Welcome to the latest episode of “Facebook’s Daily Screw-up.” Following a report from Business Insider yesterday, the company confirmed it had uploaded more 1.5 million users’ contact lists without their permission when they signed up for the service starting in May 2016.
According to BI, a security researcher noticed that Facebook was asking some users to enter the password for their email account when they’re making a new Facebook account. If they went ahead and entered the password, the social network displayed a message saying it was “importing your contacts,” without a way for them to opt out.
Later, it erased the notification text mentioning the contacts upload process, but forgot to remove the underlying code that carried out the task. How convenient!
Facebook also issued a statement saying it had stopped email verification functionality a month ago, and it’s also deleting the uploaded data:
Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.
It also told Business Insider reporter, Rob Price, that the uploaded data was sued to recommend friends to users, and to “improve ads.”
Update: A Facebook spokesperson has confirmed to me the harvested contacts weren't just used to recommend friends to users — the data was also utilised to "improve ads."
— Rob Price (@robaeprice) April 18, 2019
Facebook‘s arguments, in this case, are pretty meek and holds up to its reputation of a company that constantly mishandles user data. Last month, the company was caught storing user passwords in plaintext.
Is this how you want to build your privacy-focused social network, Mark?
TNW Conference 2019 is coming! Check out our glorious new location, an inspiring line-up of speakers and activities, and how to be a part of this annual tech bonanza by clicking here.
Pssst, hey you!
Do you want to get the sassiest daily tech newsletter every day, in your inbox, for FREE? Of course you do: sign up for Big Spam here.