
Facebook 'Unintentionally Uploaded' Email Contacts From 1.5M Users (cnet.com) 75

Facebook "unintentionally" harvested the email contacts of about 1.5 million of its users during the past three years. From a report: The activity came to light when a security researcher noticed that Facebook was asking users to enter their email passwords to verify their identities when signing up for an account, according to Business Insider, which previously reported on the practice. Those who did enter their passwords then saw a pop-up message that said it was "importing" their contacts -- without first asking permission, BI reported. A Facebook spokesperson confirmed that 1.5 million people's contacts were collected in this manner since May 2016 to help build Facebook's web of social connections and recommend other users to add as friends.
  • to help build Facebook's web ...

    someone's just finally calling them out on this much more widespread practice than the article leads you to believe.

  • Unintentionally? (Score:5, Insightful)

    by black3d ( 1648913 ) on Wednesday April 17, 2019 @08:51PM (#58452092)

    Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so.

    • by markdavis ( 642305 ) on Wednesday April 17, 2019 @09:18PM (#58452178)

      >"Except, they programmed it to do precisely that, so.. intentionally. Just unintentionally raised the ire of folks in doing so."

      +1

      This is just super slimy. And the problem with this type of practice is that it doesn't just violate the privacy of that user, but every single person that user knows.

      • by Sebby ( 238625 )

        And the problem with this type of practice is that it doesn't just violate the privacy of that user, but every single person that user knows.

        I smell another class-action lawsuit!

    • by Phylter ( 816181 )
      It does the exact same thing once you give it access to your contacts on your phone. As far as I remember, they don't tell you what they're doing with the contacts information.
    • Re:Unintentionally? (Score:4, Interesting)

      by tero ( 39203 ) on Thursday April 18, 2019 @12:03AM (#58452510)

      LinkedIn does exactly the same thing. I've never given it permission to harvest my e-mails, yet it somehow seems to suggest me contacts based on addressbook matches alone.

      All social platforms are just slimy personal information harvesters. Burn them all.

      • Not the exact same thing. LinkedIn asks for permission. It uses the contact list on your mobile phone rather than trawling through your emails, and it certainly doesn’t ask for the password to your email account. I’ve no idea how it makes the suggestions that it does but it doesn’t seem to use my contact list (which it can’t anyway). Perhaps you got those suggestions because you were on their address list (and they granted access to it)?
      • by AmiMoJo ( 196126 )

        The suggestions are based on other people's address books. Unfortunately if they share their address books then LinkedIn gets your real name, phone number, email address, maybe a photo and more.

  • by cdsparrow ( 658739 ) on Wednesday April 17, 2019 @09:01PM (#58452128)

    up contacts is the mess up. If it hadn't given any indication it was doing it, then nobody would have noticed. So that's the unintentional part...

  • by crunchygranola ( 1954152 ) on Wednesday April 17, 2019 @09:10PM (#58452158)

    That seems like a fairly light penalty. Now if we count each user who had their contacts stolen in this manner that would be a $15 billion dollar fine. But I think that each contact stolen should be the definitions of "theft" in this case. So if the average address book has, say 50 contacts in it, that would be $750 billion. Seems about right for a long running bit of organized crime.

    • If we’re talking about restitution to victims rather than a fine, then it should be an amount for each contact stolen.
    • by AmiMoJo ( 196126 )

      If anyone in the EU was affected then the GDPR fine could be up to 4% of global revenue.

      Facebook's revenue was $55.8 billion in 2018, so the fine would be $2.2 billion.

      If they get the max fine depends on how many EU citizens were affected and how damaging their actions were. I'd push for the full amount, but unfortunately I was not one of the affected so cannot submit a GDPR complaint.

      • by mccalli ( 323026 )
        My question is how would I know if I was affected? I don't have a Facebook account, but I am a contact in the address book of those that do. So how could I find out whether affected or not?
        • by AmiMoJo ( 196126 )

          That's an excellent point. I was thinking that I had never installed the app so my address book was safe, but other people with my details may have.

          I'll submit a GDPR data subject access request over the weekend.

    • "But I think that each contact stolen should be the definitions of "theft" in this case."

      If you're going that route, why not say each data element stolen could be a theft. That means if you had a work address, home address, cell #, phone #, birthday, and email address, that would equal 6 "thefts".

      This is bad, but you have to cut it off at some point. If I steal your bicycle, you can only get me for 1 theft. Not 152 for each part. Or 1x10^150 for each atom.

  • Pretty sure precious little of what that monster does is unintentional.

    That's the excuse my 6 year old tries when they're caught doing something they shouldn't be.

  • Doesn't matter for me, the address that FB has for me is my give away address. it is a real address and I do check it every month or so.
    • Re:address (Score:5, Insightful)

      by markdavis ( 642305 ) on Wednesday April 17, 2019 @09:22PM (#58452196)

      >"Doesn't matter for me, the address that FB has for me is my give away address. it is a real address and I do check it every month or so."

      Yeah, but if your REAL address were in anyone else's contacts that were handed over, then you were compromised without even knowing. It is just like jerk-wads who send out an Email "TO" everyone they know, instead of using BCC. Now all those people you don't know have your Email address. And when their lame-ass accounts or OS are compromised, start welcoming yet more spam (after dealing with the dozens of irritating REPLY ALL messages that follow).

      I am glad I have never had a FaceBook account, and never will, and proud of it.

      • Yeah, but if your REAL address were in anyone else's contacts that were handed over, then you were compromised without even knowing.

        Which is why I always give my *FAKE* email address to all my contacts. Haha! Spam me now, suckersss!!

      • If any of your friends have your e-mail address, physical address, phone number, or photo in their phone as well as the Facebook app on their phone, then Facebook likely has a really nice shadow profile of you despite the fact that you've never created an account with them. Welcome to the information age in the U.S.: your data is not under your control.
    • I wonder if all the people in your email address book feel the same way about you giving away their privacy and anonymity along with your own in such a thoughtless manner.

  • If an individual did anything like this they'd be facing a long list of felony charges, but since it's a corporation, the DOJ is yawning.

  • Yeah, right. https://www.esquire.com/uk/lat... [esquire.com]

    Zuck: Yeah so if you ever need info about anyone at Harvard
    Zuck: Just ask.
    Zuck: I have over 4,000 emails, pictures, addresses, SNS
    [Redacted Friend's Name]: What? How'd you manage that one?
    Zuck: People just submitted it.
    Zuck: I don't know why.
    Zuck: They "trust me"
    Zuck: Dumb fucks.

  • social media? Not a wise move.
  • by Drew M. ( 5831 ) on Wednesday April 17, 2019 @11:27PM (#58452428) Homepage

    In addition to that, without asking you, they uploaded all of your mobile phone contacts when you installed their mobile app: https://www.huffpost.com/entry... [huffpost.com]

    This is why I only access facebook from the web on mobile

    • In addition to that, without asking you, they uploaded all of your mobile phone contacts when you installed their mobile app:

      I would gently question the wording of this. Facebook didn't "upload" your contacts, they forced your computers and phones to upload them. Without your permission. They stole it.

  • Phishing (Score:5, Interesting)

    by Kohlrabi82 ( 1672654 ) on Thursday April 18, 2019 @12:12AM (#58452534)

    So Facebook was basically running that script like a phishing site to obtain users' passwords. Aren't there laws which apply to that? Or did the lawyers tell them to say "unintentionally" to save themselves from any penalties? Fuck lawyers (and broken legislation).

  • They intended to *download* the contacts but actually uploaded them instead?

  • because they now are known to sell user data and told to stop, instead of just selling user data, they are secretly paid to make it look like a mistake, "Oops, we accidentally exposed data", how convenient, the sooner the government shuts down facebook, and makes selling user's data illegal the better
  • ... the more evil Facebook looks.
    • by flippy ( 62353 )

      ... the more evil Facebook looks.

      And/or idiotically incompetent. I can see a scenario where someone said "hey, we have code that does what we want it to do already, let's just reuse that code", without realizing that code did other things too. As a professional programmer, it's incompetent bordering on negligent to reuse code without serious analysis, and that's an entirely believable explanation for what may have happened here.

      Having said that, they're still liable for whatever the consequences of messing up that badly are, even if it

  • The only accident I see here is the parents of certain FB staff members. And H1B's having no ethos.
  • And Monica Lewinsky "unintentionally" repeatedly faceplanted onto Bill Clinton's crotch.
