
Facebook 'unintentionally uploaded' 1.5M people's email contacts without consent - starmftronajoll
https://www.businessinsider.com/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4
======
Rafuino
So, when is the FTC going to actually bring down the hammer on FB for
violating the consent agreement? There's no way this was "unintentional."

At $40,000 per user per day [1], even at just one day of violation, that's a
$60 billion fine FB should be liable for. "Under the settlement, Facebook
agreed to get consent from users before sharing their data with third
parties," so this seems to be EXACTLY in violation of that agreement.

[1] https://www.cnet.com/news/facebooks-ftc-consent-decree-deal-what-you-need-to-know/

*Edit: on second thought, it should be even higher, as each of the 1.5M users had multiple contacts uploaded. So, for example, let's say 1 user had 150 contacts who were not part of the other 1.5M users who had contacts uploaded. That alone should be a violation of the consent rights of those 150 people, so $6 million per day. If every one of the 1.5 million people had, on average, 150 contacts exclusive of the other 1.5 million people who had contact info uploaded, that's a $9 trillion liability for one day of violation.

The FTC has been toothless on this for quite some time now, so I'm expecting
no significant action as FB lawyers will defend that no one had data shared
with "third parties," technically. Well, shouldn't my contact info shared by a
friend with FB be a consent violation as FB is a "third party" from my
perspective?

~~~
elmo2you
Maybe I'm just ignorant, but I do not really see how this violates the FTC
agreement, because it covers Facebook sharing user data
(stored/tracked/gathered by Facebook) with third parties.

However, what Facebook did is far worse than violating that agreement.
Facebook gained access to user data on third party systems, to which they
should never have had access. They gained this (unauthorized) access (at best
without clear consent) on a false pretense (disguising as security related
requirement). Then they imported user data, with no relationship to their
stated goal/requirement, into their platform.

Associative contact information is a highly valuable commodity to any company
involved in marketing and social media. I've seen a lot of people argue how
this could have been the result of a lapse of oversight, but that sounds like
arguing how a gem stone trader might have "accidentally" stolen a large
quantity of rough gem stones, while claiming to not have known their value.
Even if theoretically possible, it's extremely unlikely that nobody within
Facebook knew/realized the value of this data.

Either way, Facebook gained access to highly valuable assets. Even in the
unlikely event of sincere lack of oversight, it would demonstrate a level of
incompetence that warrants them to still be held criminally liable.

Moreover, Facebook might actually have outright violated the Computer Fraud
and Abuse Act (CFAA), in particular the "access in excess of authorization"
part, but I'm not sure.

~~~
doctorpangloss
Just stop using Facebook, Instagram and WhatsApp. I did, years ago, and
absolutely nothing of value was lost.

~~~
elmo2you
What users do, or should do, isn't really a part of this argument. This is
about Facebook violating agreements they made with governments or them
violating laws. This is a subject of public prosecution. How users should
respond is a different matter.

------
rchaud
FB's public comments about these remind me a lot of the "5 Standard Excuses"
scene in the '80s BBC sitcom Yes Minister, where a civil servant lists the
best CYA mea culpas for politicians to use when something goes wrong.

1. It occurred before certain important facts were known, and couldn't happen
again.

2. It was an unfortunate lapse by an individual, which has now been dealt
with under internal disciplinary procedures.

3. There is a perfectly satisfactory explanation for everything, but security
forbids its disclosure.

4. It has only gone wrong because of heavy cuts in staff and budget which
have stretched supervisory resources beyond their limits.

5. It was a worthwhile experiment, now abandoned, but not before it had
provided much valuable data and considerable employment.

~~~
cyphar
For those who haven't seen the clip, [1]. Yes Minister is a brilliant piece of
satire (though it does have a somewhat unfortunate Thatcher-esque streak when
it comes to discussion of unions -- though it would've been difficult to avoid
ridiculing unions in satire from the 1980s).

[1]: https://www.youtube.com/watch?v=6Y4PEqvk0Jg

~~~
dwd
Just stick with brilliant, and there is also the equally clever second series
- Yes, Prime Minister.

While it was satire, there was a lot in it that could very well have been
reality.

~~~
cyphar
It is definitely brilliant and is one of my favourite satirical shows, but
that doesn't mean it's beyond criticism.

My primary criticism is that it didn't actually satirise the government's
ideology or policies -- the main criticism was of politicians, civil servants,
and interest groups like unions. These were actually in line with Thatcher's
ideals and policies at the time (it's therefore unsurprising she said it was
her favourite show).

I'm not trying to blunt any of their wit, just point out that (like most
works) it had its shortcomings. It's unlikely the BBC would've aired it if it
had just been a scathing ridicule of the PM at the time.

------
carnagii
18 USC 1030 (a)(4)

(4) knowingly and with intent to defraud, accesses a protected computer
without authorization, or exceeds authorized access, and by means of such
conduct furthers the intended fraud and obtains anything of value

[https://www.law.cornell.edu/uscode/text/18/1030](https://www.law.cornell.edu/uscode/text/18/1030)

A criminal investigation into whether or not this was really accidental would
be entirely warranted here. If there was intent to access this information
without authorized access that is criminal.

~~~
matt4077
Not a lawyer, but at least in my jurisdiction, fraud requires a monetary loss
by the victim.

Generally, civil law is better suited for this sort of thing, no matter how
good a pitchfork feels in your hand. As but one of the reasons, the required
standard of proof is much lower.

~~~
dmitryminkovsky
There’s got to be a monetary loss here. If there isn’t precedent for
calculating that loss, such precedent should be established. Our email
contacts are valuable, especially at 150m user scale. We could have all banded
together and sold them, had Facebook not stolen them. These users should be
compensated.

~~~
dahart
> There’s got to be a monetary loss here. Our email contacts are valuable.

Why? Nobody lost their contacts, so what’s the $ amount it cost them? Facebook
claims they’re deleting them. If that’s true, then Facebook isn’t gaining from
the contacts. If users don’t lose anything and if Facebook doesn’t gain
anything, what is the monetary loss?

> especially at 150m user scale

Where’s that number coming from? The article talks about 1.5 million users.

> We could have all banded together and sold them, had Facebook not stolen
> them.

So while it’s entirely true that contacts should never be copied without
consent, and that’s exactly what happened, I guess don’t forget that these
users consciously gave Facebook their passwords. No matter how much I trust
what someone says they’ll do, my email account password gives access to
everything in my email account, I’ve always thought it was a terrible terrible
idea to ever do it when connecting services together, for this very reason.
I’m saying it’s partly the users responsibility, and the outcome here is
predictable, because it has been predicted before by many people.

BTW, nothing stopping you from banding together and selling email addresses
now, if you think it’s a good idea... the blip with Facebook is not in any way
preventing that from happening.

~~~
threwawasy1228
>don’t forget that these users consciously gave Facebook their passwords.

There is a lot of legal precedent about social engineering and how to
prosecute it; this would completely fall under fraud. If I ask someone for
their password to perform some service and then I copy all of their data,
that is a crime regardless of how stupid they are.

This really doesn't matter at all in a case of fraud if you gave the password
willingly, it is under false pretense. If someone asks me to give them
something so that they can provide a service or take those things as an
investment. I willingly give them those things yes, but we have a written,
verbal, or implied contract that they will do and will not do certain things
with that information. Failure to follow our agreement and instead robbing me
is a crime.

~~~
dahart
Hey I’m 100% with you. I’m not defending Facebook, and it’s _crazy_ they ask
for passwords. But just because Facebook’s at fault doesn’t mean that it’s
okay as a user to give out your password, nor does it mean that you lost any
money when contacts are copied, right? The words “stealing” and “robbing”
don’t really convey what happened here, even in the case Facebook isn’t
telling the truth.

~~~
threwawasy1228
You are saying that the words 'rob' and 'steal' don't convey what has happened
here, but this is only true in the colloquial sense. There is a good reason
why many legal codes and laws start off with an exhaustively long list of
definitions. Legal definitions often are different in very subtle ways that
maybe aren't apparent at first glance.

If you don't think that this is the proper framing, maybe consider a different
one. It is clear that there is definitely room to interpret this as a civil or
criminal act regardless of how the parties craft their arguments. For example,
imagine an employee that copies company data, even if it has no actual value
under their authorized username/password on the last day of work. This is
often charged as a clear criminal offense. So to reiterate, employee with
authorization to access dataset, copies a large dataset with no obvious
monetary value on their last day of work, but one that they weren't given
permission to copy. There are cases that have been literally this, and it is
easy to see how this incident could line up with this legal approach.

I think you are fixating too much on a critique of the specific charge listed
by the top of this thread. I was defending the idea that there would probably
be a way to go about mounting a case in that way. You seem to think that this
is the incorrect legal framing for this, which is totally fine. The legal
process is more of a subjective art than a science.

~~~
dahart
What made you think I was fixating on anything? I just agreed with you that
Facebook's action is at least negligent and could be criminal. I guess I'm
fine with the word stealing in the sense of information theft. Still, Facebook
claims it was an accident and that the data is being deleted. It might have
been intentional, but I'd wait to call it intentional until proven, even
though they've done it intentionally in other cases. :)

All I'm really saying is, no matter what, don't give out your password. And if
you do, don't pretend to be shocked when something bad happens.

------
smt88
Saying "unintentionally" here is like saying you unintentionally stole
someone's TV when they gave you their key to walk their dog.

It takes extra work to upload those contacts, which means several managers and
developers decided to do it and then spent time implementing it.

For the FB employees reading this: what is your tipping point? Would you say
no to that assignment?

~~~
jayawayjayyay
From the article it sounds like there was a prompt for permission that got
removed:

> Facebook told Gizmodo via email that in May 2016 it made a revision to the
> registration process, which originally asked the affected users for
> permission to upload contact lists. That change removed the opt-in prompt,
> though the company did not realize the underlying functionality was still
> operating in some cases.

It doesn't take a conspiracy to understand how a bug like that could happen.

~~~
zach43
It's such a coincidence that these accidents keep happening in ways that enable
further data gathering... surely there isn't a larger problem with Facebook's
attitude towards their users' private data or anything.

~~~
TheCraiggers
Well, to be fair we probably don't hear about the accidents that end up
causing the opposite situation. Those are just normal bugs.

~~~
simonh
"Facebook bug causes all users' sensitive data to not be uploaded in some
cases" sounds like an Onion headline.

~~~
FabHK
The Onion has quite some insight on Facebook (the headlines practically write
themselves):

"Mark Zuckerberg Promises That Misuse Of Facebook User Data Will Happen Again
And Again" https://www.theonion.com/mark-zuckerberg-promises-that-misuse-of-facebook-user-d-1823988784

"Facebook Employees Explain Daily Struggle Of Trying To Care About Company's
Unethical Practices When Gig So Cushy" https://www.theonion.com/facebook-employees-explain-daily-struggle-of-trying-to-1825147978

"Cash-Strapped Zuckerberg Forced To Sell 11 Million Facebook Users"
https://www.theonion.com/cash-strapped-zuckerberg-forced-to-sell-11-million-face-1829112856

"New Facebook Feature Allows User To Cancel Account. ... The company later
confirmed that account closures would not stop Facebook from continuing to
acquire, permanently store, and sell all information about its current and
former users until the day they die." https://www.theonion.com/new-facebook-feature-allows-user-to-cancel-account-1819573073

~~~
corodra
You probably could just say CNN instead of the Onion and people wouldn’t bat
an eye. Which is sad.

------
jammygit
First they ask for email passwords. Then the new users assume Facebook won't
comprehensively mine their emails. Then Facebook awkwardly gets caught
uploading 1.5 million users' email contacts.

It doesn't make sense for people to trust the service at all unless you assume
one of two things:

1 - Despite all the outrage on Hacker News, and the NYT stories, our neighbours
down the street and family members still don't know how Facebook works or what
is done with their data.

2 - They don't care about their data privacy. I've heard this claim many
times, but the people saying it often change their minds when they read more
news stories. I really do think people have trouble assuming the worst about
the intentions of others and are inclined to be trusting.

edit: clarification

~~~
darkpuma
> _" I really do think people have trouble assuming the worst about the
> intentions of others and are inclined to be trusting."_

I think you hit the nail on the head. Even on HN, it's not uncommon to see a
few comments on each negative story about facebook accusing the media of a
conspiracy against Facebook; claiming that the media is wrongly maligning
Facebook who is merely the unfortunate victim of a series of coincidental
accidents.

They have trouble accepting that a tech corporation like facebook _actually
might be rotten._

~~~
AnthonyMouse
I think you see that more with other tech companies.

There is a certain amount of anti-silicon valley sentiment in the media and as
a result there are a lot of stories maligning tech companies in ways that
aren't always fair. Especially when the media companies are campaigning for
some kind of problematic legislation that the tech companies are on the other
side of and so will take any excuse to try to make them look bad.

Then there's Facebook, about which nobody has time to write a story maligning
them unfairly because there is never that long between any of the stories
maligning them fairly.

------
mikro2nd
FB has said they'll be notifying the people whose contacts they
"unintentionally" uploaded. How about notifying _those contacts_ whose private
details they illicitly obtained that their privacy has been compromised by
Facebook - the innocents who signed up for FB and had their contact-list
stolen (let's call it what it is) may or may not feel any moral obligation
(more likely, don't even see the issue) to notify their friends/family/plumber
whose details they "lost" to a thief.

~~~
PedroBatista
It’s amazing what these companies can get away with without paying a single
dime to anyone.

~~~
dmix
People can sue if they can find some claim to real-life damages... You'd only
need a small percentage of the 1.5 million people and FB would probably settle
out of court.

~~~
PedroBatista
How about consumer and privacy laws? I know it varies from country to country
but the government can sue and fine companies and people in order to protect
its citizens. I know I know.. I'm old fashioned like that.

------
javagram
This seems like a case similar to the Google WiFi data collection. Code
written for one reason was reused in a different project without understanding
what it would do.

Here’s an example page from 2011 talking about facebook’s old feature to
import contacts via providing them your email username and password. This was
at a point when many web mail services didn’t offer an OAuth API to do this,
so it did make some sense at the time. It was still safer to do a csv export
and then import, but much easier for users to provide the password directly.

https://www.techwalla.com/articles/how-to-import-contacts-to-facebook

> Type your email address and password for the Web-based email or instant-
> messaging service that you want to import into the dialog boxes and click
> "Find Friends."

~~~
matt4077
I thought of this as well. One difference, at least subjectively, is that
Google seems to make far fewer of such mistakes.

Just as with people, it’s sometimes difficult to judge them for a single act.
Only by aggregating behavior over time can we learn of their true character.

And Facebook’s rotten.

------
james246
LinkedIn pulled something similar a few years back. At the time, I was using
the same password for both my email and LinkedIn account, and found that
people from my email address book were showing up as suggested connections. I
can only assume "consent" for this was buried in the T&Cs.

~~~
shereadsthenews
Yeah people always forget this! LinkedIn is super-shady and what they were
doing was the darkest of all patterns.

------
throwaway_9168
Since FB has gone out of their way to weaponize "friendship", my suggestion to
everyone who actually likes to have some standards in their life and don't
like to be manipulated like that is simple. Just do it back to them.
"Unfriend" (IRL) everyone you know who works at Facebook and tell them you
will "friend" them back once they leave the company.

~~~
thecatspaw
I would never friend someone again who dropped me because of my employer

~~~
cyphar
I wouldn't say I necessarily agree with doing this when it comes to Facebook,
but is there really no circumstance in which you think it'd be justified to
cut off contact with a friend because of where they work?

For instance, if I had a friend whose job it was to design missiles that are
used to bomb innocent people (Lockheed-Martin for instance) I would seriously
reconsider my friendship with that person. Yes, it's "just their job" but
choosing to have a job which requires having such warped ethics would make me
reconsider whether I want to continue associating with them.

Nobody is forced to work at such companies. Yes, effectively all companies do
things which we don't agree with on some level (unimaginably large amounts of
tax avoidance being the most obvious example). But if a company's ethics are
completely antithetical to your own, then I don't see how you could morally
justify working for them.

(Obviously there are some understandable exceptions to the above -- the most
obvious being that in the US employees are effectively blackmailed into
working for their employer because they'll lose their health insurance
otherwise.)

~~~
chucksmash
On its face the statement is true. LM does design missiles, and some non-zero
number of them have been used to kill innocent people.

I'm curious what part of the statement is important to you in making that
decision though. Is it that LM is part of the military-industrial complex,
full stop? That the weapons are used by the US military? That they are sold to
and used by other governments? Would LM be acceptable if they created weapons
that magically never harmed the innocent? What if they occasionally harmed the
innocent but were always used by people with good intentions who were doing
things you supported?

Never worked in that industry, just curious.

~~~
cyphar
I was using Lockheed-Martin as an example of a "clearly immoral" company, you
could replace it with any other example you can think of and the point would
be the same (that at some point you have to accept that ignoring your morals
in order to get a paycheck means you don't really have those morals).

As for my personal view, it's fairly clear that Lockheed-Martin props up
(through lobbying) and profits (through government contracts) from the US war
machine -- which in turn has killed millions of innocent civilians. And then
there's the contractors that Lockheed-Martin has provided to government
agencies to further strengthen the surveillance tools of the NSA, CIA, FBI,
and so on. So, I think Lockheed-Martin was a good example of a "clearly
immoral" company.

EDIT: You changed your comment after I responded to it. I don't think the
ethics of hypothetical magic missiles is a super useful conversation to have
(changes in technology don't change our underlying ethics, they just change
what ethical questions are being asked).

On the question about unintended consequences, obviously in wars you can't
guarantee zero civilian casualties and innocent bloodshed is inevitable
(though still unjustifiable). But the US is currently engaged in several
illegal wars of aggression (which is a crime under international law) and
clearly planning to engage in several more. Personally, I think the
"unintended consequences are inevitable in war" defense isn't available to you
if the war itself was illegal from the outset.

~~~
chucksmash
It was while you were responding to it. I thought I was fast enough to edit
that in. Sorry for the confusion, I appreciate your response.

------
blauditore
This may be an unpopular opinion, but things like this happen. Someone gets
the task to implement a login and either doesn't realize they should be using
OAuth or is simply too lazy to do so. Next, someone has the idea to suggest
friends, so let's grab some email contacts for that purpose.

That stuff happens all the time at small companies. While it's certainly bad
practice, it's often not evil intent, but just lack of technical skills (for
the former issue) and missing sense for potential privacy issues (for the
latter).

In case of a large company like Facebook, one could expect they'd have
processes and education in place to prevent such incidents, but I guess this
happened a while back when FB was much smaller than it is now.

~~~
ascendantlogic
> This may be an unpopular opinion, but things like this happen.

Yes, and at Facebook in the context of data gathering they seem to happen ALL
THE TIME. So if they did actually care about privacy they'd make changes to
curb these sort of "mistakes", but taken in aggregate the relentless "bugs"
show a pattern of willful malevolence.

------
tonyjstark
Not for one second do I believe this was unintentional, after all the data
scandals where Facebook didn't actively care or even empowered the problem by
not acting towards privacy.

I think this company is inherently bad from the top and everyone working there
is enabling them. Sure, it pays well.

Problem is, most bigger companies do bad things. See VW and the emissions
scandal; I hope Winterkorn and other top managers go to jail for that.
Also I'm biased, for me Facebook and Instagram are pretty useless, the only
useful product they have is Whatsapp...

------
gyaniv
Can't someone file a class action lawsuit against Facebook?

I mean, it's nice that they are deleting the information now, but they clearly
did something wrong, and by basic standards, they should be punished. And
deleting the stolen information isn't punishment, and since they probably
won't delete any new ad targeting information they gathered as a conclusion
from the contacts, they are still profiting from it, so the punishment should
be more than just a small fine (that I hope they get).

I'm just sick of them (and other companies) "accidentally" doing something
wrong, and barely getting a slap on the wrist.

~~~
faxi
There already is a $78B class action lawsuit against Facebook over the
Cambridge Analytica scandal. $1000 per American whose information was
harvested. It's hard to google for however.

------
maxheadroom
> _Facebook says that it didn't mean to upload these contacts_

How can you not mean to? It's one thing to say that, were it something
tangible, like paper, "Sorry, mate. These pages snuck in with the others.
Sorry about that. We'll pull it out. No worries."

Pulling contacts and uploading them is not a passive action but takes active
action.

> _and is now in the process of deleting them._

So, the question must then be asked: How do they differentiate the sources of
contacts associated with an account, unless they're logging that, as well? If
they're not logging that, then how are they, presumably, deleting those
contacts?

Are we taking bets on Facebook being in the news again, in a month or so's
time, for being found to not have deleted them? :)

~~~
mannykannot
> Pulling contacts and uploading them is not a passive action but takes active
> action.

Action such as "accidentally" asking for email passwords. It is quite
remarkable how these accidents line up just so.

Grammar-checking programs should be flagging any use of "accident",
"accidentally", "unintended" and "unintentionally" whenever they appear in the
same sentence as "Facebook" and are not within quotes.

------
nathan_long
I don't recall ever hearing that Facebook made a mistake which _decreased_ the
amount of data they collected or their usage thereof. Can anyone provide an
example?

~~~
hhanesand
I get what you’re getting at here, but I don’t think it would be reported in
the general media as it’s not a privacy violation.

------
hluska
At some point, some government is going to have to step in and stop Facebook.
Five years ago, I would not have believed that I would have supported
government action. Now, I’m afraid for the future if there is no intervention.

~~~
Cthulhu_
I don't know if you've followed the news, but multiple governments have
investigated, sued and fined Facebook. A quick Google indicates Facebook may
end up paying 1.6 billion to the EU. The UK is doing an investigation too,
with FB's impact on the Brexit referendum, as well as the whole Cambridge
Analytica thing.

If you're thinking Facebook is getting away with it, you're wrong.

Of course, they're mainly getting fined; if that isn't harsh enough punishment
then I don't know what to do next, that's dangerous territory.

~~~
viraptor
> that isn't harsh enough punishment then I don't know what to do next,

Split the business into smaller, independent ones. We've seen this before.
There's enough services hiding inside FB that treating them like a monopoly is
not a terrible idea.

~~~
astura
What, exactly, does Facebook have a monopoly on? It's not social media, chat,
photo sharing, events, ads, or news.

~~~
hluska
Two points:

1.) The US FTC really needs to update its working definition of a monopoly.
“Consumer welfare” is normally shown via price and since free services are
always free, it’s a tough thing to argue.

2.) Facebook owns about 70% of the social networking space, and Google and
Facebook have a virtual lock on online advertising. Moreover, through its
share buttons, Facebook has created a web full of data gathering - the sheer
amount of information they have makes them very hard to compete against. Add
in some regulatory issues in the Instagram and Whatsapp regulations and
there’s an image of a company that’s just about impossible to compete against
and that has used its clout to bring net harm to consumers.

------
kerng
Phones need better features to entirely prevent these things - so apps can't
trick the user. I want no application to have access, something like Incognito
mode for all apps basically. The permission dialogues are typically not very
helpful to make a meaningful decision and apps don't function at all without
certain permissions. So why not allow "faking" contacts, storage, location,
etc...

The majority of apps are just spyware anyway.

~~~
low_key
This could be done previously on custom Android builds with XPrivacy (an
XPosed module).

It worked quite well for a long time, but tended to be quite a burden to
maintain through OS updates. Starting with Oreo or so it no longer worked, but
there was another similar module that had much of its functionality.

It could even go as far as exposing a subset of your address book to an app.
So, for example, when I wanted to use WhatsApp I could just show it the 3
contacts that I wanted it to see.

The operating system should sandbox every app and by default provide it fake
data for everything. The user should say what they really want to allow the
app to access.

I eventually switched to an iPhone and just don't install many apps.

------
yakubin
Why would anyone just give a site their password to their email account? And
to Facebook on top of that?

~~~
Cthulhu_
Convenience. That is, Facebook - and others, like Skype - tells new users that
the easiest and quickest way to find your friends is to send them your
contacts so they can cross-reference the users.

And that, including me not paying attention, is how all my e-mail contacts got
an email from facebook where I invited them to FB. That wasn't the intent!

~~~
netsharc
Interestingly, WhatsApp (and Telegram, and Signal) don't even ask and just
upload all your contacts' phone numbers (this is before Android had the prompt
"Allow this app access to your contacts?"). It's very convenient, and also very
sad.

Also sad is the fact that BlackBerry already had a fine-grained permissions
system in pre-iPhone days, but it took iPhone and Android many many versions and
years before they built such privacy controls (but yeah, "We care about our
customer's privacy" - Apple). And Google didn't even care about privacy back
then; I remember the Google Maps app for BlackBerry just prompted you "Please
give us all the permissions we want or this app will just exit now." on
startup, when you'd denied it a permission or two.

~~~
elken
Permission to read text messages is another one that gets me. I know not many
people use SMS as their primary communication but how can you be so
astonishingly blasé about your data to save typing in a code?

~~~
Liquid_Fire
Thankfully there is now the SMS Retriever API that lets you do this without
having access to all messages, and the Play Store no longer allows apps that
require this permission without SMS handling being a core functionality of the
app.

------
galfarragem
I'm pretty sure LinkedIn does or used to do the same.

~~~
gpvos
Still does. The apparently popular German payment system Sofortüberweisung
(now run by Klarna) even requests the password of your _bank account._

~~~
durnygbur
SOFORT quite explicitly ~scraps~ scrapes the entire available transaction
history for „your convenience” (much more is available with access login and
password actually). What a satisfaction when they tried to enter the Polish market
and the Polish finance controlling authorities shut them down before they
managed to squeak. The famous German „privacy” it is.

~~~
lsaferite
The idea of handing over my banking password to any third party is crazy. Mind
you, I'd love an API that I could use to easily pull all of my banking details
into my local system. There are a few ways to do this currently, but nothing
simple, open, and standard.

P.S. As you seem to be a non-native English speaker, the word you wanted to
use was "scrapes" not "scraps".

~~~
durnygbur
> I'd love an API that I could use to easily pull all of my banking details
> into my local system.

This is almost non-existent for personal banking. First and only case by now
I’ve encountered was in Czechia:

[https://www.fio.cz/bank-services/internetbanking-api](https://www.fio.cz/bank-services/internetbanking-api)

------
dangero
How is LinkedIn not under more scrutiny right now? They used to ask for my
email password all the time along with re-asking for access to contacts at
EVERY LOGIN.

I know this isn’t a contest, but I always felt LinkedIn was twice as scummy as
fb.

------
u801e
Why are companies even asking users to provide passwords for unrelated
services? For example, when I added an external account on Etrade, they gave
me the option of same day verification of that account if I provided them my
online banking account credentials.

This practice opens up a significant potential for abuse and should be
illegal.

~~~
matt4077
Is this question rhetorical?

Your online banking is known to be verified, therefore another company can
piggyback on that verification.

~~~
dingaling
They can't really 'piggyback' since disclosing your account authentication
details is against the ToS of the bank.

------
1024core
The only way FB will change its ways is if (a) good engineers stop joining
them, and (b) good engineers at FB start leaving. This will threaten their
entire growth prospects and finally bring about change.

I was having discussions with an FB recruiter and some of their senior managers.
I just informed them that I won't be pursuing that anymore.

FB engineers who are on HN: why are you still there? You can make similar
money at several other companies _without sacrificing your soul!_

~~~
save_ferris
Regulation is much more realistic, IMO.

The tech industry worships money and those who make it, and there are plenty
of engineers who'd take the FB compensation package in a heartbeat, regardless
of FB's public image problem.

This idea that the public will act together morally to stop corporate
malfeasance while sacrificing their good fortunes isn't that realistic. Look
at the FB shareholder situation. Lots of shareholders are angry at Zuck but
can't do anything about it. None of them seem particularly interested in
selling their shares because they don't want to have to pay for his bad
behavior.

~~~
1024core
> while sacrificing their good fortunes isn't that realistic.

... this does not need to happen. Plenty of other companies in the Bay Area
pay as well as FB, but without the heartache.

~~~
save_ferris
But there's some kind of inertia keeping those employees at FB for some
reason. Why put in all the effort to leave for another company to get paid the
same? Most people won't do that.

Engineers aren't going to start quitting en masse until their compensation is
threatened (i.e. the stock irreversibly tanks). In order for that to happen,
shareholders need to stage a massive sell-off, which won't likely happen soon
due to FOMO.

------
blibble
unintentional my foot

the code to implement that functionality didn't come from nowhere

~~~
brianpgordon
Apparently Facebook is claiming that the functionality came from a separate
"import contacts" feature that used to exist. But I agree; the idea that the
import logic could have slipped into the login process accidentally is
ludicrous. Or at least it indicates an outrageous lack of care on Facebook's
part.

~~~
ludston
It requires just one developer and a couple of reviewers to make poor choices.

Which begs the question, how do you structure your organisation such that a
foolish developer that only barely understands the change that they are making
can't write code that makes arbitrary queries to particular data sets in
unapproved contexts?

~~~
AnthonyMouse
Start by keeping the primary copy of the user's data on the user's own device
so that the developers never have access to it to begin with. Then, if you
ever have to hold a copy of the user's data, make sure it's encrypted by the
client and your servers are never in possession of the plaintext.

To access the user's data, your developers should have to intentionally crack
the user's password. And if they attempt to do that they should be fired.

Obviously this is not how Facebook works, but ideally it's how the thing that
replaces Facebook will work.
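The design sketched in this comment (the client holds the plaintext and the server stores only what the client encrypted), as an added Python example; it is not the commenter's code. The cipher is a constructed stand-in from the standard library (an HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC); a real system would use a vetted AEAD such as AES-GCM, and the password, contact list and PBKDF2 iteration count are constructed values.

```python
"""Client-side encryption of a contact list so the server only ever holds ciphertext."""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Runs on the client: stretch the password into an encryption key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (use a vetted AEAD in practice)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def client_encrypt(password: str, contacts: list[dict]) -> dict:
    """Runs on the user's device; the returned blob is all the server ever stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = json.dumps(contacts).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def client_decrypt(password: str, blob: dict) -> list[dict]:
    """Runs on the user's device; fails closed on a wrong password or a tampered blob."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered blob")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def server_import_contacts(stored_blob: dict) -> list[str]:
    """A server-side 'import contacts' code path run over what the server actually holds.
    With only ciphertext on disk it cannot parse a contact list, so it gets nothing."""
    try:
        contacts = json.loads(bytes.fromhex(stored_blob["ct"]).decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    return [c["email"] for c in contacts]
```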

~~~
sonnyblarney
"Start by keeping the primary copy of the user's data on the user's own
device"

It's an organizational policy, procedural, ethics and legal question - not a
technical one.

They should have feature reviews before the code reviews. The feature review
panel puts bounds on what the code can do.

~~~
brianpgordon
I don't think you need a board to stop this specific case. It's pretty obvious
that what they were doing is unacceptable. The problem must have been a
pervasive culture of lack of respect for privacy at Facebook, not a single
engineer who somehow just didn't know any better.

~~~
sonnyblarney
Situations can get complicated. There might have been some sideshow reason to
do this or that. Without oversight, some things will fall through the cracks.

A review board would a) give clear direction b) catch problems and c) put
accountability where it belongs.

------
chicob
I guess that to the average users, every single incremental step seems
innocuous. The complete picture, however, is not foreseeable to them.

If the full scheme of Facebook's business strategy (and other companies' as
well, for that matter) were clear enough, a mass exodus would take place.

I'm still hoping a mass exodus takes place some day, or at least, like Roger
McNamee has suggested, log and data deletion is enforced in some way.

This has to stop. Even if there is some temporary outrage, these companies
remain unaccountable and get away with whatever they want.

From now on, I think I'll stop replying to emails provided by companies whose
trust I've long lost and use only Protonmail's encrypted link feature.

------
clintonb
Forget the contacts. People willingly gave Facebook their email passwords. Did
Facebook also accidentally upload users' emails? Why would Yandex (from the
screenshot) even permit this?

------
nemacol
I hate it when I accidentally write some code to crawl email accounts for data
and accidentally upload that data. Accidentally deploy that code to
production, hide the opt-out button, and forget to post a disclaimer. Gosh
darn it!

I'm just a mess without my morning coffee. If I don't get a good cup of joe in
the AM I could do something reckless and random... like violate the privacy of
millions of people! OOPS!

You know what I'm talking about! Right! ... right? ...

------
tsycho
And if we consider Facebook's normal modus operandi: Today it's 1.5 million, a
week or two later, they will say it was 15 million and 2 months later, they
will say it was 150 million+.

Don't give access to your contacts, location, emails and photos to not just
FB, but also WhatsApp and Instagram. If you must use them, try doing so from
incognito browser windows. Facebook has proven time and again it cannot be
trusted.

------
dsfyu404ed
This is like the app version of "sorry honey, I totally didn't mean to stick
it your butt but it was dark".

Facebook knew exactly what they were doing but they're playing dumb because
it's less insulting to the recipient that way and they feel that will minimize
the response.

------
logrott
I work in UX and this isn't unintentional. The copy "Facebook doesn't save
your password" proves this was intentional. I'm sure the PMs there are all
drinking the Kool-Aid and are rewarded for getting as much data from the user
as possible.

------
randyrand
Similarly, google has been publishing my mailing address on the "Maps" app for
decades and I've yet to see bloggers write about it.

Publishing mailing addresses is _worse_ since that is a physical location in
addition to being a mail location.

------
itronitron
move fast and take things

------
3xblah
Can someone use a throwaway e-mail address to sign up for Facebook?

Once the e-mail address is validated, is there any further need for a valid
e-mail address to continue using FB?

Historical fact: Going back to the days when a university address was
required, if the user created her Facebook account while at university and her
e-mail address later expired when she graduated, FB did not disable the
account.

Unless one wants to get notifications and other FB crud via email, AFAIK there
is no need for a working e-mail address to use FB.

~~~
nvssj
Just use a throwaway email account AND keep it? At some point they might
decide to lock you out if you log in from a different place, I think it's
better if you keep the email account safe.

~~~
3xblah
It has been over ten years since the email address stopped being valid; still
waiting to be "locked out".

------
M2Ys4U
"unintentionally". Yeah, sure, whatever you say Zuck.

~~~
moogly
At least they seem to have a thesaurus at hand. Last month they "mistakenly"
did something.

[https://nordic.businessinsider.com/facebook-old-posts-mark-z...](https://nordic.businessinsider.com/facebook-old-posts-mark-zuckerberg-disappeared-2019-3?r=US&IR=T)

------
mrhappyunhappy
Kinda off topic but I find the lack of privacy people have online when it
comes to advertising incredibly worrying. There is creepy retargeting and then
there is retargeting to specific individuals.

Right now I can find just about anyone’s email, seed them with an ad pixel,
show them hyperpersonalized landing pages and follow them online knowing
exactly who they are, allowing me to tailor ads to individual level.

If that doesn’t creep you out, what would?

------
lbotos
Related:

WhatsApp on iOS recently updated, and now will only show phone numbers for
contacts UNLESS _I_ upload my contacts.

In the UI if I click on a number it will take me to the profile where I can
see that user's name ~Tom, but wow, waddamove... Have we reached the point
where FB can't make any more money until they go deeper or is this just
dragnet "data is the new oil"

~~~
dingaling
It's the same on Android, with Contacts permission blocked it will show only
numbers except for groups.

Furthermore it won't let you start a chat with anyone unless it can access
your contacts to find them. However there's a great little app on F-Droid
called 'Open in Whatsapp' that lets you start a chat with any arbitrary phone
number.

------
untog
To be blunt: when I'm hiring for a developer and interview an applicant who
worked for Facebook I'm going to have a _lot_ of questions about exactly
what they worked on. There's no way a feature like this was created by accident;
the developers who put it together knew exactly what they were doing, and did
it anyway.

------
jwilk
Related:
[https://news.ycombinator.com/item?id=19559617](https://news.ycombinator.com/item?id=19559617)

( _Facebook Asking for Some New Users' Email Passwords_)

------
aswanson
I find it astonishing people are still on fb, and even moreso that people that
are still on there have the slightest expectation that their data will be
handled with care & respect for their privacy.

------
Ayesh
If you have a bunch of photos of Mr. Zuck with a frowning, sad, confused, etc
face, sell them! With the amount of stories popping up, one could make a
decent income out of them.

------
johnisgood
Why does it ask for your e-mail password to begin with? It is sad that there
are 1.5M people out there (and probably more) that actually gave them their
password. Scary.

------
1024core
Didn't LinkedIn get sued for this, many years ago?

------
dwighttk
The headline should use “asked” instead of “asks”

------
pndy
I have a feeling that the US govt agencies will benefit from this
"unintentional" upload - if they didn't already.

------
Navarr
I think a quote from The LEGO Movie sums it up best:

> You accidentally, expertly, carefully took the entire top off of that tower?

------
pluma
Post-GDPR this is "unintentionally" and they try to make amends. Pre-GDPR that
would just have been a "happy accident" and they'd just have swept it under
the rug.

------
hysan
While they are deleting the imported contacts, that doesn’t undo any potential
shadow profiles they generated, any training to their ML models that associate
users (relationships), or any training to their advertising models. I believe
Facebook doesn’t care about the contacts themselves. They wanted all of these
collateral benefits that the general public will not be thinking about.

------
dastx
They say they're going to delete it, but are they really though? How are they
gonna prove it?

------
kerng
How is this not a crime?

They trick you to get your password, then steal your contacts. Seems like
typical malware.

------
m3kw9
At this point it is whatever, they gonna violate your privacy as they please,
with any excuse

------
jbverschoor
This AI thing sure is smart these days. Uploading email contacts without
anyone knowing

------
skilled
This one actually made me laugh. Talk about going the extra mile with their
efforts.

------
1f60c
The age of “Facebook” and “accidentally” is (should be) long past.

------
peteretep
Honestly I don't understand why Zuck doesn't sell up at Facebook and use his
considerable money and brains to move to philanthropy, like billg. His
personal brand is going to continue to dive while he's the face of this
bullshit.

~~~
chimen
Ego.

~~~
peteretep
That feels like a good reason to go and cure malaria or something, and get out
of the PR disaster snowball that Facebook is becoming

------
kjar
In the prescient words of Britney Spears - “Oops I did it again”

------
ajuc
EU will slap Facebook's ass so hard over this :)

------
qwertox
By now we all know how Mark Zuckerberg rolls.

"Dumb fucks" wasn't just an episode, that's his character.

He'd probably be a good friend of Martin Shkreli if he wouldn't care that much
about what others think of him.

~~~
OrgNet
I'm glad that Zucky's comment finally came up but I'm surprised that it took
this long..

------
samcday
The selfish part of me wishes that the media would stop reporting on the
endless procession of privacy violations / attacks by Facebook. It doesn’t
seem to change a damn thing (Facebook revenue, DAU, etc seem to just keep
going up). All it does is make me depressed, watching as we all just aimlessly
shuffle pathetically toward some surveillance capitalism dystopia.

------
ggggtez
Again?

------
patrickg_zill
Nothing will ever change until someone goes to jail, IMHO.

------
ghani
This really seems like a big deal IMO.

------
oldjokes
Are they just flat out teaching people how to be super deceptive and how to
tactically play stupid in MBA programs nowadays?

~~~
rchaud
You're really attributing this to the MBA boogeyman, when Zuck the l33t coder
dropout almost certainly had to sign off on a move like this?

------
rezeroed
The incessant stories about Facebook are beyond tedious. I don't even know how
to complain about this. I suppose it would be nice if we could somewhere
officially label Facebook as dodgy rubbish, and abandon everyone who continues
to knowingly use it to suffer the expected consequences, and never have to
read another unsurprising article about them ever again.

