Facebook Admits To Harvesting Email Contacts Of 1.5 Mn Users Without Consent

SUMMARY

Claims it ‘unintentionally uploaded’ email contacts of some new users

Security researchers likened Facebook’s methods to a phishing attack

Facebook has apologised and said it will stop giving this option to users

After a slew of scandals related to data collection and privacy violations on its platform, Facebook has now been found collecting email contacts of 1.5 Mn new users without their consent or knowledge.

According to a report in Business Insider, the social media giant has been harvesting email addresses in users’ contact lists since May 2016. It affects any user who wants to create a Facebook account with less popular email domains such as Yandex or GMX.

Because these domains don’t use the industry-leading OAuth standard to authenticate user identity, Facebook has to verify user identity manually. In addition to asking users to go through a multi-step process, as many web services do, Facebook also allowed these users to enter their email account passwords directly inside a container on Facebook to verify that they actually own the email address. If the user did enter the email password within Facebook, they would get a message saying Facebook is importing their contacts. What’s alarming is that there’s no indication of this before you enter the password, so Facebook is gathering data without user consent.
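A common form of the multi-step process is to mail a signed, expiring link to the address, which proves control of the mailbox without the service ever seeing the mailbox password or gaining access to contacts. The following is an added example, not code from Facebook or from this article; the signing key, lifetime, token layout and function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret signing key
TOKEN_TTL = 15 * 60                   # assumption: link lifetime in seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(account_id, email, now=None):
    """Build the token placed in the link that is mailed to `email`."""
    if "|" in account_id + email:
        raise ValueError("field separator not allowed in account id or email")
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{account_id}|{email.lower()}|{expires}"
    return f"{_b64(payload.encode())}.{_sign(payload)}"


def verify_token(token, account_id, email, now=None):
    """True only if the token is authentic, unexpired and bound to this account and address."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
        tok_account, tok_email, expires = payload.split("|")
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token
    # Constant-time comparison so the check does not leak how much of the MAC matched.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    if (time.time() if now is None else now) > expires:
        return False
    return tok_account == account_id and tok_email == email.lower()
```

The token is stateless, so a deployment that needs single-use links must also record which tokens have been redeemed.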

In late March, security researchers expressed concern about this phishing-like approach by Facebook. It was first reported by cybersecurity software professional Mike Edward Moras, who spoke about it in a Twitter thread. Researchers highlighted that Facebook did not make it clear that users had another way to authenticate their email account.

According to an EFF report, the researchers were raising questions and were unsure whether Facebook was indeed collecting this data.

But a Facebook spokesperson confirmed to Business Insider that 1.5 Mn contacts were ‘unintentionally collected’ by the company, and were used to enrich Facebook’s friend recommendations feature. However, there is no clarity on whether the contacts were used for ad-targeting too, or were accessible to Facebook data brokers.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the Facebook spokesperson said.

“These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings,” they added.

A History Of Data Privacy Violations

Since the Cambridge Analytica row erupted in public in early 2018, which compromised data of 87 Mn people across the world including 5.62 Lakh Indians, Facebook has been under immense scrutiny from governments and data privacy advocates around the world. Cofounder and CEO Mark Zuckerberg has had to address the US and UK lawmakers on questions about Facebook’s data privacy policy, its business model, ad targeting and more in several high-profile deliberations.

Later, in September 2018, Facebook reported another security breach affecting 50 Mn accounts. The Facebook security breach happened on September 25, when Facebook’s engineering team discovered a security issue.

More recently, in March 2019, Facebook said that as part of a routine security review in January 2019, it found that some user passwords were being stored in a readable format within its internal data storage systems. However, the company later fixed the issue and notified affected users.

In this latest case, Facebook has added that it will stop ‘offering’ this option to users. “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” the company spokesperson added.
