Facebook has admitted to collecting up the email contacts of up to 1.5m of its users without their knowledge or consent – the latest in a long string of privacy-related issues to come out of the social network.
The data harvesting occurred when new users were asked to verify their identities by supplying the password for their email account, at which point Facebook uploaded their contacts to its servers without providing any permission prompt.
These contacts began being taken in May 2016. Prior to this, new users were given the option to verify their account and voluntarily upload their contacts at the same time. However, Facebook changed the feature and the text informing users that their contacts would be uploaded was deleted, but the underlying code that scraped contacts was left behind, Facebook told Business Insider, which broke the story.
Facebook says it had no knowledge that contacts were being automatically stored and only found out recently. As a result, it has stopped offering email password verification. The company also said that it never accessed the emails of users and the lists had not been shared with anyone outside of Facebook. Nonetheless, it will notify the affected users and delete their contacts from its systems.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time,” said a Facebook spokesperson. “When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.”
This email mishap is just the latest in a series of instances where Facebook has mishandled user data over the last few years. Some other recent additions to the list include leaving the passwords of hundreds of millions of users freely accessible to Facebook employees and leaving the private photos of 7m users exposed. If we take it back a little further there were also a couple of big ones: Cambridge Analytica and a data breach hitting nearly 50m accounts.
Despite Facebook’s long list of privacy-related failures, its not the only one to make privacy blunders.
The UK’s Department for Digital, Culture, Media and Sport – a department responsible for data protection laws – openly shared the email addresses of more than 300 journalists when it failed to use the blind carbon copy (Bcc) feature when sending out a press release to them.