Application security, Compliance Management, Network Security, Privacy

Facebook says it ‘unintentionally’ harvested 1.5M users’ email contacts via verification feature


Facebook has once again stoked controversy after the social media giant reportedly owned up to "unintentionally" collecting the email contacts of 1.5 million users without their consent.

Business Insider revealed the company's latest data mismanagement gaffe in an April 17 news report, after its staff members created a fake account and entered an email password for verification purposes. At that point, a message appeared indicating that Facebook was importing the user's email contacts, without ever asking for permission.

A Facebook spokesperson reportedly told the news outlet the company intends to notify all affected users and delete their contact information, blaming the involuntary data collection on an oversight related to a change to its verification feature.

Prior to May 2016, individuals who used their sensitive email passwords to verify a newly created Facebook account – a practice security experts have criticized – had the option to upload their email contacts as well. The spokesperson said the company changed this feature and, in the process, eliminated the text informing users that their contacts would be imported. But the underlying functionality remained after the change, resulting in unauthorized data collection over the last two years.

The spokesperson reportedly also explained that Facebook had very recently stopped asking new users for their email passwords (but not before Business Insider had tested the feature for its investigation).

"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," a Facebook spokesperson said. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account... These contacts were not shared with anyone and we're deleting them. "

A follow-up article from Business Insider on Thursday said that Ireland's Data Protection Commission has been in touch with Facebook regarding this incident, as it determines its response under the guidelines of GDPR.

Facebook has been under constant fire for a series of privacy and "fake news" scandals ranging from the Cambridge Analytica controversy to a recently discovered data breach affecting tens of millions of users.

Despite the social network's claims that the data collection was unintentional, Dan Goldstein, president and owner of
digital marketing agency Page 1 Solutions, believes this latest misstep continues a trend of Facebook riding "roughshod over issues of consumer consent in order to collect data."

"Taken in concert with recent revelations that Mark Zuckerberg approached third parties to gauge the market value of user data, this latest headline is chilling," Goldstein continued. "It paints Facebook as a glutton for data, even among internet users who aren't signed up on the platform. The commodification of private information by Facebook makes its dealings with third-party apps and developers look unseemly."

Brian Vecci, field CTO at data security firm Varonis, shared similar sentiments. "Today’s news shines yet another spotlight on Facebook's glaring oversight when it comes to consumer data privacy," said Vecci. "These online giants shouldn't be able to just grab your entire social network through your contact list without specific permission, and companies like Facebook need to face stiff penalties when they do it. Without basic consumer protections that lead to real penalties, this kind of thing will continue to happen. And while financial penalties are a good disincentive, unless there’s real legal teeth behind the regulation, these companies will continue to search for ways to do things the easy and cheap way."

"...This incident shows why Facebook and other large enterprises need to be more proactive when it comes to data privacy and security," said Monique Becenti, product and channel marketing specialist at cloud-based security tool provider SiteLock. "In addition to the ongoing privacy and security issues involving Facebook, ‘moving fast and breaking things’ isn’t an effective way to make decisions when consumer data is involved, as managing a massive quantity of data requires having a careful plan in place."

"With this in mind, companies need to evaluate how much consumer data they really need to be collecting," Becenti continued. "With more data comes more risk, so companies should evaluate what data they are storing and why."

SC Media has reached out to Facebook for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.