Facebook e-mail mess: Address books altered, e-mail lost (cnet.com)
389 points by iProject on June 30, 2012 | 183 comments

Facebook simply doesn't have an ethical central core. They've shown over and over that when user privacy or security conflict with facebook's goals, they'll choose facebook over the user. It's always relatively subtle; they strive to only do what they can get away with...but it's always pushing the line, and is never based on trying to do what's right, merely avoiding backlash. Facebook, the company, is kind of a sociopath.

I wish it weren't this way. I have several friends within facebook whom I like and respect, and they produce a lot of great technology. But, I fear facebook having more power than they already have. It can only end badly for the user.

Facebook really needs a "don't be evil" moment, but I suspect it's too late, and I suspect that Zuckerberg simply doesn't think that way.

The "don't be evil" moment will be when people really start pulling the plug en masse.

I mean the advertisers.

I don't advertise my company with facebook, for this very reason. I'm sure there are other people out there who feel this way. I spend about $1500 a month with Google, because they're trying not to be evil (even if they fail at the attempt sometimes). Not big money, by any means, but if a few thousand companies are opting to not advertise with facebook because they're kinda evil, it could start to be real money.

That's not a don't be evil moment, that's continuing to act in a self interested way, just circumstances changing what is in your best interest.

> I have several friends within facebook whom I like and respect, and they produce a lot of great technology.

I find this idea interesting. Can an entity like a corporation have a life beyond that which is given to it by its employees? Like the ship of theseus, can you replace all employees and still have a business that "feels" the same?

Of course. Work with any government bureaucracy and you'll notice it pretty quickly. Entire divisions can be filled with good, bright, well-meaning people, yet that division can still churn out crap work product. How is that? An organization's culture and the way incentives are aligned can quickly override any pockets of talented individuals.

So the obvious question is: How does one change this from the inside? Does the plan of attack differ if you were a line worker versus a VP?

Therein lies the difference between a company and a quality company.

Sounds like they just tried to steal a huge network of e-mail addresses and run it through their infrastructure.

To me, this is essentially theft.

Can you elaborate on why you think in this specific case user privacy or security conflict with Facebook's goals?

It seems obvious, to me, but I guess I'll spell it out:

Facebook wants access to your email so badly that they're willing to steal it. This is, in my opinion, among the worst things they've ever done for user privacy (and security, but mostly privacy in this case), in a long list of subtle, and not-so-subtle tactics.

It also has very real security consequences. The automatic contact list updates for potentially millions of users means that sensitive information is likely flowing into facebook servers as we speak, without users knowing it. Passwords, medical information, company secrets, who knows what else? Someone who trusts facebook enough to use it for social interactions might not trust them enough to know about their medical conditions, proprietary company data, passwords for other sites, etc. Facebook took away that privilege for many people with this change.

All that said, here's what's important: This does nothing good for users, and a few bad things. The fact that facebook made this change, knowing that the vast majority of users were not interested in using facebook email thus far, tells us that facebook thinks first of facebook. Even if there were no privacy or security concerns, what the user wants wasn't even in the equation, when facebook did the math on this.

Why would that sensitive information start flowing to people's @facebook.com email addresses automatically when Facebook changed the email address shown on the site?

Have you read the article? Because some people's contact lists were updated at the same time, because they were synced with facebook.

I'm pretty sure this is just a mistake and not some big scheme where Facebook wants to steal your e-mails. Don't you realise how ridiculous it sounds?

> passwords for other sites

Wait, seriously? People are using websites where the password reset emails are being sent from somebody's Droid phone? I think you've gotten a little carried away.

I said nothing about password reset emails. I come from an IT background. I can't even count the number of times I've sent temporary passwords over email to co-workers, customers, etc., including from my phone. If something can be sent via email, it will be, and when the numbers are in the millions...there's a lot of data that people consider private.

Makes me wish asymmetric crypto was used more often :) "Hey, send me your public key and I'll encrypt and e-mail you the password."

Maybe a phone call to communicate a password would be better. Not as convenient of course, but security and convenience don't often go together. That assumes your voice provider isn't recording the call.

Frustrated voice fades in, "Right, capital L. No, slash, not backslash. The one that's leaning to the right. Bottom-left to top-right. By the shift key. On your phone? I'm not sure where it is on your phone's keyboard. Ohh, you got it? Ok, the rest is lowercase..."

Sometimes an email or text is better for everyone. But I always split up the info between two bands. Most info in an email and a SMS for the password. Or just have them change it after they log in.

Sure, sometimes that's what you need to do. But, other times, if you know you're sending to a trusted server, such as your own company server that you manage yourself (or people who are trusted manage), it's deemed acceptable to send passwords via email. The problem here is that facebook has introduced a new vector.

It's low grade evil; but low grade evil multiplied by millions starts looking like more serious evil. Just like low grade incompetence begins to cause serious harm when it is inflicted on millions.

Ever seen sites with the ability to connect via Facebook? It often grants said site(s) with the user's Facebook primary-email. Now all personal emails, including password recoveries, are going through Facebook for said site(s).

I'm having a hard time imagining a scenario where a site would send some information via email but that same information would not be available to anyone logging in via the web interface. But whatever.

You seem to lack imagination when it comes to nefarious deeds, which is fine; unfortunately, facebook does not lack imagination in this area (and in fact, one could argue this is a core belief at facebook, since it was founded upon a hacking incident wherein Zuckerberg borrowed student data).

They desperately want your email...they don't want it because it's cool to be an email provider. They want it because they intend to use it. The point isn't what specific piece of data they'll get from it (though passwords will be among that data--as a mail server administrator of 15+ years I can assure you of that); the point is that it's simply evil for them to interject their servers into the path via deceptive means.

I remember many phpbb forums are configured like that and administrative mails aren't duplicated in the forum internal messaging system.

If the site is using facebook for authentication, you don't have a password on said site, therefore you don't have a password recovery leakage vector.

About a year ago, when the story blew up about the Facebook app sneaking through your phone contacts and adding friends' numbers to your Facebook account, I instantly deleted the Facebook app from my Android, and told my friends Facebook was clearly not reliable to have an app privilege on your phone. I called it that they would eventually do even worse, if you let them have an app in your phone. The general consensus was that I was an alarmist doomsayer extremist exaggerating over nothing.

Well, who is crazy now? :) And I repeat what I said before. If you don't delete your Facebook app, they'll keep pulling stunts like these over and over again. It's very clear from their history that they have extremely little care for customer interests.

The part about "Facebook sneaking through contacts and adding friends' numbers" isn't correct: the Facebook app has always had a pretty clear description about what would happen if contact sync (an optional feature) is enabled.

For example, on iOS, it looked like this almost two years back: http://www.neowin.net/images/uploaded/iPhoneNumber.png (as seen on this page from October 2010: http://www.marismith.com/facebook-phonebook-how-safe-your-ce...) I don't have any old screenshots of the Android version, but the current app is similar to the iOS screenshots above.

"The general consensus was that I was an alarmist doomsayer extremist exaggerating over nothing."

And they'll still call you that. Facebook's hold is too great.

user =/= customer

User = product

If x service is making money off their product (you, user) then you should really have at least some "rights". The key word being should.

If you aren't buying a product, you are the product.

That's worth drilling into your head.

Yes, that means that User = product from HN's perspective, but I am willing to bet it is a lot more of a complex connection than it is with facebook ;-)

I didn't buy my copy of Debian, yet they treat me better than many companies I pay.

I pay for cable, yet I still get advertising.

That "not paying means you're the product" is a nice sound bite, but it doesn't actually mean anything.

It seems the "not paying means you're the product" is short for "not paying a for-profit company means you're the product".

I never said that's a bad thing. But at least with the open source software I work with, if you use the software, great. Maybe you will come to me for services later. I wonder how many Debian-involved businesses have such a model.

Paying for media is an interesting exception. Very often for newspapers, etc, you are both buying a product and becoming a product.

But in the end it's a good warning to know the business model of those you get free stuff from.

The term is "multi-sided market" in the economics literature. We're only beginning to figure them out.

Why should users have rights in this situation, other than the right to stop using the service? I understand why it would be nice if they did, but why should they? Why is it an imperative?

It depends where you are but there are certain legal rights that no terms of use can waive.

They're set up as a minimum standard of acceptable behaviour that someone should be able to expect by default and that there is no reason why a company shouldn't / can't adhere to. Generally they're around physical protection from harm, though they do extend to other things (including Data Protection in Europe).

Why should these rights at least exist? Because (a) people can't be expected to take a detailed look at every product and service they might use to assess it fully, that would simply be too time consuming, so you set a basic standard for prevention of harm and (b) can you imagine what the likes of Facebook or Exxon or whoever might do without them.

> people can't be expected to take a detailed look at every product and service they might use to assess it fully, that would simply be too time consuming, so you set a basic standard for prevention of harm

So basically, you're saying people should trade trust in one third party (the service provider) for trust in another third party (whoever sets and enforces the basic standard). I can understand why people may choose to do this (though in many cases I don't think the second third party is any more reliable than the first), but I don't see it as an improvement. I don't think FB cares about whatever legal standards are in place; to them that's just a cost of doing business. But they do care about losing users.

> can you imagine what the likes of Facebook or Exxon or whoever might do without them.

Sure, and I can also imagine people not using FB or Exxon (many people boycotted Exxon for years after the Valdez spill, IIRC). Also, I can turn the question around: can you imagine what those who are trusted to enforce standards of behavior might do once they know the public trusts them and won't question what they do? How good a job did regulators do at enforcing standards of behavior on investment banks?

And before you ask, I do not use FB, precisely because I don't trust them to take care of my data. And it's not just FB; I don't trust Google to take care of my data, which is why I don't use gmail, for example, or any other Google services except search and maps. I don't expect anyone to take care of my data unless I'm paying them, as a customer, to do that--and even then I watch them.

No, that's not what I'm saying. It's not one or the other, these constraints don't prevent the possibility that people may leave if they don't like a service and what it does, they're an additional guard against the very worst potential abuses.

I'm not saying that because company X conforms with the (very light) regulation in place that they're to be trusted, just that I see benefit in having two forms of protection in place.

You're assuming that there is an actual net benefit to having the second form of protection. I don't think there is. It may seem like a short-term benefit if some regulator actually catches, say, Facebook in the act of misusing people's data; but the long-term effect is that people believe that they can actually trust a company with their data when they're not a paying customer (or even, beyond a certain point, when they are a paying customer). And since the long-term outcome of any regulatory scheme is regulatory capture, sooner or later FB will just be buying the regulations they want, and the so-called protection won't be there any more. Again, I refer you to the economy since 2008.

It's a de facto imperative for startups looking to build loyalty, but FB is far from a startup now. They can do whatever the hell they want and get away with it... for now.

This is about the other side of things. Everyone who had you as a Facebook friend and does still have the app, is now sending you emails that you're possibly not receiving. The problem is worse than you make it out to be. Deleting your whole account and manually telling people your email address was the only way to prevent this.

Yes. I don't recall if it was that dust up or another one, but about a year ago I completely deleted my FB account. As noted above, because it was clear that this was a continuing pattern.

Well, this is my gripe with their "go fast and break things" mantra. It works as long as you have such a highly desirable product that your users just don't care if you're doing everything right. (Or maybe you're in a non-mission-critical business, or better yet, your customers are a bunch of kids!)

I'm all for going fast and sincerely believe in "A sense of urgency", but Facebook is really lucky they're not serving more serious/demanding customers.

It works on facebook because no one uses facebook for anything important. But messing with iOS contacts... that's reaching out and breaking things that aren't on facebook.

Define important. It's become my de facto social calendar, and it's how I communicate online with most people that aren't geographically close to me. (I'm honestly not even sure I even have their email addresses, especially not since this fiasco.)

Yea I communicate with my friends through facebook. That's one way to do it. My communications with friends aren't important compared to something like email which I use with investors or for business. However facebook drops messages often enough that I wouldn't use it for important stuff even if I wanted to.

Facebook is serving shareholders now. I'm hoping there are some serious repercussions internally at FB for this, because as a shareholder, I'm pissed they messed this up because the user base is upset and will continue to stop trusting Facebook.

How's the stock supposed to get back to 38 now?

> How's the stock supposed to get back to 38 now?

Sorry to be cynical, but: it was never supposed to be at 38 in the first place. Facebook isn't worth anything close to its nominal market cap, it's just the latest very high profile pyramid scheme, or rather it would have been if they hadn't gone in so absurdly high with the IPO that even the heavyweight investors interested in risky tech stocks have mostly run away.

If you valued Apple like Facebook was at 38 Apple would be worth over 2 trillion dollars. Also keep in mind Apple is faster growing than Facebook in terms of actually making money.

Yeah, sure there is some potential but perhaps not that much. Everyone does scream it's got the same trajectory as Google, but the thing is they are already slowing down.

If the stock hits 38 again and Facebook has not figured out a marvelous new way to make a lot more money, then it's all just speculation and gambling.

Your mistake was buying into FB. Honestly it will take a major acquisition to reach 38.

"...because as a shareholder..."

A couple quick questions:

1. How much did you buy in at?
2. WHY on Earth did you buy?

It isn't.

Did you buy at 38?

I wish their mantra for anything that touched this much personal contact/privacy information was, "slow down and think things through".

(Granted, a LOT of Facebook touches personal information, but something like this is pretty tendril-y in its reach).

Can any attorneys out there explain how altering computing devices to redirect and intercept email is not a criminal act when done without the knowledge or consent of the owner?

If any of us pulled the same stunt, even if authorized to access the system for other reasons, would we not be subject to prosecution? Hopefully, the same will happen to FB.

In addition to the Federal communications and cybercrime statutes, there is California Penal Code 502:

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

...

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

... etc.

It remains to be seen if there is a prosecutor with the backbone to go after this.

Well, "Knowingly accesses and without permission... uses any data" would make the accessing and transmission of contacts (a la Path and many other apps) illegal. Except there's probably a clause somewhere that you agreed to without reading which lets them do that, and the same may be true here.

While it's probably true that the EULA permits FB to read the contact list, and update it in expected ways, there are many points covered in those statutes: interception and destruction of data, making the system unavailable for its intended use, etc.

Can anyone find language permitting FB to destructively alter the contents in profoundly unusual ways so that email is redirected to FB servers for interception and delivery as FB deems appropriate?

I'd really like to see an informed legal opinion on the possible criminality of their actions.

Not sure about criminal charges, but at the very least, it seems like a negligent act resulting in real damages to many people. I don't think a class-action lawsuit is out of the question.

Don't know in the US, but in Germany it is a criminal act afaik (ianal). Looking forward to the EU investigation into this. Maybe Facebook soon joins Microsoft in having to pay a billion euro fine?

Facebook and Microsoft don't pay fines. Facebook's and Microsoft's shareholders pay the fines.

As I understand it, when an email address on Facebook gets synced to a phone, that's just a cache. Any updates to the email address on Facebook automatically update the cache. When friends update their email addresses, the cache gets overwritten and you don't have their old addresses anymore.

But now, Facebook changed people's email addresses without their permission. The cache gets updated, and boom, the old address is gone.

But what makes it more scary is that people don't actually remember that they originally got the address from Facebook and they don't understand the caching behavior. All they know is that the old address is gone. So they think that email addresses that they didn't get from Facebook are also at risk.

The workaround is to manually copy email addresses from Facebook to some other system. Any email addresses you get from Facebook by automatically syncing aren't safe.

It's a pity; after all, most of the point of the system is that you shouldn't have to manually update your address book when your friends change their contact info.

That's an excellent explanation. It also fits the mold of just about every other "service X broke into service Y and stole my info" story, wherein people forget lots of other plausible explanations.

And a good lesson as to why you should never make unannounced changes to your user's data. They will think you "broke" something, even if it never worked the way they thought it did.

The more important question is, what are Apple and Google doing allowing apps write access to a user's address book??

I can't believe anyone at Facebook was dumb enough to think this was a good idea. But at the same time, I can't believe some "rogue engineer" did this by accident. I'm curious to see what Facebook says about it.

They have to allow write access to some applications otherwise there can be no third-party address book apps. If there was such a permission, you can bet that facebook would have asked for it by default. You can also be sure that hundreds of millions of people would have granted it and we would be seeing the exact same problem.

The root of the problem is facebook. The important questions should be directed at facebook. We can look to Apple or Google for help, but ultimately when we install an application, we grant it our trust and Facebook routinely tramples all over it. Turns out that it's a winning strategy.

This is a very good explanation. But it also points out that the permission system is not really helping when you want background info on what's going on - you and I know this info from a background in development. Take a look at the permissions for google maps on android as an illustration.

iOS 6 beta now prompts for permission to allow access to the address book - the same way you get prompted now for gps or notification permissions when apps request it.

I noticed a lot of those permission alerts, over and over.

Android has a feature where you can indicate that contacts from disparate services are actually the same person. For example, I have my friend Chris in my Android directory, my Gmail directory, on Facebook and on Twitter. Within my contact list, I am able to specify that these are actually all the same person. They're still separate contacts from each service though, they're just grouped together in my phone's directory.

I suspect that the problem being described happens when the only source of someone's email address was the Facebook contact, as I doubt that, e.g., a Facebook contact would overwrite someone's Gmail contacts. At this point it's not clear, however.

I think you're right. If this is only changing addresses that only have Facebook as a source, then it's not really a problem with the phone. But if it's changing addresses that are in your Gmail contacts (say) then it's a serious problem. Worse if the change then propagates from your phone to your Gmail!

I think someone needs to confirm exactly what's happening here.

It sounds like this is iOS's built-in Facebook integration that was blindly trusting Facebook's data.

FB integration isn't coming until the fall - it is currently only available in developer builds of iOS 6.

iOS6 is still in Beta. Be nice to see Apple haul Facebook through the hot coals (?) for this.

Anyone else think Apple and Facebook make interesting partners? They're both doing their best to get users into their own domains to the exclusion of all else.

There's an important difference that I think you're eliding. People who use Apple devices and services, are Apple's customers; people who use Facebook services are Facebook's product. The former are not always treated ideally, but the money flows from them to Apple, so Apple is preoccupied with how to make their long-term experience better - e.g., to ensure that they'll continue to be disposed to give Apple money. The latter are digital sharecroppers, to use Atwood's phrase, and Facebook has repeatedly demonstrated that it doesn't give a shit about making their long-term experience better.

Are any of the iOS complaints coming from people who aren't running iOS 6 dev builds?

iOS6's settings allow you to block individual apps from accessing your address book.

In iOS6 any app that wants to access your address book or calendar has to request permission. It's very much like how an app requests permission to send push notifications in iOS5.

As someone who quit facebook a while back, I can't help but feel that this kind of event vindicates me. Sometimes I'm tempted to re-create a minimal account on the service just for findability, but even that small step would have been enough for facebook to hijack my contact info in a friend's phone. There really is no way to have a facebook account at all, no matter how infrequently you use it, without getting screwed over.

How do you know when someone has deleted their Facebook account?

They'll tell you.

Too true. It's getting tiring reading the comments of posts like this because I know it's going to be filled with people boasting about how they've already deleted their accounts/just did it. The HN crowd is a tiny, tiny minority in the pool of Facebook users, our actions are hardly representative of sea change.

Or blog about it, or write an email.

Because people want to keep in touch with their friends, "friends", followers, etc. They need to notify them that they are using some other way to communicate.

“Everything that has transpired has done so according to my design.”—Mark Zuckerberg

"Pray I don't alter it any further."

You get free unlimited photo storage, free groups, events, messaging, status updates, and more. All your friends are on it and using it. You use it to keep in touch with people around the block and around the globe in real time.

All we ask is that your private communications never again leave this application. Perhaps you think you’re being treated unfairly?

Facebook will fix this embarrassing cock-up as if it had never happened - as always. I find your lack of faith disturbing.

December 2nd, 1998? I'm curious how you had that handy. Have you always liked this comic and finally found a relevant place for it? Was it something you vaguely remembered and Googled?

Dilbert has full text search. Remember part of any phrase from a relevant comic, and you can find it in short order. Not sure how the grand-parent poster found it of course.

There's a difference between complaining about features within Facebook (timeline, etc) and changes Facebook tries to make outside of its app. Changing your personal contact details is way outside.

Not sure how the facebook app integrates with the contact list, but isn't it only a projection of information that facebook servers publish? I.e. it's not "your personal contact details", but rather an entry that you accepted as being presented by facebook?

It would be disturbing if they changed an existing entry that you created yourself, but if it's only an entry bound to an external (facebook) account, I'm not sure it's that bad. Which one is it then?

Also, "break things".

That doesn't speak too well of his design ability.

Just to be clear, that quote is from Emperor Palpatine (Star Wars), not really Zuckerberg.

Oh, I see. That speaks well of raganwald's wit and sarcasm.

That speaks well of Palpatine's design then.

They're two separate people?

Always two there are, no more, no less: a master and an apprentice.

Let me see now. They have pushed their email address out into people’s address books and taken control of their private communications.

Where is the poor (business) design?

> Where is the poor (business) design?

You'll see this when people start recognizing Facebook as the crap it really is, and stop using it.

Possibly, but just for the sake of an interesting discussion, what is there about this particular blatant “It screws users over but it's good for Facebook” move that is different than all the other moves they’ve pulled?

I think the difference here is that everything they've done before now has been more or less bounded by my own actions. If they screw my privacy, it's my own damned fault for posting sensitive stuff to their site. Hell, even if they track me around the web, I should've been more careful about blocking their cookies.

But this is another ballgame. What they've done here is effectively hijack a completely unrelated and ubiquitous communication channel — without any action on my part, and without giving any indication of doing so!

I don't even use Facebook, but since I created a Facebook account at some point in the past, they potentially have access to my inbound email traffic. That's just absurd and stupid.

I've avoided installing any facebook mobile apps out of fear of specifically this kind of thing. I'm much more comfortable keeping it quarantined in a web browser, away from my real contacts list, even if that browser interface is comparatively sluggish and unusable.

I don't mean to defend them because this move is stupid, but to help you get this back in control: you can go to your about page and set the @facebook email to be hidden. I had done this in the past and they didn't touch it.

No, that's the problem here: I had definitely hidden my @facebook email address (setting it to be visible to only me) when it was first created. After a number of people posted this story, I found that the email address was suddenly the only one showing. That's what is so nefarious about this. I had to go and reselect the options I had already chosen, and the only reason I noticed it was because of the press. Really slimy.

I, as well, have set the @facebook.com address as hidden and set my normal address as visible and public. After the story broke I found my usual address "hidden from timeline" and the @facebook.com address visible.

Does this fix any device synchronization problems, where someone you know had their record of your e-mail address changed to the @facebook one automatically?

It doesn't seem to be clear, as I write this, exactly what is going on there and how much is completely automatic/without consent vs. how much was "expected" behaviour. It's pretty clear that a lot of people aren't happy about it regardless, though. Even if some contact originally got onto your phone via integration with a third party service, that could have been years ago. If you weren't aware that the contact was only remaining there/unmodified because the third party chose to leave it that way, it's understandable that you might be upset if that changed without warning after a long time.

I've been waiting for people to stop watching reality TV too.

Still waiting.

Eventually, and maybe even sooner than most think, fb will become yet another dinosaur. It's just a matter of time. Fly dinosaur, fly :-)

I know increasing numbers of people who are either walking away from it completely or largely disengaging, many of whom are people who'd be seen in the sort of groups usually marked out as trend setters, those whose behaviour tends to be copied by others down the line.

I don't think it's going to disappear, but it does feel as though it's reaching something of a peak.


His business card also said "I'm CEO, Bitch."

I just deleted the Facebook app from my iPhone. I have no idea if it altered any of my contacts, but this certainly does scare me enough to warrant deletion.

I wish I could do that. I wonder if Facebook paid HTC a lot of money to make the Facebook app un-uninstallable.

I have suggested this before on another thread and I'm not sure if you can do it on your phone but here it goes.

Root it and use titanium backup to force uninstall, it's how I removed all the junk.

I rooted my HTC Evo just so I could "freeze" the facebook and sprint apps. I got a good amount of extra battery life by doing so.

If you go to Settings >> Accounts & Sync, can you at least uncheck "Sync Contacts" for Facebook?

Or just remove your Facebook login credentials entirely, thus rendering the app unable to do anything? (I don't have that exact model but I think this should work, no?)

I have the Facebook app forced on my Nexus One (thanks, Google!) but I never logged in and it didn't touch my contacts as hoped.

Delete facebook from your life. Lawyer up. Hit the gym.

Words to live by.

If your HN contribution is nothing more than a catchy meme, you're gonna have a bad time.

(So am I. I'm aware.)

Memes are fine, as long as they're amusing.

The community has altered the posting guidelines. Pray we don't alter them any further.

I really don't understand this - FB has repeatedly shown they don't give a shit about users' privacy etc. They also don't care about breaking stuff. This is not the first time it is happening, and won't be the last. So, Why are people putting their work email ids on their FB account???

I've sent several emails to my Facebook email address just for shits and giggles. I've never gotten a single one to go through.

You probably already know this but just to confirm, emails don't show up in messages. Instead they go to 'other' in messages, which no one checks anyways.

That's not consistent w/ my testing:

- email from address associated w/ facebook account goes directly to facebook messages

- email from address not associated w/ facebook account does not arrive, in neither messages nor 'other'

Thanks. I didn't know that and wondered where they went.

How long have you waited? I heard of emails to Facebook taking as much as half an hour to arrive.

Days. Not in messages, other, or anywhere.

An excellent reason not to give apps write access to your address book willy-nilly. You can't trust them not to screw up.

Is it not illegal to intercept private communications without the parties' consent? Seems like this opens them up to a massive lawsuit...

I think you'd have to show they accepted the email, then chose not to deliver it to the user.

I think this is just incompetence. Hopefully, it's coupled with a little incontinence.

But the thing is they're not supposed to get the email at all. The user goes into their contact book and selects the person they want to email, and suddenly Facebook is getting the email instead of it being sent to the person's actual email address.

I think Facebook's position on this would be that the user goes into their contact book, selects the @facebook.com email address of the person they want to email, and then Facebook gets the email because it's on their service.

It's not an intercept since obviously mail servers have to be able to receive email.

I fail to see why that technical detail matters. IANAL but the practical effect of this move is to intercept private communications they didn't see before without explicit permission from the user. I'd love to see a lawyer have a good go at this one.

I've been complaining for ages that Facebook's contact sync was broken in Ice Cream Sandwich. I only had the app installed so I could sync my friends' contact details with Facebook anyway, and every update I'd check to see whether they'd fixed it. But it was still broken, even after dozens of updates.

Now I'm glad it's broken!

Just in case you were being serious... Facebook sync wasn't broken in ICS. Google intentionally disabled the feature in Gingerbread.

"Google says it is removing Facebook contacts because they are not stored locally on the phone like other contacts. This means that, unlike your Google contacts, the Facebook listings aren’t exportable so, if users decide to close their Facebook accounts, those contacts will disappear from the address book, something which violates Google’s notions of data portability."


Agreed. I paid a buck for HaxSync to get sync working on ICS, looks like it wasn't able to overwrite the email addresses I had for people. I just disabled contact sync for HaxSync and Facebook (in case they actually decide to get it working with ICS)

The part that really bothers me - The address books on iOS 6 changed without the user noticing.

The funny part is my friends thought I was crazy NOT to sync my Facebook contacts with my gmail contact list.

This is a great example of why I continue to keep my information segregated across different networks. For all of the nonsense Facebook keeps pulling, I continue to have a healthy dose of scepticism when allowing them access to ANY of my information - let alone letting these networks interact with each other.

Losing emails and user dissatisfaction is just a bug. Making their email addy the primary specifically to seed everyone's contacts with it via sync-enabled apps was the feature.

Behaviour awfully similar to that of a virus, or malware.

How does this not violate CFAA? This really sounds like a company that believes it is above the law.

Uh, how could it violate CFAA? It's their own systems, and their data (they own it all).

I have no clue whether this violates CFAA, but arguably they usurped address books and intercepted user's communication.

This was obviously intentional, and the timing makes sense -- Apple is rolling out address book synchronization with Facebook.

I hope this forces Apple to reconsider.

Maybe it's a stretch . . . But it does sound like their system is presently causing changes to occur in external systems that were not authorized. Then again, having your address book linked to FB might be construed as authorization . . .

I wonder how high up within Facebook that decision originated and was ultimately approved.

Amount raised on IPO: $16 Billion

Value of Zuck's shares post-IPO: $19 Billion

Pissing off 800 million users with a forced email change: PRICELESS

There are some things money can't buy. For gut-wrenching invasion of privacy there's Facebook.

Quite apart from the ethical ins and outs of this, it's simply a buggy release.

I played around with my new (and unwanted) email address and found the following:

1. Email sent to the new facebook address from the gmail account associated with my profile gets delivered to my facebook messages.

2. Email sent to the new facebook address from another gmail account I own is not delivered. It simply disappears.

This is basic stuff. I guess they did like no testing before they released this f*up to their billion or so users.

Bundling things together gives the bundler more leverage. And opens you up to paying more when they make a mistake.

An older German lady I know told me many times growing up that you should not $h|t where you eat. In other words, it pays to keep some things separate from other things.

If you value someone's contact information, keep track of it separately. And have a backup.

Facebook managed to remove any opportunity to email me from my Facebook page. I'd previously set my @facebook.com email as visible only to me, so that it wasn't published to the page. They didn't change that, but they did set all of my other email addresses as "hidden from timeline."

Here's my fear. I deleted my FBook account a couple years ago. And it seems to be at least inactive, but I assume there is still an entity representing "me" in some state at FBook, because that's how FBook rolls.

As I understand this latest feature, if I am a contact on someone else's phone, and their FBook app notices that I am a FBook user, that person's entry for me gets slammed to now point to me@FBook. So when that person emails me, it no longer goes to me@me.com, it goes to me@FBook.com. Which is an address that may or may not exist, but I'm gonna go out on a limb here and guess that FBook doesn't respond with a no such address, it just consumes the data. And I'm suddenly unreachable.

I wonder if this isn't a breach of the stricter privacy laws we have in Europe. Redirecting the email I send to my friends to Facebook's servers without asking for my consent looks very suspicious to me.

At first I was wondering what Facebook has to do with email.

Then I read this:

"alterations that had begun in their contacts and address books outside Facebook -- valid e-mail addresses were being changed for @Facebook without people's awareness"

WTF?! This sounds like the facebook app has access to modify the contents of a phone's address book without direct user action. Is that what's happening here? I just checked all my contacts and everything seems fine (BB7.1)

Does anyone know if there is some kind of possibility to copy facebook contacts to my phone? I'm using Android+Facebook sync. Phone is rooted... I have at least 100 people who are facebook contacts and the ones I don't want to lose, but I'm not even able to copy paste their number not to mention copying them to phone/sim card...

I know facebook doesn't want you to do it, but there has to be a way....

The way I copied facebook contact information was to sync to yahoo contacts, then export yahoo contacts, then import into google contacts.

I'm not sure how this would work on/in the mobile ecosystem, but I'd have to imagine that getting on your desktop/laptop computer for a few minutes would be worth the effort of backing up the information.

I just uninstalled facebook from my android phone. The facebook contacts and their information is still being shown in my phone contacts list. I am not sure if it will be deleted in future (during some sync operation). If that happens, I may install it back again. In the latter scenario, merging the contacts however will be a pain.

I tried the same and contacts disappeared.

Okay, I tried to look some more. I discovered that there is a "Facebook" option in the accounts list that I can add on my phone (Motorola Droid Bionic). This facebook account was responsible for the facebook contacts in my address book. So, I went to the facebook website and revoked its permission to access my account.

It's been more than a day now, and the facebook contacts are still there in my phone. Maybe you want to add the facebook account, and then revoke its permission from the facebook website. I think this will leave your facebook accounts in your phone.

I will update this post if my contacts disappear in near future.

OMFG, are they this desperate to fight off Gmail!

People call G+ a desperate attempt, but this is ground-bottom. There's only one word to describe this, disaster.

Anyone else find it odd that the day the facebook email change scandal broke, they announced Sandberg was their first ever female on the board? Really looked like they had a distraction press release in the pipeline for exactly this scenario, and they popped the top as soon as there was backlash.

I feel so sad that there is no competing product out there and thus FB has the balls to repeatedly treat its users insignificantly.

It's even more sad FB is using it (the fact that all of my friends are on FB and hence I wouldn't switch) to take undue advantage in a way that I would not permit had they asked me.

The depressing thing about this is that people will notice that email doesn't work and then use fb messages even more. I mean, how many people are still with one of the major banks, only a few years after their greedy behavior caused so much harm?

Don't many phone users sync their phone contacts to Outlook and similar? So wouldn't this lead to "work email" contacts being caned by Facebook?

I just checked mine, but seems all my contacts only have phone numbers since I use Gmail and GApps web-only accounts.

That is why you need Distributed Social Networking Protocol. http://en.wikipedia.org/wiki/Distributed_Social_Networking_P...

To be clear, does this affect iOS 5 address books? What if those contacts are pulled from an Exchange account? I sync contacts but thought that only went as far as photographs and putting those silly links to profiles.

iOS 5 doesn't have FB integration, so it couldn't happen directly.

I don't know if the FB app can write to your contacts (although it can read them, which caused that dust up earlier in the year). That's where the danger might be for iOS 5 users.

The FB app can update your contact photos when your FB friends update their profile pics, I actually like that feature, it’s fun and relatively harmless.

I didn't know that (I don't log into FB much), that's actually kinda neat. That would be a great way to keep photos for everyone.

If you're not capable of actually pinning down the social graph, just cut links until you get to something tractable. Excellent plan.

To be clear, does this affect iOS 5 address books?

This is why I never upload my pictures or videos on facebook and I have my home town and current city set to Valhalla and Atlantis.

http://techcrunch.com/2009/12/15/facebook-lie-terms-of-servi... "Mr. Schnitt suggests that users are free to lie about their hometown or take down their profile picture to protect their privacy..."

The clarification from Barry Schnitt (Facebook’s Director of Corporate Communications and Public Policy) was even worse:

"I think WSJ is paraphrasing. What I said is profile picture and current city are optional. You don’t have to include a profile picture or you can include a picture of your dog or anything you like. Similarly, you don’t have to indicate your current city or you can indicate that your current city is “Atlantis”, “Valhalla” or, again, anything you like. We hope people will use accurate information if they are comfortable doing so because that information helps them to be found by their friends, which is part of the point of joining the site."

I hope someone chimes up again saying how Facebook has so many smart engineers on staff. This looks like either an intelligence failure, or an ethics failure, or a little of both.

God damn facebook. This is why I hate their motherfuckin' asses

What? Is this Reddit now?

So I hold an opinion and do have substantial intellectual abilities. Does that mean I must be erudite in every post? <-- rhetorical answer because the answer is an assumed "No."

> Does that mean I must be erudite in every post?

No, you make your own decisions, you don't have to give knowledgeable answers. But it is always a good thing to word your answer while respecting the nature of the forum you are posting it to.

Lolz. Even a reasonable post gets downvoted.

Now I'm just itching for downvotes. GIVE ME THEM.

I think you are being downvoted because none of your posts are reasonable or add to the discussion on HN. For example, you asked if all your posts must be erudite, and you believe that the obvious answer to your question is "no".

Basically, when you can't even answer your own rhetorical questions correctly, then it's pretty much all downhill from there.

Why would anyone on God's green earth sync their Address book to facebook!?! It's a social network for crying out loud, not a work place! WT..!!

This is what happens when you mix work and pleasure ha ha, it's a stupid kids' playground to post stupid things and do nothing all day! I just can't get past it, why would anyone sync their address book to FB!? ha ha ha

Why on earth do you think that everyone's address books are business-only?

Because most of my social contacts are on Facebook? And by keeping my address book synced, I don't have to keep track of every time everyone gets a new phone number or email address.
