Report: Facebook Harvesting New Users’ Email Contacts ‘Without Consent’

Facebook is reportedly harvesting its users’ email contacts “without consent,” and asking new users to give their email account passwords to the social network. One security researcher called the practice “indistinguishable to a phishing attack.”

According to Business Insider, the company, which has been plagued by dozens of privacy and security scandals over the past few years, is asking “some new users to provide the social network with the password to their email accounts,” which Facebook then reportedly uses to import the user’s contacts, “despite not asking the user for permission to do so.”

Business Insider explained that “when users try to register with certain email providers, including Yandex and GMX, it asks to ‘confirm your email address’ by entering their password directly into Facebook.”

“Users of other email providers like Google’s Gmail don’t see the option, as it makes use of authorization tool OAuth — a common tool for securely verifying your identity without requiring you to input your password as Facebook is doing here,” the report continued, adding that a Facebook spokesman claimed to be “discontinuing the feature.”

The spokesman claimed, “These passwords are not stored by Facebook. A very small group of people have the option of entering their email password to verify their account when they sign up for Facebook for the first time. People can always choose instead to confirm their account with a code sent to their phone or a link sent to their email… That said, we understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”

Electronic Frontier Foundation security researcher Bennett Cyphers, however, claimed Facebook’s actions were “indistinguishable to a phishing attack.”

“This is basically indistinguishable to a phishing attack,” Cyphers declared. “This is bad on so many levels. It’s an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up. Even when you consent to uploading contact information to Facebook, you should never have to put in your email password to do it.”

“No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does,” he continued. “This goes against all conventional security wisdom, basic decency, and common sense.”

Last year, former Facebook platform operations manager Sandy Parakilas claimed the company’s “horrifying” misuse of user data was routine.

“My concerns were that all of the data that left Facebook servers to developers could not be monitored by Facebook, so we had no idea what developers were doing with the data,” claimed Parakilas. “Once the data left Facebook servers there was not any control, and there was no insight into what was going on.”

In the same year, staffers on former president Barack Obama’s 2012 campaign claimed Facebook had allowed them to harvest masses of user data.