April 18, 2019 | 11:46
Facebook has admitted to capturing the email contact lists of more than 1.5 million of its users without their permission, but claims it did so 'unintentionally'.
In what is only the latest in a string of privacy gaffes for the social networking giant, which has included storing hundreds of millions of user passwords in a plain text file accessible by staff and abuse of enterprise security certificates to sneak data-gathering applications aimed at teenagers onto iOS and Android devices without submitting to the usual app publication process, Facebook has admitted that it has captured the email address books of some 1.5 million of its worldwide users - but that it did so 'unintentionally'.
The issue was brought to light this week by Business Insider, which had noted that Facebook's new approach for verifying a user's third-party email address in which the user is asked for the password to the email account - a request which has already been lambasted by security and privacy experts, seemingly with good reason - sees it automatically 'import' email contact lists without giving the user an opportunity to decline.
Having contacted Facebook about the issue, Business Insider discovered that this 'import' process saw users entire email contacts lists uploaded to Facebook automatically and without warning - and has been doing since May 2016, before which users were asked whether they would like to import their contacts or not.
In a statement on the matter, Facebook has denied accessing email content - although having gathered the password for third-party email accounts, there was absolutely nothing to stop it doing so - and claims that the harvesting of contacts was entirely accidental. 'Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account,' the company claims. 'We estimate that up to 1.5 million people's email contacts may have been uploaded.'
Facebook has indicated that the contact lists were not shared outside the company, and that it is in the process of deleting them. It has also stopped requesting new users to submit the password for their third-party email accounts during sign-up, as of last month.
April 7 2020 | 14:00