Facebook Demands Email Passwords Then Quietly Uploads Contact Lists But Once Again We Don't Care


Just weeks after Facebook acknowledged it had been secretly storing its users’ passwords in cleartext on its servers where they had been accessed more than 9 million times by its employees, the Daily Beast reported earlier this month that the company had quietly begun requiring some users to verify their accounts by handing over the password to the email account they had used to create their Facebook profile. At the time, the outlet noted that “the company has recently been criticized for repurposing information it originally acquired for ‘security’ reasons.” It turns out this was exactly what happened, as Facebook logged into users’ outside email accounts and “unintentionally” silently uploaded a copy of their address book to its servers without their knowledge or consent, making off with more than 1.5 million people’s contact lists. The company has promised to delete the data but did not respond when asked to commit to a specific date by which it would agree to delete the illicitly obtained lists. How did we reach a point where a major company felt it acceptable to demand users hand over to it the passwords to their email accounts and then quietly harvested their contact lists?

Perhaps the most remarkable aspect of Facebook’s latest privacy scandal is not that it happened at all, but rather that it generated so little outrage and that none of us will actually leave the platform.

Looking globally, the story was barely a blip on the tech media radar. Certainly, it garnered a few headlines, but it was far from the kind of all-encompassing week-long deluge of outrage that was once associated with such massive privacy and security breaches.

It is almost unheard of in today’s cyber-conscious digital world for an online service to demand that its users hand over their passwords to outside services as sensitive as their email just for the right and privilege to use their product.

There are plenty of products that offer value-add to email and social media services and thus require permission to access those accounts on behalf of a user, but in those cases there is an explicit need for the access and the user understands why access is needed and explicitly grants that access.

More to the point, there is no major service today that requires that users hand over their passwords to facilitate its access. In fact, with hardware-based two-factor authentication, password-based logins from one service into another are increasingly impossible.

Instead, services use streamlined delegated-authentication flows that never require an outside service to see a user’s password and that explicitly specify which privileges the outside service is granted over the user's data.

Facebook never actually needed access to a user’s email account for the purposes of authenticating them. Since the dawn of the modern web, services have authenticated users’ email accounts simply by sending them an email with a link to click or a code to copy-paste back into an authentication form to verify that they have access to the account in question.

Requiring users to fork over their password to verify that they have access to an email account is simply unheard of and an unprecedented breach of modern security practices.
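The link-or-code verification the article describes above, as an added example that is not part of the original piece: a minimal ownership check that proves control of an inbox by mailing a random, single-use, short-lived token, so the site never handles the mailbox password at all. The `send_email` callback, the `example.invalid` URL and the in-memory store are assumptions for illustration.

```python
"""Email-ownership verification with a single-use, expiring token.

Added example, not from the article: the "send a link or code" pattern
that proves a user controls an inbox without the site ever seeing the
mailbox password. The send_email hook stands in for a real mailer.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short-lived: limits the window for a stolen link

# Pending verifications keyed by lower-cased email. Only the token's hash is
# stored, so a leak of this store does not yield usable verification links.
# (In-memory here for illustration; a real deployment would use a database.)
_pending = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def start_verification(email: str, send_email, now=None) -> None:
    """Generate a token, store its hash, and mail the raw token to the user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _pending[email.lower()] = {
        "hash": _hash_token(token),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    # Hypothetical verification URL; only the user who controls the inbox sees it.
    send_email(email, f"https://example.invalid/verify?token={token}")


def complete_verification(email: str, token: str, now=None) -> bool:
    """Return True exactly once, if the token matches, is unexpired and unused."""
    now = time.time() if now is None else now
    rec = _pending.get(email.lower())
    if rec is None or now > rec["expires_at"]:
        return False
    # Constant-time comparison of the hashes avoids leaking match position.
    if not hmac.compare_digest(rec["hash"], _hash_token(token)):
        return False
    del _pending[email.lower()]  # single use: a replayed link fails
    return True
```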

Beyond confirming that the password request was indeed an officially sanctioned product and not the work of a rogue coder or an internal error, Facebook has remained silent on why it believed it was acceptable security practice to request that users hand over their email passwords. The company unsurprisingly did not respond to a request for comment.

It turns out one of the reasons for needing this password is that Facebook was quietly logging into users’ email accounts and silently harvesting their contact lists, which it was uploading to its own servers.

When confronted with its activities, the company has remained largely silent about its actions other than to claim that the harvesting was “unintentional” and that it would be deleting the harvested lists at some point.

Yet, the company has declined to commit to a specific date by which it would delete the illicitly acquired data and it did not respond to a request for comment on why.

In fact, since users legally, if not willingly, consented to the harvesting, it is unclear whether the company actually faces any legal obligation to delete the data it acquired. It did not respond when asked whether there were any GDPR implications of the harvesting.

It is especially notable that for such a serious and consequential breach, the company did not offer a more forceful apology, coupled with a top-down external review of its security practices, and did not promise to delete all of the acquired data within 24 hours.

To date, the company has either declined to comment or simply not responded at all to every request for comment as to whether it would commit to permitting an external independent third-party review of its entire security infrastructure and stance.

With breach after breach, it seems we know why: the company is too afraid of what such an audit would reveal.

Putting this all together, it is truly extraordinary that in 2019 Facebook would consider it acceptable security practice to demand that users hand over their passwords, would permit more than 1.5 million users’ address books to be harvested, and would resist requests to offer a timeline by which the illicitly acquired data would be deleted.

Facebook’s actions remind us just how cavalier an approach it takes to safety and security.

In the end, however, it really doesn’t matter because Facebook has successfully convinced the public and policymakers not to care about their safety, security or privacy online.

Once again, we will just sit back and wait for the next revelation of another massive Facebook security breach but none of us will ever leave the platform no matter what it does to us.