Facebook Collected Email Contacts of 1.5 Million Users Without Consent

Facebook has admitted to uploading the email contacts of up to 1.5 million users over a period of three years without gaining either the user or the contacts' prior consent.

New information has emerged since it was reported last month that Facebook was asking users for their email passwords as part of an account verification process. On 31 March 2019, independent security consultant and researcher Mike Edward Moras (@e-sushi on Twitter), reported that he had found this request for passwords. Facebook rapidly ceased the process -- but at the time it was not known what happened to the passwords received.

Facebook has now admitted that it uploaded the email contacts of an estimated 1.5 million users as part of this process, without asking for consent. If those users averaged around 100 contacts each (not unusual), Facebook would have acquired on the order of 150 million email addresses without the express permission of their owners.

Facebook has said that this was unintentional. "We estimate that up to 1.5 million people's email contacts may have been uploaded," said a Facebook spokesperson. "These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."

It appears that this has been happening since May 2016. Before then, users were asked whether they wished to verify their identity via their email account and, separately, whether they wished to upload their contacts; the upload was voluntary. When the verification flow was changed, the contact-upload code was 'unintentionally' left intact and ran for anyone who supplied an email password.

"This news illustrates how easy it is for any company -- not just Facebook -- to skip asking for consent when harvesting personal data like your contacts," said Brian Vecci, field CTO at Varonis. "Consumers need to be vigilant but also need a basic set of online rights. Companies shouldn't be able to grab your entire social network through your contact list without express permission, and companies like Facebook need to face penalties when they do it. Without basic consumer protections that lead to real penalties, this kind of thing will continue to happen."

This 'set of online rights' already exists in Europe under the General Data Protection Regulation. The Irish Data Protection Commissioner, who oversees Facebook's conformance to GDPR in Europe, is talking to Facebook -- but these rights only apply to citizens and residents of Europe. There are already several Facebook-related GDPR investigations under way in Ireland.

Rights also exist in the U.S. -- but are perhaps less explicit and will vary from state to state. This incident may, however, cause problems with the FTC, which is already investigating Facebook and possible breaches of a 2011 consent decree. It could be argued that the acquisition of this data was via deception since it was automatic and with no further reference to the user.

What Facebook did with the data it uploaded is probably lost in the mists of algorithms and automation. The data was almost certainly used to improve the company's ad targeting systems; but while the addresses themselves could be tracked and deleted, it is less certain whether the use already made of those addresses can be extracted and removed.

Facebook is facing mounting pressure against its privacy practices from many parts of the globe. A UK parliamentary committee has described it as behaving like a "digital gangster", and the UK data protection regulator levied the maximum possible fine of £500,000 for its role in the Cambridge Analytica scandal. In the U.S., Elizabeth Warren is running a campaign to become the Democratic nominee for the 2020 presidential election with a manifesto that includes, "It's time to break up Amazon, Google and Facebook."

In February 2019 it was reported that certain phone apps send sensitive user data -- including health information -- to Facebook. In March 2019 it emerged that the company had stored hundreds of millions of Facebook and Instagram users' passwords in plaintext. And in April 2019, more than 540 million records containing data on Facebook users and their activities were discovered in an unprotected AWS S3 bucket.

Perhaps because of all these incidents, Facebook CEO Mark Zuckerberg published an open memo in March 2019 saying that the company would change its ways and become "a privacy-focused messaging and social networking platform." It's too early to see any effect from this new approach, but in the meantime new scandals just keep breaking.

Related: Facebook Faces Criminal Probe of Data Deals: Report 

Related: Is Facebook Out of Control? Investigations and Complaints Are Rising 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.