Facebook under investigation for harvesting 1.5m users’ contact lists

The New York Attorney General’s office announced last week that it’s launched an investigation into Facebook’s harvesting of 1.5 million users’ email address books without their consent.

Earlier this month, a security researcher had noticed that Facebook was asking some new users for their email passwords when they signed up: what he called “a HORRIBLE idea from an #infosec point of view”…

…particularly from a company that’s mishandled the passwords we use in two-factor authentication (2FA) and which saved hundreds of millions of users’ passwords to disk in raw, unencrypted form.

But Facebook wasn’t just asking for some new users’ email passwords, the company would go on to admit: it was also sucking up their contacts, popping up a message saying the platform was “importing” their contacts without asking for permission first, nor offering any way for users to cancel the process.

Facebook admitted it had “unintentionally uploaded” 1.5 million contact databases of new Facebook users since May 2016. But as noted in a press release issued on Thursday by the office of New York Attorney General Letitia James, the number of emails drawn into this filter feeder’s baleen is bound to be orders of magnitude higher, as in, hundreds of millions, given that the affected people could have hundreds, if not thousands, of contacts in their contact databases.

While Facebook claims that 1.5 million contact databases were directly harvested by its email password verification process for new users, the total number of people whose information was improperly obtained may be hundreds of millions.

Well, isn’t it just typical, AG James said. It’s just the latest demonstration of how Facebook “does not take seriously its role in protecting our personal information,” she was quoted as saying. She added…

It is time Facebook is held accountable for how it handles consumers’ personal information.

Put it on top of the “legal repercussions” pile

She’s not alone in that belief: Facebook’s anticipating that an upcoming settlement with the Federal Trade Commission (FTC) over user data privacy handling could be up to $5 billion. Canadian regulators last week said that they too believe that Facebook has broken the law and plan to take the company to court to force it to change its practices.

The Irish Data Protection Commission also said last week that it’s investigating Facebook over the issue of user passwords stored on its internal servers in plain text format.

“Unintentional” (perhaps illegal) but great for ad targeting!

Getting its hands on this vast trove of emails is great for Facebook’s core business of ad targeting, as well as to expand its already vast web of social connections. But it could have broken a number of privacy laws, some say.

Experts told Business Insider that the harvesting of the 1.5 million users’ email contact lists could possibly violate a 2011 consent decree between Facebook and the Federal Trade Commission (FTC), the EU General Protection Data Regulation (GDPR), and potentially even the Computer Fraud and Abuse Act (CFAA).

A Facebook spokesperson declined to comment on the legality of the company’s actions when Business Insider asked.

The investigation

Two people briefed on the NY AG’s investigation told the New York Times that it will “focus on how the contact list-importing practice came about, and whether or not it spread to hundreds of millions more people across the social network.”

After a furious backlash, shortly after the press got wind of the practice, Facebook said it stopped asking for new users’ email passwords and stopped importing their contact lists. Last week, it told news outlets that it was in touch with NY AG James’s office and was responding to questions about the matter.