
Facebook e-mail mess: Address books altered, e-mail lost - iProject
http://news.cnet.com/8301-1023_3-57464415-93/facebook-e-mail-mess-address-books-altered-e-mail-lost/?tag=mncol
======
SwellJoe
Facebook simply doesn't have an ethical central core. They've shown over and
over that when user privacy or security conflict with facebook's goals,
they'll choose facebook over the user. It's always relatively subtle; they
strive to only do what they can get away with...but it's always pushing the
line, and is never based on trying to do what's right, merely avoiding
backlash. Facebook, the company, is kind of a sociopath.

I wish it weren't this way. I have several friends within facebook whom I like
and respect, and they produce a lot of great technology. But, I fear facebook
having more power than they already have. It can only end badly for the user.

Facebook really needs a "don't be evil" moment, but I suspect it's too late,
and I suspect that Zuckerberg simply doesn't think that way.

~~~
Splines
> _I have several friends within facebook whom I like and respect, and they
> produce a lot of great technology._

I find this idea interesting. Can an entity like a corporation have a life
beyond that which is given to it by its employees? Like the ship of theseus,
can you replace all employees and still have a business that "feels" the same?

~~~
Heinleinian
Of course. Work with any government bureaucracy and you'll notice it pretty
quickly. Entire divisions can be filled with good, bright, well-meaning
people, yet that division can still churn out crap work product. How is that?
An organization's culture and the way incentives are aligned can quickly
override any pockets of talented individuals.

~~~
Splines
So the obvious question is: How does one change this from the inside? Does the
plan of attack differ if you were a line worker versus a VP?

------
vibrunazo
About an year ago, when the story blew up about the Facebook app sneaking
through your phone contacts and adding friends numbers' to your Facebook
account. I instantly deleted the Facebook app from my Android, and told my
friends Facebook was clearly not reliable to have an app privilege on your
phone. I called it that they would eventually do even worse, if you let them
have an app in your phone. The general consensus was that I was an alarmist
doomsayer extremist exaggerating over nothing.

Well, who is crazy now? :) And I repeat what I said before. If you don't
delete your Facebook app. They'll keep pulling stunts like these over and over
again. It's very clear from their history that they have extremely little care
for customer interests.

~~~
threejay
user =/= customer

~~~
rangibaby
User = product

If x service is making money off their product ( _you_ , user) then you should
really have at least some "rights". The key word being _should_.

~~~
pdonis
Why should users have rights in this situation, other than the right to stop
using the service? I understand why it would be nice if they did, but why
_should_ they? Why is it am imperative?

~~~
Tyrannosaurs
It depends where you are but there are certain legal rights that no terms of
use can waive.

They're set up as a minimum standard of acceptable behaviour that someone
should be able to expect by default and that there is no reason why a company
shouldn't / can't adhere to. Generally they're around physical protection from
harm, though they do extend to other things (including Data Protection in
Europe).

Why should these rights at least exist? Because (a) people can't be expected
to take a detailed look at every product and service they might use to assess
it fully, that would simply be too time consuming, so you set a basic standard
for prevention of harm and (b) can you imagine what the likes of Facebook or
Exxon or whoever might do without them.

~~~
pdonis
_people can't be expected to take a detailed look at every product and service
they might use to assess it fully, that would simply be too time consuming, so
you set a basic standard for prevention of harm_

So basically, you're saying people should trade trust in one third party (the
service provider) for trust in another third party (whoever sets and enforces
the basic standard). I can understand why people may choose to do this (though
in many cases I don't think the second third party is any more reliable than
the first), but I don't see it as an improvement. I don't think FB cares about
whatever legal standards are in place; to them that's just a cost of doing
business. But they _do_ care about losing users.

 _can you imagine what the likes of Facebook or Exxon or whoever might do
without them._

Sure, and I can also imagine people not using FB or Exxon (many people
boycotted Exxon for years after the Valdez spill, IIRC). Also, I can turn the
question around: can you imagine what those who are trusted to enforce
standards of behavior might do once they know the public trusts them and won't
question what they do? How good a job did regulators do at enforcing standards
of behavior on investment banks?

And before you ask, I do _not_ use FB, precisely because I don't trust them to
take care of my data. And it's not just FB; I don't trust Google to take care
of my data, which is why I don't use gmail, for example, or any other Google
services except search and maps. I don't expect _anyone_ to take care of my
data unless I'm paying them, as a customer, to do that--and even then I watch
them.

~~~
Tyrannosaurs
No, that's not what I'm saying. It's not one or the other, these constraints
don't prevent the possibility that people may leave if they don't like a
service and what it does, they're an additional guard against the very worst
potential abuses.

I'm not saying that because company X conforms with the (very light)
regulation in place that they're to be trusted, just that I see benefit in
having two forms of protection in place.

~~~
pdonis
You're assuming that there is an actual net benefit to having the second form
of protection. I don't think there is. It may seem like a short-term benefit
if some regulator actually catches, say, Facebook in the act of misusing
people's data; but the long-term effect is that people believe that they can
actually trust a company with their data when they're not a paying customer
(or even, beyond a certain point, when the _are_ a paying customer). And since
the long-term outcome of _any_ regulatory scheme is regulatory capture, sooner
or later FB will just be buying the regulations they want, and the so-called
protection won't be there any more. Again, I refer you to the economy since
2008.

------
ozataman
Well, this is my gripe with their "go fast and break things" mantra. It works
as long as you have such a highly desirable product that your users just don't
care if you're doing everything right. (Or maybe you're in a non-mission-
critical business, or better yet, your customers are a bunch of kids!)

I'm all for going fast and sincerely believe in "A sense of urgency", but
Facebook is really lucky they're not serving more serious/demanding customers.

~~~
gee_totes
Facebook is serving shareholders now. I'm hoping there are some serious
repercussions internally at FB for this, because as a shareholder, I'm pissed
they messed this up because the user base is upset and will continue to stop
trusting Facebook.

How's the stock supposed to get back to 38 now?

~~~
Silhouette
_How's the stock supposed to get back to 38 now?_

Sorry to be cynical, but: it was never supposed to be at 38 in the first
place. Facebook isn't worth anything close to its nominal market cap, it's
just the latest very high profile pyramid scheme, or rather it would have been
if they hadn't gone in so absurdly high with the IPO that even the heavyweight
investors interested in risky tech stocks have mostly run away.

------
sugarmountain
Can any attorneys out there explain how altering computing devices to redirect
and intercept email is not a criminal act when done without the knowledge or
consent of the owner?

If any of us pulled the same stunt, even if authorized to access the system
for other reasons, would we not be subject to prosecution? Hopefully, the same
will happen to FB.

In addition to the Federal communications and cybercrime statutes, there is
California Penal Code 502:

(c) Except as provided in subdivision (h), any person who commits any of the
following acts is guilty of a public offense: (1) Knowingly accesses and
without permission alters, damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer network in order to either (A)
devise or execute any scheme or artifice to defraud, deceive, or extort, or
(B) wrongfully control or obtain money, property, or data. ... (4) Knowingly
accesses and without permission adds, alters, damages, deletes, or destroys
any data, computer software, or computer programs which reside or exist
internal or external to a computer, computer system, or computer network. (5)
Knowingly and without permission disrupts or causes the disruption of computer
services or denies or causes the denial of computer services to an authorized
user of a computer, computer system, or computer network. ... etc.

It remains to be seen if there is a prosecutor with the backbone to go after
this.

~~~
fl3tch
Well, "Knowingly accesses and without permission... uses any data" would make
the accessing and transmission of contacts (a la Path and many other apps)
illegal. Except there's probably a clause somewhere that you agreed to without
reading which lets them do that, and the same may be true here.

~~~
sugarmountain
While it's probably true that the EULA permits FB to _read_ the contact list,
and update it in expected ways, there are many points covered in those
statutes: interception and destruction of data, making the system unavailable
for its intended use, etc.

Can anyone find language permitting FB to destructively alter the contents in
profoundly unusual ways so that email is redirected to FB servers for
interception and delivery as FB deems appropriate?

I'd really like to see an informed legal opinion on the possible criminality
of their actions.

~~~
machrider
Not sure about criminal charges, but at the very least, it seems like a
negligent act resulting in real damages to many people. I don't think a class-
action lawsuit is out of the question.

------
skybrian
As I understand it, when an email address on Facebook gets synced to a phone,
that's just a cache. Any updates to the email address on Facebook
automatically update the cache. When friends update their email addresses, the
cache gets overwritten and you don't have their old addresses anymore.

But now, Facebook changed people's email addresses without their permission.
The cache gets updated, and boom, the old address is gone.

But what makes it more scary is that people don't actually remember that they
originally got the address from Facebook and they don't understand the caching
behavior. All they know is that the old address is gone. So they think that
email addresses that they _didn't_ get from Facebook are also at risk.

The workaround is to manually copy email addresses from Facebook to some other
system. Any email addresses you get from Facebook by automatically syncing
aren't safe.

It's a pity; after all, most of the point of the system is that you shouldn't
have to manually update your address book when your friends change their
contact info.

~~~
tedunangst
That's an excellent explanation. It also fits the mold of just about every
other "service X broke into service Y and stole my info" story, wherein people
forget lots of other plausible explanations.

~~~
ams6110
And a good lesson as to why you should never make unannounced changes to your
user's data. They will think you "broke" something, even if it never worked
the way they thought it did.

------
crazygringo
The more important question is, what are Apple and Google doing allowing apps
write access to a user's address book??

I can't believe anyone at Facebook was dumb enough to think this was a good
idea. But at the same time, I can't believe some "rogue engineer" did this by
accident. I'm curious to see what Facebook says about it.

~~~
po
They have to allow write access to _some_ applications otherwise there can be
no third-party address book apps. If there was such a permission, you can bet
that facebook would have asked for it by default. You can also be sure that
hundreds of millions of people would have granted it and we would be seeing
the exact same problem.

The root of the problem is facebook. The important questions should be
directed at facebook. We can look to Apple or Google for help, but ultimately
when we install an application, we grant it our trust and Facebook routinely
tramples all over it. Turns out that it's a winning strategy.

~~~
toemetoch
This is a very good explanation. But it also points out that the permission
system is not really helping when you want background info on what's going on
- you and I know this info from a background in development. Take a look at
the permissions for google maps on android as an illustration.

------
graue
As someone who quit facebook a while back, I can't help but feel that this
kind of event vindicates me. Sometimes I'm tempted to re-create a minimal
account on the service just for findability, but even that small step would
have been enough for facebook to hijack my contact info in a friend's phone.
There really is no way to have a facebook account at all, no matter how
infrequently you use it, without getting screwed over.

~~~
grourk
How do you know when someone has deleted their Facebook account?

They'll tell you.

~~~
untog
Too true. It's getting tiring reading the comments of posts like this because
I know it's going to be filled with people boasting about how they've already
deleted their accounts/just did it. The HN crowd is a tiny, tiny minority in
the pool of Facebook users, our actions are hardly representative of sea
change.

------
raganwald
“Everything that has transpired has done so according to my design.”—Mark
Zuckerberg

~~~
domador
That doesn't speak too well of his design ability.

~~~
simonsarris
Just to be clear, that quote is from Emperor Palpatine (Star Wars), not really
Zuckerberg

~~~
horsehead
They're two separate people?

~~~
Silhouette
Always two there are, no more, no less: a master and an apprentice.

------
nphase
I just deleted the Facebook app from my iPhone. I have no idea if it altered
any of my contacts, but this certainly does scare me enough to warrant
deletion.

~~~
kmm
I wish I could do that. I wonder if Facebook paid HTC a lot of money to make
the Facebook app un-uninstallable.

~~~
californian
If you go to Settings >> Accounts & Sync, can you at least uncheck "Sync
Contacts" for Facebook?

~~~
jarofgreen
Or just remove your Facebook login credentials entirely, thus rendering the
app unable to do anything? (I don't have that exact model but I think this
should work, no?)

~~~
jarek
I have the Facebook app forced on my Nexus One (thanks, Google!) but I never
logged in and it didn't touch my contacts as hoped.

------
vijayr
I really don't understand this - FB has repeatedly shown they don't give a
shit about users' privacy etc. They also don't care about breaking stuff. This
is not the first time it is happening, and won't be the last. So, Why are
people putting their work email ids on their FB account???

------
pkulak
I've sent several emails to my Facebook email address just for shits and
giggles. I've never gotten a single one to go through.

~~~
Achshar
You probably already know this but just to confirm, emails dont show up in
messages. Instead they go to 'other' in messages, which no one checks anyways.

~~~
molecule
That's not consistent w/ my testing:

\- email from address associated w/ facebook account goes directly to facebook
messages

\- email from address not associated w/ facebook account does not arrive, in
neither messages nor 'other'

------
jarek
An excellent reason not to give apps write access to your address book willy-
nilly. You can't trust them not to screw up.

------
wikkiwa
Is it not illegal to intercept private communications without the parties'
consent? Seems like this opens them up to a massive lawsuit...

~~~
jfoutz
I think you'd have to show they accepted the email, then chose not to deliver
it to the user.

I think this is just incompetence. hopefully, it's coupled with a little
incontinence.

~~~
Alex3917
But the thing is they're not supposed to get the email at all. The user goes
into their contact book and selects the person they want to email, and
suddenly Facebook is getting the email instead of it being sent to the
person's actual email address.

~~~
Zakharov
I think Facebook's position on this would be that the user goes into their
contact book, selects the @facebook.com email address of the person they want
to email, and then Facebook gets the email because it's on their service.

------
codeka
I've been complaining for ages that Facebook's contact sync was broken in Ice
Cream Sandwich. I only had the app installed so I could sync my friend's
contacts details with Facebook anyway, and every update I'd check to see
whether they'd fixed it. But it was still broken, even after dozens of
updates.

Now I'm glad it's broken!

~~~
californian
Just in case you were being serious... Facebook sync wasn't broken in ICS.
Google intentionally disabled the feature in Gingerbread.

"Google says it is removing Facebook contacts because they are not stored
locally on the phone like other contacts. This means that, unlike your Google
contacts, the Facebook listings aren’t exportable so, if users decide to close
their Facebook accounts, those contacts will disappear from the address book,
something which violates Google’s notions of data portability."

[http://blog.laptopmag.com/google-removes-facebook-
contacts-f...](http://blog.laptopmag.com/google-removes-facebook-contacts-
from-address-book-on-nexus-s-future-lead-devices)

------
arihant
The part that really bothers me - The address books on iOS 6 changed without
the user noticing.

------
at-fates-hands
The funny part is my friends thought I was crazy NOT to sync my Facebook
contacts with my gmail contact list.

This is a great example of why I continue to keep my information segregated
across different networks. For all of the nonsense Facebook keeps pulling, I
continue to have a healthy does of scepticism when allowing them access to ANY
of my information - let alone letting these networks interact with each other.

------
spinchange
Losing emails and user dissatisfaction is just a bug. Making their email addy
the primary specifically to seed everyone's contacts with it via sync-enabled
apps was the feature.

~~~
FuzzyDunlop
Behaviour awfully similar to that of a virus, or malware.

------
emeraldd
How does this not violate CFAA? This really sounds like a company that
believes it is above the law.

~~~
daeken
Uh, how could it violate CFAA? It's their own systems, and their data (they
own it all).

~~~
flatline3
I have no clue whether this violates CFAA, but arguably they usurped address
books and intercepted user's communication.

This was obviously intentional, and the timing makes sense -- Apple is rolling
out address book synchronization with Facebook.

I hope this forces Apple to reconsider.

------
rdl
I wonder how high up within Facebook that decision originated and was
ultimately approved.

------
robomartin
Amount raised on IPO: $16 Billion

Value of Zuck's shares post-IPO: $19 Billion

Pissing off 800 million users with a forced email change: PRICELESS

There are some things money can't buy. For gut-wrenching invasion of privacy
there's Facebook.

------
bogger
Quite apart from the ethical ins and outs of this, it's simply a buggy
release.

I played around with my new (and unwanted) email address and found the
following:

1\. Email sent to the new facebook address from the gmail account associated
with my profile gets delivered to my facebook messages.

2\. Email sent to the new facebook address from another gmail account I own is
not delivered. It simply disappears.

This is basic stuff. I guess they did like _no_ testing before they released
this f __*up to their billion or so users.

------
stretchwithme
Bundling things together gives the bundler more leverage. And opens you up to
paying more when they make a mistake.

An older German lady I know told me many times growing up that you should not
$h|t where you eat. In other words, it pays to keep some things separate from
other things.

If you value someone's contact information, keep track of it separately. And
have a backup.

------
simonster
Facebook managed to remove any opportunity to email me from my Facebook page.
I'd previously set my @facebook.com email as visible only to me, so that it
wasn't published to the page. They didn't change that, but they did set all of
my other email addresses as "hidden from timeline."

------
antidoh
Here's my fear. I deleted my FBook account a couple years ago. And it seems to
be at least inactive, but I assume there is still an entity representing "me"
in some state at FBook, because that's how FBook rolls.

As I understand this latest feature, if I am a contact on someone else's
phone, and their FBook app notices that I am a FBook user, that person's entry
for me get's slammed to now point to me@FBook. So when that person emails me,
it no longer goes to me@me.com, it goes to me@FBook.com. Which is an address
that may or may not exist, but I'm gonna go out on a limb here and guess that
FBook doesn't respond with a no such address, it just consumes the data. And
I'm suddenly unreachable.

------
danmaz74
I wonder if this isn't a breach of the stricter privacy laws we have in
Europe. Redirecting the email I send to my frieds to Facebook's servers
without asking for my consent looks very suspicious to me.

------
grannyg00se
At first I was wondering what Facebook has to do with email.

Then I read this:

"alterations that had begun in their contacts and address books outside
Facebook -- valid e-mail addresses were being changed for @Facebook without
people's awareness"

WTF?! This sounds like the facebook app has access to modify the contents of a
phone's address book without direct user action. Is that what's happening
here? I just checked all my contacts and everything seems fine (BB7.1)

------
angry-hacker
Does anyone know if there is some kind of possibility to copy facebook
contacts to my phone? I'm using Android+Facbook sync. Phone is rooted... I
have at least 100 people who are facebook contacts and the ones I don't want
to loose, but I'm not even able to copy paste their number not to mention
copying them to phone/sim card...

I know facebook doesn't want you to do it, but there has to be a way....

~~~
sushantsharma
I just uninstalled facebook from my android phone. The facebook contacts and
their information is still being shown in my phone contacts list. I am not
sure if it will be deleted in future (during some sync operation). If that
happens, I may install it back again. In the latter scenario, merging the
contacts however will be a pain.

~~~
angry-hacker
I tried the same and contacts disappeared.

~~~
sushantsharma
Okay, I tried to look some more. I discovered that there is a "Facebook"
option in the accounts list that I can add on my phone (Motorola Droid
Bionic). This facebook account was responsible for the facebook contacts in my
address book. So, I went to the facebook website and revoked its permission to
access my account.

Its been more than a day now, and the facebook contacts are still there in my
phone. May be you want to add the facebook account, and then revoke its
permission from the facebook website. I think this will leave your facebook
accounts in your phone.

I will update this post if my contacts disappear in near future.

------
superxor
OMFG, are they this desperate to fight off Gmail!

People call G+ a desperate attempt, but this is ground-bottom. There's only
word to describe this, disaster.

------
Heinleinian
Anyone else find it odd that the day the facebook email change scandal broke,
they announced Sandberg was their first ever female on the board? Really
looked like they had a distraction press release in the pipeline for exactly
this scenario, and they popped the top as soon as there was backlash.

------
curiousfiddler
I feel so sad that there is no competing product out there and thus FB has the
balls to repeatedly treat its users insignificantly.

It's even more sad FB is using it (the fact that all of my friends are on FB
and hence I wouldn't switch) to take undue advantage in a way that I would not
permit had they asked me.

------
yaix
The depressing thing about this is that people will notice that email doesn't
work and then use fb messages even more. I mean, how many people are still
with one of the major banks, only a few years after their greedy behavior
caused so much harm?

------
richardw
Don't many phone users sync their phone contacts to Outlook and similar? So
wouldn't this lead to "work email" contacts being caned by Facebook?

I just checked mine, but seems all my contacts only have phone numbers since I
use Gmail and GApps web-only accounts.

------
darkhorn
That is why you need Distributed Social Networking Protocol.
[http://en.wikipedia.org/wiki/Distributed_Social_Networking_P...](http://en.wikipedia.org/wiki/Distributed_Social_Networking_Protocol)

------
JumpCrisscross
To be clear, does this affect iOS 5 address books? What if those contacts are
pulled from an Exchange account? I sync contacts but thought that only went as
far as photographs and putting those silly links to profiles.

~~~
MBCook
iOS 5 doesn't have FB integration, so it couldn't happen directly.

I don't know if the FB app can write to your contacts (although it can read
them, which caused that dust up earlier in the year). That's where the danger
might be for iOS 5 users.

~~~
raganwald
The FB app can update your contact photos when your FB friends update their
profile pics, I actually like that feature, it’s fun and relatively harmless.

~~~
MBCook
I didn't know that (I don't log into FB much), that's actually kinda neat.
That would be a great way to keep photos for everyone.

------
jfoutz
If you're not capable of actually pinning down the social graph, just cut
links until you get to something tractable. Excellent plan.

------
JumpCrisscross
To be clear, does this affect iOS 5 address books?

------
accountswu
This is why I never upload my pictures or videos on facebook and I have my
home town and current city are set to Valhalla and Atlantis.

[http://techcrunch.com/2009/12/15/facebook-lie-terms-of-
servi...](http://techcrunch.com/2009/12/15/facebook-lie-terms-of-service/)
"Mr. Schnitt suggests that users are free to lie about their hometown or take
down their profile picture to protect their privacy..."

The clarification from Barry Schnitt (Facebook’s Director of Corporate
Communications and Public Policy) was even worse:

"I think WSJ is paraphrasing. What I said is profile picture and current city
are optional. You don’t have to include a profile picture or you can include a
picture of your dog or anything you like. Similarly, you don’t have to
indicate your current city or you can indicate that your current city is
“Atlantis”, “Valhalla” or, again, anything you like. We hope people will use
accurate information if they are comfortable doing so because that information
helps them to be found by their friends, which is part of the point of joining
the site."

------
mkramlich
I hope someone chimes up again saying how Facebook has so many smart engineers
on staff. This looks like either an intelligence failure, or an ethics
failure, or a little of both.

------
horsehead
God damn facebook. This is why i hate their motherfuckin' asses

~~~
Achshar
What? Is this Reddit now?

~~~
horsehead
So I hold an opinion and do have substantial intellectual abilities. Does that
mean I must be erudite in every post? <\-- rhetorical answer because the
answer is an assumed "No."

~~~
horsehead
Lolz. Even a reasonable post gets downvoted.

Now I'm just itching for downvotes. GIVE ME THEM.

~~~
chris_wot
I think you are being downvoted because none of your posts are reasonable or
add to the discussion on HN. For example, you asked if all your posts must be
erudite, and you believe that the obvious answer to your question is "no".

Basically, when you can't even answer your own rhetorical questions correctly,
then it's pretty much all downhill from there.

------
jfreak53
Why would anyone on God's green earth sync their Address book to facebook!?!
It's a social network for crying out loud, not a work place! WT..!!

This is what happen's when you mix work and pleasure ha ha, it's a stupid
kid's playground to post stupid thing's and do nothing all day! I just can't
get past it, why would anyone sync their address book to FB!? ha ha ha

~~~
untog
Why on earth do you think that everyone's address books are business-only?

