
Facebook's Email-Harvesting Practice Is Under Investigation in N.Y. - kerng
https://www.bloomberg.com/news/articles/2019-04-25/n-y-opens-investigation-into-facebook-s-email-harvesting
======
jakelazaroff
I'm glad the attorney general is getting involved. We need to start charging
Facebook execs for these flagrant privacy violations. They're being fined 3
_billion_ dollars for legal expenses relating to an FTC inquiry… and their
stock price went _up_ by 8% [1].

The market just does not care; it's time regulators and law enforcement
started to.

[1] [https://www.barrons.com/articles/facebook-stock-is-up-becaus...](https://www.barrons.com/articles/facebook-stock-is-up-because-its-earnings-report-was-mostly-positive-51556138491)

~~~
SheinhardtWigCo
Not just execs, I hope. The engineers who wrote the code and managers who told
them to do it should also face justice.

~~~
baroffoos
That would require all developers to become lawyers so they can make sure
everything they are being asked to do is legal.

~~~
wavefunction
What's wrong with introspection about what you're doing on an ethical level?
There's no legal standard involved so you don't have to be a lawyer, just a
bit more thoughtful.

~~~
baroffoos
The law isn't just ethics. Companies have whole legal teams because laws are
so complex. Should a developer be responsible because the cookie banner they
implemented wasn't compliant with the laws of 100 countries even though the
legal team already told them it was ok?

~~~
spaceheretostay
> Should a developer be responsible because the cookie banner they implemented
> wasn't compliant with the laws of 100 countries even though the legal team
> already told them it was ok?

Yes. 100%. "I was just following orders" is not a valid excuse, ever -
Nuremberg is the obvious extreme example, but it's true everywhere.

~~~
tzs
In fact, "I was just following orders" often is a valid excuse. It didn't work
at Nuremberg _because_ it was an extreme example. The orders there were to do
things that could not even conceivably be legal, so those who carried them out
were considered to have knowingly acted illegally.

When the orders are to do something that is plausibly legal, and you have good
reason to believe that it is in fact so, "I was just following orders" will
probably work in most jurisdictions.

~~~
pluma
Iff they have confirmation from their product lead that what they're doing is
perfectly legal and it isn't obviously illegal, I agree that there's no
liability.

If it's either obviously illegal or it's clearly at least dodgy and they
didn't get explicit confirmation from the project lead, "following orders" is
not a valid excuse.

To take the VW case as an example: if your project lead tells you to implement
a way to recognise test conditions and adjust the performance to reduce
emissions, that is dodgy af and you should at least get confirmation that this
isn't illegal (i.e. that it's not intended to cheat on certifications but
maybe just for certain internal testing scenarios). In the end the entire
chain of command that led to this being implemented is guilty, but if the
person implementing that behavior knew what they were doing was illegal or at
least suspect and they didn't get confirmation, they're still guilty.

------
mehrdadn
Did anything happen regarding LinkedIn's email harvesting from before when
Microsoft bought it? I feel like that was far worse than Facebook's.

~~~
kerng
They settled a class action lawsuit I think, but if I remember there was some
form of consent involved that emails will be leveraged (probably not obvious
either, and shouldn't be done). In Facebook's case it has clearly been
misleading, possibly intentionally multiple times now (email, phone
numbers, ...).

~~~
zamalek
I didn't like it (which is why they didn't get my damned password), but they
were pretty open about what they planned to do with your credentials.

The problem isn't how open they are, it's that most people don't understand
what the harvesting means. Facebook could have asked for the sacrifice of the
firstborn and people would have snapped it up on the prospect of a few likes
on their fake online alter ego. It's human nature and the HN echo chamber
exists far outside that normalcy. Most people don't "get it" (through no fault
of their own) and that's why it's dangerous [edit] and effective.

~~~
simion314
>I didn't like it (which is why they didn't get my damned password), but they
were pretty open about what they planned to do with your credentials.

From what I read FB had a "bug" where the feature was not removed properly, so
the text about harvesting was removed but by "mistake" the harvesting code was
left running.

~~~
pluma
I think what happened was that they had an "import friends from your email
contacts" feature in the past and the code was reused for "verify your
identity via email" but they didn't realise the code would still also upload
the email contacts.

At least that's the story I've heard about why this was an "honest mistake".

------
dschuetz
Why is "we will never ask for your passwords at any time" not a thing anymore?
What Facebook did was phishing, basically. With the password Facebook could be
doing a lot more rather than just "upload contacts". Imagine those passwords
landing (or accidentally leaking) into the hands of third-party services
Facebook is working with! On the user end, what happened to "never ever give
away your passwords"? I mean, that's why spear-phishing is so successful,
because naïve people give away their passwords in the hopes that this darn
annoying login-screen goes away.

~~~
javagram
Asking for passwords has been an industry standard for a decade or more. Bad
security practice? Yes IMO but companies have been getting away with it.

Besides Facebook I can think of LinkedIn and Mint as two big examples of SaaS
that ask for 3rd party passwords. Mint is even getting your banking
information, whereas LinkedIn and Facebook were just doing contact import.

And of course before the era of SaaS giving applications passwords was normal,
e.g. putting your email passwords into an email client like Eudora or
Thunderbird. It only really becomes questionable in SaaS where the passwords
inevitably end up on a server somewhere subject to a data breach, or, in
Facebook’s case, misuse by another piece of its own software.

------
sidcool
This is probably the third investigation against FB this week. How do we still
continue trusting it with our personal data? I have been equally stupid in
sharing freely on FB/Instagram, not anymore.

~~~
Funes-
What about WhatsApp? Virtually no one in my country--not even the elderly, who
now broadly use the app as well--is willing to abandon it, no matter how its
parent company is depicted. In fact, last time I checked, around 75% of _all_
population use the app. I don't, and thus I'm paying the price socially--
mentally, I'm better off; it comes without saying.

~~~
midasz
Same - I don't really speak to some people anymore because I moved away from
WhatsApp. The ones I do really want to speak to (family) have installed both
apps now, simply because I messaged the group saying "I'll be moving away from
WhatsApp - you can reach me through text, calling, and Telegram" and just
left/uninstalled WhatsApp. It can be that simple.

------
orijing
The article claims the practice "was uncovered by Business Insider last week",
implying FB was being sneaky about it. But if you look at the Business Insider
article ([https://www.businessinsider.com/facebook-uploaded-1-5-millio...](https://www.businessinsider.com/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4)),
you'll see this:

> A Facebook spokesperson said before May 2016, it offered an option to verify
> a user's account using their email password and voluntarily upload their
> contacts at the same time. However, they said, the company changed the
> feature, and the text informing users that their contacts would be uploaded
> was deleted — but the underlying functionality was not.

> "Last month we stopped offering email password verification as an option for
> people verifying their account when signing up for Facebook for the first
> time. When we looked into the steps people were going through to verify
> their accounts we found that in some cases people's email contacts were also
> unintentionally uploaded to Facebook when they created their account"

so Facebook discovered this bug in an audit of its code, fixed it, and planned
to notify everyone who was impacted.

~~~
kerng
Can we please stop calling these privacy violations bugs? It sounds like a
benign thing. These are not bugs anymore. It's unauthorized access to records
of millions, and Facebook is the one who performed the violation.

I can give a dog walker or cleaning personnel the keys to my apartment; still,
if they steal stuff and I have evidence they will be prosecuted. It's not a
bug that they don't have business ethics.

~~~
product50
So a hacker took all of Equifax's data including your SSNs, address, names,
DOB etc. By your analogy, all of Equifax engineers should be in jail right
now!

BTW, just in case you are unaware, Equifax got away with this hack with zero
fines in US.

~~~
kerng
You are mixing things up... In this situation the hacker is Facebook.

Most of the other Facebook data breaches where they didn't secure data
accordingly would compare more to what you refer to.

This case is different though as Facebook performed unauthorized actions on
email accounts, basically breaking in.

~~~
product50
I am making a case for the OP's comment that Facebook may have made a genuine
mistake by introducing this bug - like they literally called out in their
statement.

A bug is a bug. Whether it allows a hacker to sneak in to steal all your data
or whether it allows a company to collect data it wasn't supposed to (as in
this case Facebook specifically mentioned that it didn't turn off the feature
though it intended to).

~~~
jimsmart
> in this case Facebook specifically mentioned that it didn't turn off the
> feature though it intended to

What you are describing here is in fact a lack of action, or a lack of change
policy (to cause such action). That's not a bug. A bug is unintentional
behaviour of some code, not some folk who've said they'll do something, but
then don't.

And whether the original behaviour is/was a bug is also a point of
contention: that's a lot of willfully bad behaviour that's got chained
together somehow to do what it did, then reviewed, signed off, and deployed —
that's quite some 'accident' — I write code, and to me this whole thing just
smells of a cover-up (by FB calling this a 'bug', when it very much looks to
be otherwise).

------
busymom0
Are there screenshots or something of this "asking for email password" thing
the article talks about? I feel like anyone who sees a Facebook page asking
for their email password should already feel a bit warned and skeptical. I had
personally never seen such a thing until 3 years ago when I deactivated my
account. Is this a new thing?

~~~
orijing
The Business Insider article has this:
[https://amp.businessinsider.com/images/5ca400acc6cc5023740b5...](https://amp.businessinsider.com/images/5ca400acc6cc5023740b5924-1920-1014.jpg)

[https://www.businessinsider.com/facebook-uploaded-1-5-millio...](https://www.businessinsider.com/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4)

------
droithomme
So this relates to their practice of ransacking all your email contacts
without your consent, engaging in data theft as they upload them and analyze
them for subsequent actions. And of course Linked In is also notorious for
engaging in this criminal vile privacy raping practice.

I remember maybe 8 years ago it was here on HN that a company was found to be
doing this and it was shocking to some. But an executive of that company
showed up here and said that "everybody does it" and it's "standard practice"
and for some years after that anyone complaining about the practice here was
not only downvoted but sometimes warned by our glorious compromised
moderators.

In my opinion the practice of contact list ransacking should never be allowed,
is clearly unethical, and anyone defending it is an enemy of humanity who
should be locked away in order to protect society.

~~~
jmspring
LinkedIn is notorious for this. The app still asks for contact access all the
time.

~~~
anitil
Off topic, but I have to ask - what do you use the app for? In my head
LinkedIn is a 'work' thing so I only use it on my laptop.

------
happppy
Facebook stock is going up regardless of so many scandals.

------
rasz
uh oh an investigation! as meaningful as the Charter Spectrum one I imagine.

[https://eu.democratandchronicle.com/story/news/politics/alba...](https://eu.democratandchronicle.com/story/news/politics/albany/2019/04/19/what-means-consumer-charter-spectrum-new-york-reach-deal/3523198002/)

TLDR Scammed consumers twice, gets to keep doing what it was doing.

"Charter and the Department believe that this action is an important step
forward" indeed

------
garbonicc
just.stop.using.facebook

~~~
dang
Could you please stop posting unsubstantive comments to Hacker News?

~~~
garbonicc
what are you some kind of fascist

~~~
dang
Ok, since you don't seem to want to use this site as intended, I've banned the
account. If that changes, you're welcome to email us at hn@ycombinator.com.
We're happy to unban anyone who gives us reason to believe they'll follow the
site guidelines in the future.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
sonnyblarney
Please investigate 'everyone' for this.

------
product50
This might have been an honest mistake. To do this for 1.5M users only when
Facebook's user-base runs into billions might indicate that.

~~~
jimsmart
> To do this for 1.5M users only when Facebook's user-base runs into billions

Well, put like that, it sounds just like they did it as a planned A/B test
strategy (like they do to trial other features) — and, personally, I believe
this to be the case.

Deploying such code/functionality is hardly an accident/bug.

