So, when is the FTC going to actually bring down the hammer on FB for violating the consent agreement? There's no way this was "unintentional."<p>At $40,000 per user per day [1], even at just one day of violation, that's a $60 billion fine FB should be liable for. "Under the settlement, Facebook agreed to get consent from users before sharing their data with third parties," so this seems to be EXACTLY in violation of that agreement.<p>[1] <a href="https://www.cnet.com/news/facebooks-ftc-consent-decree-deal-what-you-need-to-know/" rel="nofollow">https://www.cnet.com/news/facebooks-ftc-consent-decree-deal-...</a><p>*Edit: on second thought, it should be even higher, as each of the 1.5M users had multiple contacts uploaded. So, for example, let's say 1 user had 150 contacts who were not part of the other 1.5M users who had contacts uploaded. That alone should be a violation of the consent rights of those 150 people, so $6 million per day. If every one of the 1.5 million people had, on average, 150 contacts exclusive of the other 1.5 million people who had contact info uploaded, that's a $9 trillion liability for one day of violation.<p>The FTC has been toothless on this for quite some time now, so I'm expecting no significant action as FB lawyers will defend that no one had data shared with "third parties," technically. Well, shouldn't my contact info shared by a friend with FB be a consent violation as FB is a "third party" from my perspective?
FB's public comments about these remind me a lot of the "5 Standard Excuses" scene in the '80s BBC sitcom Yes Minister, where a civil servant lists the best CYA mea culpas for politicians to use when something goes wrong.<p>1. It occurred before certain important facts were known, and couldn’t happen again<p>2. It was an unfortunate lapse by an individual, which has now been dealt with under internal disciplinary procedures.<p>3. There is a perfectly satisfactory explanation for everything, but security forbids its disclosure.<p>4. It has only gone wrong because of heavy cuts in staff and budget which have stretched supervisory resources beyond their limits.<p>5. It was a worthwhile experiment, now abandoned, but not before it had provided much valuable data and considerable employment.
18 USC 1030 (a)(4)<p>(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value<p><a href="https://www.law.cornell.edu/uscode/text/18/1030" rel="nofollow">https://www.law.cornell.edu/uscode/text/18/1030</a><p>A criminal investigation into whether or not this was really accidental would be entirely warranted here. If there was intent to access this information without authorized access that is criminal.
Saying "unintentionally" here is like saying you unintentionally stole someone's TV when they gave you their key to walk their dog.<p>It takes extra work to upload those contacts, which means several managers and developers decided to do it and then spent time implementing it.<p>For the FB employees reading this: what is your tipping point? Would you say no to that assignment?
First they ask for email passwords. Then the new users assume Facebook won't comprehensively mine their emails. Then Facebook awkwardly gets caught uploading 1.5 million users' email contacts.<p>It doesn't make sense for people to trust the service at all unless you assume one of two things:<p>1 - Despite all the outrage on hackernews, and the NWT stories, our neighbours down the street and family members still don't know how Facebook works or what is done with their data<p>2 - They don't care about their data privacy. I've heard this claim many times, but the people saying it often change their minds when they read more news stories. I really do think people have trouble assuming the worst about the intentions of others and are inclined to be trusting.<p>edit: clarification
FB has said they'll be notifying the people whose contacts they "unintentionally" uploaded. How about notifying <i>those contacts</i> whose private details they illicitly obtained that their privacy has been compromised by Facebook - the innocents who signed up for FB and had their contact-list stolen (let's call it what it is) may or may not feel any moral obligation (more likely, don't even see the issue) to notify their friends/family/plumber whose details they "lost" to a thief.
This seems like a case similar to the Google WiFi data collection. Code written for one reason was reused in a different project without understanding what it would do.<p>Here’s an example page from 2011 talking about Facebook’s old feature to import contacts via providing them your email username and password. This was at a point when many web mail services didn’t offer an OAuth API to do this, so it did make some sense at the time. It was still safer to do a CSV export and then import, but much easier for users to provide the password directly.<p><a href="https://www.techwalla.com/articles/how-to-import-contacts-to-facebook" rel="nofollow">https://www.techwalla.com/articles/how-to-import-contacts-to...</a><p>> Type your email address and password for the Web-based email or instant-messaging service that you want to import into the dialog boxes and click "Find Friends."
LinkedIn pulled something similar a few years back. At the time, I was using the same password for both my email and LinkedIn account, and found that people from my email address book were showing up as suggested connections. I can only assume "consent" for this was buried in the T&Cs.
Since FB has gone out of their way to weaponize "friendship", my suggestion to everyone who actually likes to have some standards in their life and doesn't like to be manipulated like that is simple. Just do it back to them. "Unfriend" (IRL) everyone you know who works at Facebook and tell them you will "friend" them back once they leave the company.
This may be an unpopular opinion, but things like this happen. Someone gets the task to implement a login and either doesn't realize they should be using OAuth or is simply too lazy to do so. Next, someone has the idea to suggest friends, so let's grab some email contacts for that purpose.<p>That stuff happens all the time at small companies. While it's certainly bad practice, it's often not evil intent, but just lack of technical skills (for the former issue) and missing sense for potential privacy issues (for the latter).<p>In case of a large company like Facebook, one could expect they'd have processes and education in place to prevent such incidents, but I guess this happened a while back when FB was much smaller than it is now.
Not for one second do I believe this was unintentional. After all data scandals where Facebook didn't actively care or even empowered the problem by not acting towards privacy.<p>I think this company is inherently bad from the top and everyone working there is enabling them. Sure, it pays well.<p>Problem is, most bigger companies do bad things. See VW and the emission scandal and I hope Winterkorn and other top managers go to jail for that. Also I'm biased, for me Facebook and Instagram are pretty useless, the only useful product they have is WhatsApp...
Can't someone file a class action lawsuit against Facebook?<p>I mean, it's nice that they are deleting the information now, but they clearly did something wrong, and by basic standards, they should be punished. And deleting the stolen information isn't punishment, and since they probably won't delete any new ad targeting information they gathered as a conclusion from the contacts, they are still profiting from it, so the punishment should be more than just a small fine (that I hope they get).<p>I'm just sick of them (and other companies) "accidentally" doing something wrong, and barely get a slap on the wrist.
><i>Facebook says that it didn't mean to upload these contacts</i><p>How can you not mean to? It's one thing to say that, were it something tangible, like paper, "Sorry, mate. These pages snuck in with the others. Sorry about that. We'll pull it out. No worries."<p>Pulling contacts and uploading them is not a passive action but takes active action.<p>><i>and is now in the process of deleting them.</i><p>So, the question must then be asked: How do they differentiate the sources of contacts associated with an account, unless they're logging that, as well? If they're not logging that, then how are they, presumably, deleting those contacts?<p>Are we taking bets on Facebook being in the news again, in a months' or so time, for being found to not have deleted them? :)
I don't recall ever hearing that Facebook made a mistake which <i>decreased</i> the amount of data they collected or their usage thereof. Can anyone provide an example?
At some point, some government is going to have to step in and stop Facebook. Five years ago, I would not have believed that I would have supported government action. Now, I’m afraid for the future if there is no intervention.
Phones need better features to entirely prevent these things - so apps can't trick the user. I want no application to have access, something like Incognito mode for all apps basically. The permission dialogues are typically not very helpful to make a meaningful decision and apps don't function at all without certain permissions. So why not allow to "fake" contacts, storage, location, etc...<p>Majority of apps are just spyware anyway.
How is LinkedIn not under more scrutiny right now? They used to ask for my email password all the time along with re-asking for access to contacts at EVERY LOGIN.<p>I know this isn’t a contest, but I always felt LinkedIn was twice as scummy as fb.
Why are companies even asking users to provide passwords for unrelated services? For example, when I added an external account on Etrade, they gave me the option of same day verification of that account if I provided them my online banking account credentials.<p>This practice opens up a significant potential for abuse and should be illegal.
The only way FB will change its ways is if (a) good engineers stop joining them, and (b) good engineers at FB start leaving. This will threaten their entire growth prospects and finally bring about change.<p>I was having discussions with FB recruiter and some of their senior managers. I just informed them that I won't be pursuing that anymore.<p>FB engineers who are on HN: why are you still there? You can make similar money at several other companies <i>without sacrificing your soul!</i>
I guess that to the average users, every single incremental step seems innocuous. The complete picture, however, is not foreseeable to them.<p>If the full scheme of Facebook's business strategy (and other companies' as well, for that matter) were clear enough, a mass exodus would take place.<p>I'm still hoping a mass exodus takes place some day, or at least, like Roger McNamee has suggested, log and data deletion is enforced in some way.<p>This has to stop. Even if there is some temporary outrage, these companies remain unaccountable and get away with whatever they want.<p>From now on, I think I'll stop replying to emails provided by companies whose trust I've long lost and use only Protonmail's encrypted link feature.
Forget the contacts. People willingly gave Facebook their email passwords. Did Facebook also accidentally upload users' emails? Why would Yandex (from the screenshot) even permit this?
I hate it when I accidentally write some code to crawl email accounts for data and accidentally upload that data. Accidentally deploy that code to production, hide the opt-out button, and forget to post a disclaimer. Gosh darn it!<p>I'm just a mess without my morning coffee. If I don't get a good cup of joe in the AM I could do something reckless and random... like violate the privacy of millions of people! OOPS!<p>You know what I'm talking about!
Right!
...
right?
...
And if we consider Facebook's normal modus operandi: Today it's 1.5 million, a week or two later, they will say it was 15 million and 2 months later, they will say it was 150 million+.<p>Don't give access to your contacts, location, emails and photos to not just FB, but also WhatsApp and Instagram. If you must use them, try doing so from incognito browser windows. Facebook has proven time and again it cannot be trusted.
This is like the app version of "sorry honey, I totally didn't mean to stick it in your butt but it was dark".<p>Facebook knew exactly what they were doing but they're playing dumb because it's less insulting to the recipient that way and they feel that will minimize the response.
I work in UX and this isn't unintentional. The copy "Facebook doesn't save your password" proves this was intentional. I'm sure the PMs there are all drinking the Kool-Aid and are rewarded in getting as much data from the user as possible.
Similarly, Google has been publishing my mailing address on the "Maps" app for decades and I've yet to see bloggers write about it.<p>Publishing mailing addresses is <i>worse</i> since that is a physical location in addition to being mail location.
Can someone use a throwaway e-mail address to sign up for Facebook?<p>Once the e-mail address is validated, is there any further need for a valid e-mail address to continue using FB?<p>Historical fact: Going back to the days when a university address was required, if the user created her Facebook account while at university and her e-mail address later expired when she graduated, FB did not disable the account.<p>Unless one wants to get notifications and other FB crud via email, AFAIK there is no need for a working e-mail address to use FB.
Kinda off topic but I find it incredibly worrying the lack of privacy people have online when it comes to advertising. There is creepy retargeting and then there is retargeting to specific individuals.<p>Right now I can find just about anyone’s email, seed them with an ad pixel, show them hyperpersonalized landing pages and follow them online knowing exactly who they are, allowing me to tailor ads to individual level.<p>If that doesn’t creep you out, what would?
Related:<p>WhatsApp on iOS recently updated, and now will only show phone numbers for contacts UNLESS <i>I</i> upload my contacts.<p>In the UI if I click on a number it will take me to the profile where I can see that user's name ~Tom, but wow, waddamove... Have we reached the point where FB can't make any more money until they go deeper or is this just drag-net "data is the new oil"
To be blunt: when I'm hiring for a developer and interview someone who worked for Facebook as an applicant I'm going to have a <i>lot</i> of questions about exactly what they worked on. There's no way a feature like this was created by accident, the developers who put it together knew exactly what they were doing, and did it anyway.
Related: <a href="https://news.ycombinator.com/item?id=19559617" rel="nofollow">https://news.ycombinator.com/item?id=19559617</a><p>(<i>Facebook Asking for Some New Users' Email Passwords</i>)
I find it astonishing people are still on fb, and even moreso that people that are still on there have the slightest expectation that their data will be handled with care & respect for their privacy.
If you have a bunch of photos of Mr. Zuck with a frowned, sad, confused, etc face, sell them! With the amount of stories popping up, one could make a decent income out of them.
Why does it ask for your e-mail password to begin with? It is sad that there are 1.5M people out there (and probably more) that actually gave them their password. Scary.
Post-GDPR this is "unintentionally" and they try to make amends. Pre-GDPR that would just have been a "happy accident" and they'd just have swept it under the rug.
While they are deleting the imported contacts, that doesn’t undo any potential shadow profiles they generated, any training to their ML models that associate users (relationships), or any training to their advertising models. I believe Facebook doesn’t care about the contacts themselves. They wanted all of these corollary benefits that the general public will not be thinking about.
Honestly I don't understand why Zuck doesn't sell up at Facebook and use his considerable money and brains to move to philanthropy, like billg. His personal brand is going to continue to dive while he's the face of this bullshit.
By now we all know how Mark Zuckerberg rolls.<p>"Dumb fucks" wasn't just an episode, that's his character.<p>He'd probably be a good friend of Martin Shkreli if he wouldn't care that much about what others think of him.
The selfish part of me wishes that the media would stop reporting on the endless procession of privacy violations / attacks by Facebook. It doesn’t seem to change a damn thing (Facebook revenue, DAU, etc seem to just keep going up). All it does is make me depressed, watching as we all just aimlessly shuffle pathetically toward some surveillance capitalism dystopia.
The incessant stories about Facebook are beyond tedious. I don't even know how to complain about this. I suppose it would be nice if we could somewhere officially label Facebook as dodgy rubbish, and abandon everyone who continues to knowingly use it to suffer the expected consequences, and never have to read another unsurprising article about them ever again.