Facebook 'Unintentionally Uploaded' Email Contacts From 1.5M Users

Facebook "unintentionally" harvested the email contacts of about 1.5 million of its users during the past three years. From a report: The activity came to light when a security researcher noticed that Facebook was asking users to enter their email passwords to verify their identities when signing up for an account, according to Business Insider, which previously reported on the practice. Those who did enter their passwords then saw a pop-up message that said it was "importing" their contacts -- without first asking permission, BI reported. A Facebook spokesperson confirmed that 1.5 million people's contacts were collected in this manner since May 2016 to help build Facebook's web of social connections and recommend other users to add as friends.

Unintentionally?

[black3d]

Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so.

Re:Unintentionally?

[markdavis]

>"Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so."

+1

This is just super slimy. And the problem with this type of practice it that it doesn't just violate the privacy of that user, but every single person that user knows.

Re:Unintentionally?

[Sebby]

And the problem with this type of practice it that it doesn't just violate the privacy of that user, but every single person that user knows.

I smell another class-action lawsuit!

Re:Unintentionally?

[tero]

LinkedIn does exactly the same thing. I've never given it permission to harvest my e-mails, yet it somehow seem to suggest me contacts based on addressbook matches alone.

All social platforms are just slimy personal information harversters. Burn them all.

The part where it told folks it was slurping

[cdsparrow]

up contacts is the mess up. If it hadn't given any indication it was doing it, then nobody would have noticed. So that's the unintentional part...

How About Fining Them $10,000 Per Theft?

[crunchygranola]

That seems like a fairly light penalty. Now if we count each user who had their contacts stolen in this manner than would be a $15 billion dollar fine. But I think that each contact stolen should be the definitions of "theft" in this case. So if we the average address book has, say 50 contacts in it, that would be $750 billion. Seems about right for a long running bit of organized crime.

Re:How About Fining Them $10,000 Per Theft?

[JaredOfEuropa]

If we’re talking about restitution to victims rather than a fine, then it should be an amount for each contact stolen.

Re:How About Fining Them $10,000 Per Theft?

[AmiMoJo]

If anyone in the EU was affected then the GDPR fine could be up to 4% of global revenue.

Facebook's revenue was $55.8 billion in 2018, so the fine would be $2.2 billion.

If they get the max fine depends on how many EU citizens were affected and how damaging their actions were. I'd push for the full amount, but unfortunately I was not one of the affected so cannot submit a GDPR complaint.

Re:address

[markdavis]

>"Doesn't matter for me, the address that FB has for me is my give away address. it is a real address and I do check it every month or so."

Yeah, but if your REAL address were in anyone else's contacts that that were handed over, then you were compromised without even knowing. It is just like jerk-wads who send out an Email "TO" everyone they know, instead of using BCC. Now all those people you don't know have your Email address. And when their lame-ass accounts or OS are compromised, start welcoming yet more spam (after dealing with the dozens of irritating REPLY ALL messages that follow).

I am glad I have never had a FaceBook account, and never will, and proud of it.

Re:address

[Narcocide]

I wonder if all the people in your email address book feel the same way about you giving away their privacy and anonymity along with your own in such a thoughtless manner.

You trusted

[AHuxley]

social media? Not a wise move.

They also uploaded from their mobile apps

[Drew+M.]

In addition to that, without asking you, they uploaded all of your mobile phone contacts when you installed their mobile app: https://www.huffpost.com/entry...

This is why I only access facebook from the web on mobile

Phishing

[Kohlrabi82]

So Facebook was basically running that script like a phishing site to obtain users' passwords. Aren't there laws which apply to that? Or did the lawyers tell them to say "unintentionally" to save themselves from any penalties? Fuck lawyers (and broken legislation).

Re: Naturally

[astrofurter]

One (brutal, draconian, merciless) Law for human persons.

One (light, permissive, forgiving) Law for corporate "persons".

Re:uhh.. sounds very much 'intentional' to me..

[Spamalope]

Someone just now noticed how Facebook's app works? First run on a phone it steals the contact list - then asks what your privacy preferences are. I used a phone with a honey pot address book last time I tested that app...

Re:uhh.. sounds very much 'intentional' to me..

[goose-incarnated]

to help build Facebook's web ...

someone's just finally calling them out on this much more widespread practice than the article leads you to believe.

The bigger, ignored, story is that facebook got the passwords to millions of users' email accounts.