Facebook's Terrible, Horrible, No Good, Very Bad Privacy Week
from the isn't-that-every-week dept
I know that some will argue that "every week" is a bad week for Facebook with regards to privacy, but this week in particular is looking especially awful, with (last I checked!) three "big" stories regarding the company's bad decisions and handling regarding data. Of course, because this is Facebook, I still think the reporting is getting the story a bit wrong. The story that has gotten the most attention is the least concerning, while the ones getting less attention are the real problems.
First up is the NBC News story going through a big pile of leaked internal documents from its ongoing lawsuit with app developer Six4Three. If you don't recall, the company, which made a skeezy app to let you find pictures of other people on Facebook wearing bikinis, got mad and sued Facebook when Facebook (finally) realized that maybe it shouldn't give app developers access to so much data, and cut them all off (effectively killing Six4Three's entire ability to operate). Many people reacted to this week's story as if it was some big reveal that Facebook cut favorable data deals with some partners, and that it toyed around with business models selling access to data, but frankly, I don't see all that much that's different from the cache of documents that was released back in December.
As I said then, most of the stuff that people are freaking out about appears to be taken out of context. Facebook investigating different business models isn't inherently bad. And many people are framing those discussions completely outside of the context of what Facebook was actually doing at the time or how people viewed the data it had access to. A lot of focus is on the fact that Facebook put a dollar value on the data -- but that doesn't actually mean (as many are suggesting) that it ever planned to "sell the data." It did look at charging app developers to access the data, but that's not a particularly crazy idea -- and one that lots of people discussed at the time, and one that plenty of companies with lots of data use.
There are, certainly, reasonable concerns to be raised about Facebook looking to deliberately undermine competitive services via its platform -- and that was the part that most concerned me back in December as possible antitrust violations. But, there doesn't really appear to be that much new on that front. Facebook looks sketchy, but when hasn't it looked sketchy?
And, because some will erroneously call me a Facebook shill, let's look at the other two privacy blunders this week because there's nothing redeeming about either of them. Both are straight up awful. They're the kinds of security mistakes that tiny startups with no real understanding of security make. Not something that a company like Facebook should ever make. If you want to be concerned about Facebook and privacy, focus on these two stories that suggest not so much a cavalier attitude towards privacy as an incompetent implementation of basic security practices.
First up, Business Insider revealed that Facebook was asking users for their email password and then sucking up all your contacts without asking for permission. While you might wonder what idiot would hand Facebook his or her email password for no obvious reason (a valid question) that doesn't absolve Facebook from even asking. After pressing Facebook on this, the company admitted that it sucked up the email contacts of 1.5 million users this way, and that it's now deleting it.
Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was "unintentionally uploaded to Facebook," and it is now deleting them.
The revelation comes after pseudononymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was "importing" your contacts without asking for permission first.
This is a very bad security practice, and certainly could lead to legal issues for Facebook. Sucking up that kind of data without permission is super bad. Facebook's excuse here is not good either:
A Facebook spokesperson said before May 2016, it offered an option to verify a user's account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.
How does someone not catch that? How does someone not catch that asking for your (non-Facebook!) email account is just a bad idea in general? This reflects extremely poorly on Facebook's security review process.
The second story may be even worse. TechCrunch has the story that Facebook is now admitting that the really bad screwup first reported last month, concerning the company "accidentally" storing plaintext passwords of some Instagram users, actually impacted millions of users, rather than just a few thousand as originally reported. This of course, goes back to the general law of security breaches that we've discussed for over a decade: it's always worse than originally reported. It's difficult to think of a big security breach where the number of impacted people wasn't updated upwards at a later date.
As we noted last month, what caused this was legitimately a bug, rather than nefarious intent, but for a company of Facebook's size, and with the security talent it has on staff, this is the kind of bug that is unacceptable -- especially with something such as protecting passwords (an area of security that is very well developed). I guess these are just more things to add to the neverending Facebook apology tour.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: contacts, data, passwords, plaintext, privacy, security breaches
Companies: facebook
Reader Comments
Subscribe: RSS
View by: Time | Thread
And in this week's edition of Egg On Your Face(book)...
[ link to this | view in chronology ]
"Investigating" different "business models" isn't inherently bad
Nothing wrong with a little plotting here and there. For example, just because some group of would-be terrorists are "investigating" how to blow up a building, it's really nothing to be concerned about unless it actually comes to pass, right? I mean, who knows, they might even decide it's not a good idea and change their minds at the last minute. No harm, no foul!
/s
[ link to this | view in chronology ]
Why, there's no magazine called Weird, is there?
There's a pretty great longread over at Wired called 15 Months of Fresh Hell Inside Facebook, too. The language is a little flowery in the introduction, but it gets better once it gets into the meat of the story, and it's extensively researched (they interviewed 65 people for the story).
[ link to this | view in chronology ]
Ok, so these oversights might, at first, look a little bit bad. But it is vitally import--immensely, crucially important--that we immediately do absolutely nothing aside from letting Facebook do whatever it likes. Thanks for reading my Techdirt column, and have a great night.
[ link to this | view in chronology ]
The black-pilled prediction I can't help but consider is that the negative attention is Zuckerberg's worse fear. He faces it. Comes out unscathed. And learns to act human with some personality while continuing the worst offenses unabated.
[ link to this | view in chronology ]
BIG, understanding..
Long ago, far far in the past...
a good program was about This big, and you could carry them around on a floppy disk and they did WHAT they did..
Now days a program is filled with Many parts and sections that all do different things, and it would take a Hard drive/Large SD chip to hold even Parts of the data..
We had Operating systems(OS) that fit on a floppy disk or 2...
NOW, you need 10-20 gigs...thats 10,000-20,000 Floppy disks..for the same thing NOW...
In the past there were 2 parts.. the OS, for Running the basic system, then the Environment...and we could load up anything for an environment, we could customize everything...NOW...The environment has everything, and is interlocked with the parts that let you Play/USE games and programs...
Anyone want to change to Linux yet?? It might be alittle complicated but you have FULL control over everything.
[ link to this | view in chronology ]
Re: BIG, understanding..
This has nothing to do with Linux v Windows v OS X. I can promise you that a platform like Facebook is almost invariably using a bunch of Linux servers in the mix; mainly because they are open source, you have full control, and the OS is free.
Of course the OS used to be small, it was text only and had very few features. Even the most stripped down version of Linux doesn't fit on a floppy. Your comparison is like stating that since someone used an Escalade to commit a crime, we need to think about going back to the Model-T.
[ link to this | view in chronology ]
Re: Re: BIG, understanding..
Wow, you must be young...
From my C64, my 128, my Amiga(unix/linux Structure)...
BeOs..and a few others.. ANd a Tape player or 5,25" floppy...when IBM was still using 8" floppy...(not MS, it was INTEL)
[ link to this | view in chronology ]
Re: Re: BIG, understanding..
And go look up Somba..
[ link to this | view in chronology ]
Mike, I hear Josh Constine is looking for an assistant stenographer to help him write stories for Facebook at Techcrunch. Might be right up your alley.
[ link to this | view in chronology ]
Re:
I like the ones where Josh Constine teams up with Swamp Thing.
[ link to this | view in chronology ]
Sign spotted somewhere or the other
You don't even need a whiteboard for this sign, permanent ink is fine:
"It has been zero days since Facebook's most recent privacy violation"
[ link to this | view in chronology ]
newby question
i'm thinking about setting up a facebook account, should i use my real name?
[ link to this | view in chronology ]
Nobody else is saying it so I will - what if these "mistakes" aren't mistakes at all? This is one of the largest tech companies in the world, with some of the best devs on the planet working for them, and they screw up in this basic a way? Twice?? <br>
Seems unlikely. Another explanation might be that this was more a "do it and ask forgiveness later" situation. Maybe the whole point was data collection, privacy be damned, because they knew they'd never be held seriously accountable anyway.
[ link to this | view in chronology ]
Re:
I completely agree with mephistophocles.
Accepting Facebook's explanation for the password incident as an 'oopsie' is unnecessarily generous. Facebook has lied on multiple occasions during the past couple of years about what it, and others, have been doing with the data they have collected from us. Given that, why would anyone be willing to believe their explanations and excuses now. If you are willing to believe them, does it make you feel any better to be saying that you think their motives are true, but they are just incompetent? Either way Facebook is simply not a trustworthy company.
[ link to this | view in chronology ]
Get facebook off the internet. That shitty company has many times over shown the world they don't give two fucks about your private data. or who leaks it. Coming up with pure bullshit responses to massive data breaches when they should be yanked offline doesn't make them even sweat. Sum10wonghere.
[ link to this | view in chronology ]
Email passwords
What about the other side of asking for email passwords? Popular providers such as Gmail must have been seeing certain computers logging into lots of unrelated accounts. Did none of them flag it as suspicious and start banning IPs and sending security breach notifications?
[ link to this | view in chronology ]