Facebook's Terrible, Horrible, No Good, Very Bad Privacy Week

from the isn't-that-every-week dept

I know that some will argue that “every week” is a bad week for Facebook with regard to privacy, but this week in particular is looking especially awful, with (last I checked!) three “big” stories about the company’s bad decisions and handling of data. Of course, because this is Facebook, I still think the reporting is getting the story a bit wrong. The story that has gotten the most attention is the least concerning, while the ones getting less attention are the real problems.

First up is the NBC News story going through a big pile of leaked internal documents from its ongoing lawsuit with app developer Six4Three. If you don’t recall, the company, which made a skeezy app to let you find pictures of other people on Facebook wearing bikinis, got mad and sued Facebook when Facebook (finally) realized that maybe it shouldn’t give app developers access to so much data, and cut them all off (effectively killing Six4Three’s entire ability to operate). Many people reacted to this week’s story as if it was some big reveal that Facebook cut favorable data deals with some partners, and that it toyed around with business models selling access to data, but frankly, I don’t see all that much that’s different from the cache of documents that was released back in December.

As I said then, most of the stuff that people are freaking out about appears to be taken out of context. Facebook investigating different business models isn’t inherently bad. And many people are framing those discussions completely outside of the context of what Facebook was actually doing at the time or how people viewed the data it had access to. A lot of focus is on the fact that Facebook put a dollar value on the data — but that doesn’t actually mean (as many are suggesting) that it ever planned to “sell the data.” It did look at charging app developers to access the data, but that’s not a particularly crazy idea — and one that lots of people discussed at the time, and one that plenty of companies with lots of data use.

There are, certainly, reasonable concerns to be raised about Facebook looking to deliberately undermine competitive services via its platform — and that was the part that most concerned me back in December as possible antitrust violations. But, there doesn’t really appear to be that much new on that front. Facebook looks sketchy, but when hasn’t it looked sketchy?

And, because some will erroneously call me a Facebook shill, let’s look at the other two privacy blunders this week because there’s nothing redeeming about either of them. Both are straight up awful. They’re the kinds of security mistakes that tiny startups with no real understanding of security make. Not something that a company like Facebook should ever make. If you want to be concerned about Facebook and privacy, focus on these two stories that suggest not so much a cavalier attitude towards privacy as an incompetent implementation of basic security practices.

First up, Business Insider revealed that Facebook was asking users for their email passwords and then sucking up all their contacts without asking for permission. While you might wonder what idiot would hand Facebook his or her email password for no obvious reason (a valid question), that doesn’t absolve Facebook for even asking. After being pressed on this, the company admitted that it sucked up the email contacts of 1.5 million users this way, and that it’s now deleting them.

Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.

The revelation comes after pseudonymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was “importing” your contacts without asking for permission first.

This is a very bad security practice, and certainly could lead to legal issues for Facebook. Sucking up that kind of data without permission is super bad. Facebook’s excuse here is not good either:

A Facebook spokesperson said before May 2016, it offered an option to verify a user’s account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.

How does someone not catch that? How does someone not catch that asking for your (non-Facebook!) email account is just a bad idea in general? This reflects extremely poorly on Facebook’s security review process.

The second story may be even worse. TechCrunch has the story that Facebook is now admitting that the really bad screwup first reported last month, concerning the company “accidentally” storing plaintext passwords of some Instagram users, actually impacted millions of users, rather than just a few thousand as originally reported. This, of course, goes back to the general law of security breaches that we’ve discussed for over a decade: it’s always worse than originally reported. It’s difficult to think of a big security breach where the number of impacted people wasn’t updated upwards at a later date.

As we noted last month, what caused this was legitimately a bug, rather than nefarious intent, but for a company of Facebook’s size, and with the security talent it has on staff, this is the kind of bug that is unacceptable — especially with something such as protecting passwords (an area of security that is very well developed). I guess these are just more things to add to the neverending Facebook apology tour.

Companies: facebook


Comments on “Facebook's Terrible, Horrible, No Good, Very Bad Privacy Week”

Anonymous Coward says:

"Investigating" different "business models" isn't inherently bad

Nothing wrong with a little plotting here and there. For example, just because some group of would-be terrorists are "investigating" how to blow up a building, it’s really nothing to be concerned about unless it actually comes to pass, right? I mean, who knows, they might even decide it’s not a good idea and change their minds at the last minute. No harm, no foul!


ECA (profile) says:

BIG, understanding..

Long ago, far far in the past…
a good program was about This big, and you could carry them around on a floppy disk and they did WHAT they did..

Nowadays a program is filled with Many parts and sections that all do different things, and it would take a Hard drive/Large SD chip to hold even Parts of the data..

We had Operating systems(OS) that fit on a floppy disk or 2…
NOW, you need 10-20 gigs…that's 10,000-20,000 Floppy disks..for the same thing NOW…

In the past there were 2 parts.. the OS, for Running the basic system, then the Environment…and we could load up anything for an environment, we could customize everything…NOW…The environment has everything, and is interlocked with the parts that let you Play/USE games and programs…

Anyone want to change to Linux yet?? It might be a little complicated but you have FULL control over everything.

TripMN says:

Re: BIG, understanding..

This has nothing to do with Linux v Windows v OS X. I can promise you that a platform like Facebook is almost invariably using a bunch of Linux servers in the mix; mainly because they are open source, you have full control, and the OS is free.

Of course the OS used to be small, it was text only and had very few features. Even the most stripped down version of Linux doesn’t fit on a floppy. Your comparison is like stating that since someone used an Escalade to commit a crime, we need to think about going back to the Model-T.

mephistophocles (profile) says:

Nobody else is saying it so I will – what if these "mistakes" aren’t mistakes at all? This is one of the largest tech companies in the world, with some of the best devs on the planet working for them, and they screw up in this basic a way? Twice??

Seems unlikely. Another explanation might be that this was more a "do it and ask forgiveness later" situation. Maybe the whole point was data collection, privacy be damned, because they knew they’d never be held seriously accountable anyway.

velox (profile) says:

Re: Re:

I completely agree with mephistophocles.

Accepting Facebook’s explanation for the password incident as an ‘oopsie’ is unnecessarily generous. Facebook has lied on multiple occasions during the past couple of years about what it, and others, have been doing with the data they have collected from us. Given that, why would anyone be willing to believe their explanations and excuses now? If you are willing to believe them, does it make you feel any better to be saying that you think their motives are true, but they are just incompetent? Either way Facebook is simply not a trustworthy company.
