New York’s attorney general is investigating why Facebook helped itself to the email contact lists of 1.5 million people who gave the company their passwords as part of Facebook’s new account setup process.
“It is time Facebook is held accountable for how it handles consumers’ personal information,” said Attorney General Letitia James in a statement announcing the latest probe of Facebook’s privacy practices. “Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data.”
Early this month The Daily Beast reported that Facebook’s onboarding system was demanding some new users turn over the password for their email account, so the company could log in as the user and confirm it was really their address—a system one security expert called “beyond sketchy.”
The additional login step had been noticed by a cybersecurity watcher on Twitter called “e-sushi.” Within hours of The Daily Beast’s report, Facebook announced it was ending the practice. “We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” the company wrote in a statement at the time.
Facebook explained the password demand as a misbegotten but well-intended feature meant to simplify sign-ups. But last week, Facebook confessed to Business Insider that it used the passwords for more than just email verification.
The company also “unintentionally” used the proffered password to slurp down the users’ address books without permission, grabbing an estimated 1.5 million contact lists from May 2016 to the day it ended the practice this month.
The harvesting was not done in secret. Facebook showed the user a progress bar as it ingested the names and email addresses of their friends, colleagues, and loved ones, but didn’t provide a way to stop the process.
According to the attorney general’s announcement, the purloined contact lists were used for “targeted marketing” and affected far more people than Facebook’s official numbers reflect.
“While Facebook has admitted that 1.5 million people’s contact books were directly harvested, the total number of people whose contact information was improperly obtained by Facebook may be hundreds of millions, as people can have hundreds of contacts stored on their contact databases,” the attorney general’s office said in its statement.
It’s not the first time Facebook has repurposed personal information handed over by users.
Last year Facebook was caught allowing advertisers to target its users using phone numbers users provided for two-factor authentication; users handed over their numbers so Facebook could send a text message with a secret code when they log in. More recently the company drew the ire of privacy advocates when it began making those phone numbers searchable, so anyone can locate the matching user “in defiance of user expectations and security best practices,” wrote the Electronic Frontier Foundation, a civil liberties group.
In a statement Thursday, a Facebook spokesperson said the company was cooperating in the new probe.
“We’re in touch with the New York State attorney general’s office and are responding to their questions on this matter.”