Facebook's Terrible, Horrible, No Good, Very Bad Privacy Week
from the isn't-that-every-week dept
I know that some will argue that “every week” is a bad week for Facebook with regards to privacy, but this week in particular is looking especially awful, with (last I checked!) three “big” stories regarding the company’s bad decisions and handling regarding data. Of course, because this is Facebook, I still think the reporting is getting the story a bit wrong. The story that has gotten the most attention is the least concerning, while the ones getting less attention are the real problems.
First up is the NBC News story going through a big pile of leaked internal documents from its ongoing lawsuit with app developer Six4Three. If you don’t recall, the company, which made a skeezy app to let you find pictures of other people on Facebook wearing bikinis, got mad and sued Facebook when Facebook (finally) realized that maybe it shouldn’t give app developers access to so much data, and cut them all off (effectively killing Six4Three’s entire ability to operate). Many people reacted to this week’s story as if it was some big reveal that Facebook cut favorable data deals with some partners, and that it toyed around with business models selling access to data, but frankly, I don’t see all that much that’s different from the cache of documents that was released back in December.
As I said then, most of the stuff that people are freaking out about appears to be taken out of context. Facebook investigating different business models isn’t inherently bad. And many people are framing those discussions completely outside of the context of what Facebook was actually doing at the time or how people viewed the data it had access to. A lot of focus is on the fact that Facebook put a dollar value on the data — but that doesn’t actually mean (as many are suggesting) that it ever planned to “sell the data.” It did look at charging app developers to access the data, but that’s not a particularly crazy idea — and one that lots of people discussed at the time, and one that plenty of companies with lots of data use.
There are, certainly, reasonable concerns to be raised about Facebook looking to deliberately undermine competitive services via its platform — and that was the part that most concerned me back in December as possible antitrust violations. But, there doesn’t really appear to be that much new on that front. Facebook looks sketchy, but when hasn’t it looked sketchy?
And, because some will erroneously call me a Facebook shill, let’s look at the other two privacy blunders this week because there’s nothing redeeming about either of them. Both are straight up awful. They’re the kinds of security mistakes that tiny startups with no real understanding of security make. Not something that a company like Facebook should ever make. If you want to be concerned about Facebook and privacy, focus on these two stories that suggest not so much a cavalier attitude towards privacy as an incompetent implementation of basic security practices.
First up, Business Insider revealed that Facebook was asking users for their email password and then sucking up all your contacts without asking for permission. While you might wonder what idiot would hand Facebook his or her email password for no obvious reason (a valid question) that doesn’t absolve Facebook from even asking. After pressing Facebook on this, the company admitted that it sucked up the email contacts of 1.5 million users this way, and that it’s now deleting it.
Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.
The revelation comes after pseudononymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was “importing” your contacts without asking for permission first.
This is a very bad security practice, and certainly could lead to legal issues for Facebook. Sucking up that kind of data without permission is super bad. Facebook’s excuse here is not good either:
A Facebook spokesperson said before May 2016, it offered an option to verify a user’s account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted ? but the underlying functionality was not.
How does someone not catch that? How does someone not catch that asking for your (non-Facebook!) email account is just a bad idea in general? This reflects extremely poorly on Facebook’s security review process.
The second story may be even worse. TechCrunch has the story that Facebook is now admitting that the really bad screwup first reported last month, concerning the company “accidentally” storing plaintext passwords of some Instagram users, actually impacted millions of users, rather than just a few thousand as originally reported. This of course, goes back to the general law of security breaches that we’ve discussed for over a decade: it’s always worse than originally reported. It’s difficult to think of a big security breach where the number of impacted people wasn’t updated upwards at a later date.
As we noted last month, what caused this was legitimately a bug, rather than nefarious intent, but for a company of Facebook’s size, and with the security talent it has on staff, this is the kind of bug that is unacceptable — especially with something such as protecting passwords (an area of security that is very well developed). I guess these are just more things to add to the neverending Facebook apology tour.