1

      "But I think that each contact stolen should be the definition of "theft" in this case."

      If you're going that route, why not say each data element stolen could be a theft. That means if you had a work address, home address, cell #, phone #, birthday, and email address, that would equal 6 "thefts".

      This is bad, but you have to cut it off at some point. If I steal your bicycle, you can only get me for 1 theft. Not 152 for each part. Or 1x10^150 for each atom.

  5. Unintentionally? by Archangel_Azazel · · Score: 1

    Pretty sure precious little of what that monster does is unintentional.

    That's the excuse my 6 year old tries when they're caught doing something they shouldn't be.

    --
    Your mind is like a parachute. It works best when it's been opened.
  6. address by kqc7011 · · Score: 1

    Doesn't matter for me, the address that FB has for me is my give away address. It is a real address and I do check it every month or so.

    --
    Passionately Indifferent
    1. Re:address by markdavis · · Score: 4, Insightful

      >"Doesn't matter for me, the address that FB has for me is my give away address. It is a real address and I do check it every month or so."

      Yeah, but if your REAL address were in anyone else's contacts that were handed over, then you were compromised without even knowing. It is just like jerk-wads who send out an Email "TO" everyone they know, instead of using BCC. Now all those people you don't know have your Email address. And when their lame-ass accounts or OS are compromised, start welcoming yet more spam (after dealing with the dozens of irritating REPLY ALL messages that follow).

      I am glad I have never had a FaceBook account, and never will, and proud of it.

    2. Re:address by Narcocide · · Score: 2

      I wonder if all the people in your email address book feel the same way about you giving away their privacy and anonymity along with your own in such a thoughtless manner.

    3. Re:address by infolation · · Score: 1

      Yeah, but if your REAL address were in anyone else's contacts that were handed over, then you were compromised without even knowing.

      Which is why I always give my *FAKE* email address to all my contacts. Haha! Spam me now, suckersss!!

    4. Re:address by organgtool · · Score: 1

      If any of your friends have your e-mail address, physical address, phone number, or photo in their phone as well as the Facebook app on their phone, then Facebook likely has a really nice shadow profile of you despite the fact that you've never created an account with them. Welcome to the information age in the U.S.: your data is not under your control.

  7. Naturally by sjames · · Score: 1

    If an individual did anything like this they'd be facing a long list of felony charges, but since it's a corporation, the DOJ is yawning.

    1. Re: Naturally by astrofurter · · Score: 3, Interesting

      One (brutal, draconian, merciless) Law for human persons.

      One (light, permissive, forgiving) Law for corporate "persons".

  8. 'unintentionally' by beep54 · · Score: 1

    Yeah, right. https://www.esquire.com/uk/lat... [esquire.com]

    Zuck: Yeah so if you ever need info about anyone at Harvard
    Zuck: Just ask.
    Zuck: I have over 4,000 emails, pictures, addresses, SNS
    [Redacted Friend's Name]: What? How'd you manage that one?
    Zuck: People just submitted it.
    Zuck: I don't know why.
    Zuck: They "trust me"
    Zuck: Dumb fucks.

  9. You trusted by AHuxley · · Score: 2

    social media? Not a wise move.

    --
    Domestic spying is now "Benign Information Gathering"
  10. They also uploaded from their mobile apps by Drew+M. · · Score: 4, Informative

    In addition to that, without asking you, they uploaded all of your mobile phone contacts when you installed their mobile app: https://www.huffpost.com/entry...

    This is why I only access Facebook from the web on mobile.

    1. Re:They also uploaded from their mobile apps by sheramil · · Score: 1

      In addition to that, without asking you, they uploaded all of your mobile phone contacts when you installed their mobile app:

      I would gently question the wording of this. Facebook didn't "upload" your contacts, they forced your computers and phones to upload them. Without your permission. They stole it.

  11. Phishing by Kohlrabi82 · · Score: 5, Interesting

    So Facebook was basically running that script like a phishing site to obtain users' passwords. Aren't there laws which apply to that? Or did the lawyers tell them to say "unintentionally" to save themselves from any penalties? Fuck lawyers (and broken legislation).

  12. Load up or down? by dromgodis · · Score: 1

    They intended to *download* the contacts but actually uploaded them instead?

  13. probably got paid by someone to do it by FudRucker · · Score: 1

    because they now are known to sell user data and told to stop, instead of just selling user data, they are secretly paid to make it look like a mistake, "Oops, we accidentally exposed data." How convenient. The sooner the government shuts down Facebook, and makes selling users' data illegal, the better.

    --
    Politics is Treachery, Religion is Brainwashing
  14. The more we learn about Facebook... by QuietLagoon · · Score: 1

    ... the more evil Facebook looks.

    1. Re:The more we learn about Facebook... by flippy · · Score: 1

      ... the more evil Facebook looks.

      And/or idiotically incompetent. I can see a scenario where someone said "hey, we have code that does what we want it to do already, let's just reuse that code", without realizing that code did other things too. As a professional programmer, it's incompetent bordering on negligent to reuse code without serious analysis, and that's an entirely believable explanation for what may have happened here.

      Having said that, they're still liable for whatever the consequences of messing up that badly are, even if it wasn't intended.

  15. Bet for Forgiveness Business Model by LifesABeach · · Score: 1

    The only accident I see here is the parents of certain FB staff members. And H1B's having no ethos.

  16. Riiiiiiight by ilsaloving · · Score: 1

    And Monica Lewinsky "unintentionally" repeatedly faceplanted onto Bill Clinton's crotch.