Facebook Admits To Harvesting Email Contacts Of 1.5 Mn Users Without Consent

After a slew of scandals related to data collection and privacy violations on its platform, Facebook has now been found collecting email contacts of 1.5 Mn new users without their consent or knowledge.

According to a report in Business Insider, the social media giant has been harvesting email addresses in users’ contact lists since May 2016. It affects any user who wants to create a Facebook account with less popular email domains such as Yandex or GMX.

Because these domains don’t use the industry-leading OAuth standard to authenticate user identity, Facebook has to use the manual option to verify user identity. But besides asking users to go about it through a multi-step process as is the case for many web services, Facebook also allowed these users to enter their email account passwords directly inside a container on Facebook in order to verify that they actually own the email address. And if the user did enter the email password within Facebook, they would get a message saying Facebook is importing their contacts. What’s alarming is that there’s no indication of this before you enter the password, so Facebook is gathering data without user content.

In late March, security researchers expressed concern about this phishing-like approach by Facebook. It was first reported by cybersecurity software professional Mike Edward Moras, who spoke about it in a Twitter thread. Researchers highlighted that Facebook did not make it clear that users had another way to authenticate their email account.

As per an EFF report, the researchers were raising questions and were unsure about whether Facebook is indeed collecting this data.

But a Facebook spokesperson confirmed to Business Insider that 1.5 Mn contacts were ‘unintentionally collected’ by the company, and were used to enrich Facebook’s friend recommendations feature. However, there is no clarity on whether the contacts were used for ad-targeting too, or were accessible to Facebook data brokers.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the Facebook spokesperson said.

“These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.” they added.

A History Of Data Privacy Violations

Since the Cambridge Analytica row erupted in public in early 2018, which compromised data of 87 Mn people across the world including 5.62 Lakh Indians, Facebook has been under immense scrutiny from governments and data privacy advocates around the world. Cofounder and CEO Mark Zuckerberg has had to address the US and UK lawmakers on questions about Facebook’s data privacy policy, its business model, ad targeting and more in several high-profile deliberations.

Later in September 2018, Facebook had again reported a security breach affecting 50 Mn accounts. The Facebook security breach happened on September 25, when Facebook’s engineering team discovered a security issue.

More recently in March 2019, Facebook had said that as part of a routine security review in January 2019, it found that some user passwords were being stored in a readable format within its internal data storage systems. However, the company later fixed the issue and notified affected users.

In this latest case, Facebook has added that it will stop ‘offering’ this option to users. “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” the company spokesperson added.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.