Facebook has admitted it “unintentionally” harvested and uploaded email contacts from 1.5 million people, showing once again a lacklustre approach to user privacy.
The practice, used to verify the identity of new members and recommend friends, has been ongoing since May 2016 according to Business Insider, which broke the story.
At the start of April, some users reported that Facebook asked them to supply the password for their email account. It was a move much maligned by security experts at the time. Today’s revelation that 1.5 million people had their records uploaded has drawn further criticism and again highlighted the importance of gaining clear consent when handling user data.
Facebook says it has stopped the practice and that it will notify users who had their contacts taken without consent. The contacts will also be deleted, Facebook said.
“This news illustrates how easy it is for any company—not just Facebook—to skip asking for consent when harvesting personal data like your contacts,” said Brian Vecci, field CTO at data protection firm Varonis.
“Consumers need to be vigilant but also need a basic set of online rights. Companies shouldn’t be able to grab your entire social network through your contact list without express permission, and companies like Facebook need to face penalties when they do it.”
Facebook’s email harvest – a breach of GDPR?
Europe’s new and tougher data protection law – GDPR – threatens a maximum fine of €20 million or 4% of global annual turnover, whichever is higher.
“Under GDPR Article 7, consent for the collection of personal data must be unambiguous and for a defined purpose,” says Tim Mackey, senior technical evangelist at Synopsys. “While at first glance it may appear that requesting access to a new user’s contact information satisfies this criterion, that isn’t the case.
“Article 7 (4) states that consent is only freely given if the processing of the data – in this case email address and email password – is required for access to the service.
“As Facebook users know, the Facebook service doesn’t require Facebook to collect and process email passwords.”
Facebook email error latest in a long line of scandals
The latest is comparatively mild, in terms of both scale and impact.
“Luckily, there doesn’t seem to have been a major breach of such data,” says Jake Moore, security specialist at cybersecurity company ESET. “But it just goes to show how easily your personal data or even passwords can be compromised and why we should have tighter password management.”
Moore advises users to use a unique password and multi-factor authentication to err on the side of caution.
“It just goes to show that however big or small the company is, mistakes can occur to the detriment of your password, so if there’s one thing you do differently today, make sure you download and start using a password manager app.”