Another alleged instance of Facebook’s data misuse hit the news cycle this week, after Business Insider revealed Thursday, April 18, that the social media giant had “harvested the email contacts of 1.5 million users without their knowledge or consent” at the time of creating their Facebook accounts.”
The latest privacy breach was exposed when a security researcher questioned why Facebook was asking for email passwords to sign up new users; it was then discovered that if they entered their email password, a message popped up saying it was ‘importing’ your contacts, without asking for permission first.
Facebook has claimed this automatic upload was unintentional and has been fixed. Till last month, email password verification was one of the options available for first-time users to access their new Facebook account.
Facebook just can’t stop mining data
All this leads necessarily back to an old and familiar quandary, i.e., Facebook’s habitual misuse of users’ personal information, presumably for commercial and advertising purposes.
Similar allegations in the recent past have completely robbed it of any benefit of the doubt. In fact, this is the second data scandal for Mark Zuckerberg’s company in a single week, and third in a month.
NBC reported Tuesday, April 16, that it had leaked documents showing that “Mark Zuckerberg leveraged Facebook user data to fight rivals and help friends”, like Amazon.
In March, Facebook “admitted exposing passwords belonging to hundreds of millions of users… storing them in a readable plain text format within its internal data storage systems”—making the passwords searchable by Facebook employees. Critics called this a flabbergasting breach of good data security practices.
But this latest instance is confounding on whole other level because, for a commercial platform to request a password for a separate application violates every security protocol imaginable. Downloading contacts without consent isn’t all there is to this newest instance of automation anxiety. That is because the breach not only places contact details in Facebook’s (and the third-party’s) hands, but leaves the contents of the email’s inbox and other drives itself, open to misuse.
Facebook’s defensive response
Facebook later admitted to uploading the contacts of 1.5 million users, but as always, it was a half-baked apology. Blaming it on unconscious harvesting, Facebook said the information seems to have been unintentionally uploaded when new users were creating their accounts.
“When we looked into the steps people were going through to verify their accounts we found that in some cases, people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” Facebook responded, as privacy activists came out to draw fresh blood.
“These contacts were not shared with anyone and we’re deleting them,” affirmed Facebook in a blog post.
Hard to believe, when commercialising user data is the company’s core business model.
“We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”
However, is this measure too little, too late?
A big network of tech friends and foes are driving this
The NBC investigation also found that Facebook’s senior management, including Zuckerberg, was looking for “ways to tap Facebook’s trove of user data—including information about friends, relationships, and photos—as leverage over companies it partnered with. In some cases, Facebook would reward favoured companies by giving them access to the data of its users. In other cases, it would deny user-data access to rival companies or apps.”
In a world where data is currency, Facebook (with annexed platforms like Instagram and WhatsApp) is king. Multiple individual revelations since the Cambridge Analytica scandal have shown Facebook’s readiness, if not eagerness, to trade user data for commercial advantage. Or as Forbes puts it, “a network of friendly tech giants conceiving of ways to commercialize the information gleaned from users on social media in an entirely non-transparent way,” while Facebook made advertising dollars on its platforms.
Improperly redacted documents have presented proof that among Facebook’ strategies was shutting down apps that don’t spend “$250k a year to maintain access to the data.” The company also reportedly looked at restricting access to data for companies it viewed as a competitive threat.
Time for some uncomfortable questions
Despite increasing scrutiny over its approach to securing and maintaining the security of its users, Facebook seems untouchable. As it gets on with its never-ending PR trainwreck, one is left wondering whether the company, with its scale and reach, will ever face punitive action for its egregious disregard for privacy. It also begs the question, is regulation enough or have we passed the point of no return? Will our data ever be safe?
Many would argue that data harvesting and misuse has gone so out of hand that radical and drastic changes need to be made to technocratic leadership and ownership structures. Perhaps even mandate the break-up of larger-than-life conglomerates, to keep the aforementioned gigantic tech network from colluding within itself.
Meanwhile, the UK recently announced proposals for “tough new measures to ensure that U.K. is the safest place in the world to be online.” The European Union’s Digital Single Market Directive also lays out a comprehensive revision of copyright law in Europe, offering new protections for authors, artists and creators.
It also lays down the world’s “first online safety laws”—a framework for data mining—which is critical to “big data” and much of AI research. The EU proposals include independent regulation with enforcement powers, and, critically, the potential for both social media companies and their execs to be held to account.
But with US-based firms acting like a mini-dictatorship, country by country regulations won’t amount to much, if the US doesn’t partake in taking action.
Prarthana Mitra is a Staff Writer at Qrius.