Facebook Admits to “Unintentionally Uploading” 1.5 Million Harvested Emails, Passwords & Contacts

If Facebook was a company touting its “days without an accident,” that sign would have been completely thrown out by now. After months of countless scandals surrounding data, surveillance and censorship, a new report from Business Insider gave users a rare admission of fault from Silicon Valley’s worst offender: revealing Facebook “unintentionally uploaded” the email contacts of 1.5 million new users who registered on the site since May 2016.

The company admitted this after a security researcher’s tweets began to question why Facebook was asking users to directly enter their email passwords in order to verify their identities. At the time, Business Insider didn’t know what to make of this, but their Facebook sources explain this was used to “improve ad targeting, build Facebook’s web of social connections, and recommend friends to add” whether the users like it or not, thus harvesting contact and log-in information without user consent.

According to the Facebook spokesperson, this practice originally began before May 2016 when the verification process involved both uploading the email password and contacts “voluntarily.” After this date, however, the company gave users a vicious false ultimatum between uploading a password the company has no right to know or being locked out of their Facebook account forever. The kicker? All warnings about contact uploads were deleted from the agreement screen — but the practice continued anyway. 

A Business Insider test allows us to view several screenshots concerning how the process goes. Upon signing up for a new account, users are required to provide the information without much detail. It doesn’t say whether it’s for identity verification, contact uploads, content reviews or anything. You just have to take the leap of faith the blue button represents. 

Facebook Email Harvesting

Once you enter the details and take this leap, Facebook begins the harvesting process before your very eyes. Without the permission of the user, a dialog box soon pops up to inform users they’ve begun “importing contacts”, implying Facebook is conducting a review of where emails are exchanged and using meta-data to connect these emails to Facebook accounts. Once this is known to the user, the process can’t be stopped mid-way through. There’s a reason why mother said never to give strangers your details — your account is suddenly out of your own hands until the search is complete.

Facebook email contact verification

Facebook Email contacts

This wasn’t some legal fine-print trickery, where the privacy catch can be learned beforehand by reading the agreement statement. Instead, there were no such documents in the first place, effectively giving the user no possibility to grant informed consent until the button is pressed and the contacts are already uploaded to Facebook servers — and once it’s pressed, there’s simply no turning back. 

But don’t worry! The spokesperson said Facebook apparently had no access to the content of user emails! Never mind the fact users gave their direct login information allowing such abilities. Apologies, but the days of taking Facebook assertions at face value have long since passed. User contacts alone are highly sensitive data. The state can’t demand such communications knowledge without a warrant, let alone a corporation.

Facebook, always trying to save face, released another statement:

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said. “We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

The incident serves as another example of why the cyber-libertarian dreams of Silicon Valley have failed the public. This privacy violation isn’t a bug with an unaccountable, online socio-economic system — run exclusively by the most powerful private interests who view users as expendable income — but an intended feature for higher profits. This was the admission of the spokesperson as to why the process helped Facebook in the first place. The principles of liberty through privacy are antithetical to the almighty dollar.

Since the Cambridge Analytica scandal broke in early 2018, Facebook has been on a political warpath to maintain the status quo of self-regulation. The big tech giant has hired lobbyists to fight The California Consumer Privacy Act (CCPA), a sweeping new piece of legislation that, through a ballot initiative, would grant California residents concrete control over their personal data and wield restrictions on Silicon Valley. The CCPA allows users the right to control their own data, easily opt out of a companies’ data harvesting tactics and prevents the sale of such personal information and data without consent.

Despite their best efforts, the bill was signed into law by Gov. Jerry Brown during the 2018 mid-term elections. If there was big tech accountability in California, Facebook’s verification scandal could be considered a criminal offence, provided residents were affected by the harvesting. NBC News showed their data practices are purely to maintain monopoly power, citing company documents showing Facebook unethically uses data to leverage power over their market competitors, so it’s not unreasonable to demand Congress and lower governments enforce any policies keeping to America’s anti-trust standard.

It’s not enough for neoliberals and conservatives to virtue signal on social media about social media tyranny when their ideologies allow such practices in the first place. It requires the people to use their will and demand their rights be protected by law. 

“Mining and oil companies exploit the physical environment; social media companies exploit the social environment,” said controversial billionaire George Soros during his Davos panel earlier this year. “The owners of the platform giants consider themselves the masters of the universe, but, in fact, they are slaves to preserving their dominant position … Davos is a good place to announce that their days are numbered.”

Related News