Facebook Admits To Uploading Contacts of 1.5 Million Users Without Permission
You know which company could weather a good privacy controversy right now? Facebook.
After all, making Cambridge Analytica a household name didn’t really sour anyone on the social media giant. Releasing the phone numbers of two-factor authentication users to companies for advertisements they couldn’t opt out of? A minor blip. That time when they accidentally reset 14 million users’ default settings so that they would post publicly instead of privately? Whoops.
So, imagine my relief when I found out it was Facebook, as opposed to one of those social media companies with shakier reputations that might not be able to cope with another scandal, that uploaded the email contacts of more than a million users to their servers without the permission of said users.
“Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network,” Business Insider reported on Thursday.
“The Silicon Valley company said the contact data was ‘unintentionally uploaded to Facebook,’ and it is now deleting them.
“The revelation comes after pseudononymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was ‘importing’ your contacts without asking for permission first.”
Users weren’t given any chance “to opt out, cancel the process, or interrupt it midway through” once it began harvesting the email contacts.
While the security breach didn’t give Facebook the content of the user’s emails, it did tell them who the user was emailing with. According to Business Insider, this information was used “to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.” Of course it was.
The company says it will notify all of the users whose email data was uploaded without their permission. Thursday was indeed a red-letter day for Facebook, as it was also revealed that another major PR face-plant involving password storage was much more widespread than initially revealed.
“Facebook says it stored millions of Instagram users’ passwords in plain text, leaving them exposed to people with access to certain internal systems,” The Verge reported. “The security lapse was first reported last month, but at the time, Facebook said it only happened to ‘tens of thousands of Instagram users,’ whereas the number is now being revised up to ‘millions.’ The issue also affected ‘hundreds of millions of Facebook Lite users’ and ‘tens of millions of other Facebook users.’
“Passwords are supposed to be stored in an encrypted format that allows websites to confirm what you’re entering without directly reading it. But as Krebs on Security first reported, various errors seem to have caused Facebook’s systems to log some passwords in plain text since as early as 2012. Facebook noticed the problem in January and said in March that the issue had been resolved.”
Again: Whoops!
I don’t just mention this to pile on a platform that rightly deserves opprobrium for a freight train of privacy scandals over the past few years, though that’s certainly a) deserved and b) fun. I’d instead like to point you to the fact that this all comes as Mark Zuckerberg is literally begging Congress to regulate his industry.
In a Washington Post Op-Ed on March 30, the Facebook CEO said that he believed “we need a more active role for governments and regulators. By updating the rules for the Internet, we can preserve what’s best about it — the freedom for people to express themselves and for entrepreneurs to build new things — while also protecting society from broader harms.”
Or, as a Reason headline put those calls for government intervention more succinctly: “Zuckerberg’s Plea: Regulate Me Before I Violate People’s Privacy Again!”
“While Congress has been holding hearings, poking tech execs, and dancing the legislative Fandango, the marketplace has imposed actual sanctions” on Facebook, Thomas Hazlett wrote in a piece published Wednesday.
“Between the time Facebook’s Cambridge Analytica scandal was revealed, March of last year, and March of this year, shareholders lost more than $61.6 billion adjusted for overall market (NASDAQ) fluctuations.”
A proposed fine of up to 4 percent on annual revenue for violations of the law in legislation written by Democrat Oregon Sen. Ron Wyden, meanwhile, would have only cost Facebook a mere $2.2 billion.
And make no mistake, this kind of regulation would be good for Facebook and its shareholders while being bad for the free market. What Facebook aims at doing is ossifying the current social media landscape so that the current leaders — most notably Facebook and Twitter — won’t face new competition. It would take a lot to challenge those platforms now, but imagine the kind of resources it would require if new entrants to the marketplace didn’t just have to make a better product and market it more effectively but also had to comply with a slew of government regulations purportedly designed to protect your privacy.
Hazlett and I would part ways on whether regulation is required when dealing with Facebook, but it oughtn’t be on the company’s terms. Protecting Facebook and protecting your data are two different things. What the company wants is the former disguised as the latter. That ought to be a non-starter, for reasons that were all too evident Thursday.
Truth and Accuracy
We are committed to truth and accuracy in all of our journalism. Read our editorial standards.
