Facebook Imported 1.5 Million Users' Email Contacts Without Permission

By Lucian Armasu
published

(Image credit: Denys Prykhodov/Shutterstock)

Facebook admitted that it has uploaded the contact lists of 1.5 million users since 2016 without their consent, Business Insider reported today. Since most people tend to have tens or hundreds of contacts in their email address books, this uploading of contacts, which the company called "unintentional," may have affected hundreds of millions of users. Regardless of the intent behind this action, Facebook still admitted that it used the collected contacts to to improve its ad targeting capabilities.

Since May 2016, Facebook has been asking some new users for their email account passwords. According to Business Insider's report, the company then promptly started harvesting those emails for the users’ email contact lists, but Facebook says this contact data was “unintentionally uploaded” to the company’s servers.

"These contacts were not shared with anyone, and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings," a spokesperson for the social media giant told Business Insider. 

A user with the Twitter username e-sushi made the discovery and shared his revelation online. He noticed that when a new account was created, Facebook asked the user for their email password. Then, the social media company would show a message about importing the user’s contacts without first asking for permission. The user would not be able to stop the importing of contacts once the process started.

Facebook Stopped Informing Users About The Upload

A Facebook spokesperson said that the company used to ask users for their permission before uploading their contact lists, but the company deleted the message informing users in 2016. There was no explanation provided as to why. The contact uploading functionality remained, but it now worked in the background without first asking users’ consent.

Facebook has promised to delete the data it gathered through this operation; however, without some sort of third-party audit or government investigation there’s no way to know if Facebook follows through and stops using the data for its ad business.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
8 Comments Comment from the forums
  • Dark Lord of Tech
    You mean DARPA imported without permission.
    Reply
  • Math Geek
    i can't even be bothered to be surprised anymore. if this still shocks anyone, then they seriously need to wake up and smell the coffee.
    Reply
  • -Fran-
    The obvious ruling here is for them to delete all that data and start from scratch; no questions asked about it.

    I'm pretty damn sure out of all the scummy ways they've obtained data of people outside their network/system, this is the scummiest by friggin' far.

    Cheers!
    Reply
  • Math Geek
    i don't have a FB nor any other FB owned account nor have i ever used any of them other than FB over 10 years ago.

    yet i still know they likely have a pretty accurate up to date file on me and all things mine. no tin foil hat needed here, cause it's sadly true. and for some reason, this fact does not bother most people....
    Reply
  • randomizer
    For what purpose does Facebook claim to use your email account credentials other than this? There's no way I'd be giving out credentials to anyone without a very good reason (this isn't one, also it's Facebook), and even then it's unlikely.
    Reply
  • Math Geek
    these emails were not from users but rather from users' contact lists. which means mostly from non-users. and of course they are only saying email addresses but my contact lists includes phone numbers, physical addresses and other info for those in my list.

    so they actually got names, physical address, likely work info, and phone numbers on top of the email addresses they admit to getting due to "accidentally" uploading people's contact lists.

    it should simply be criminal to invade people's privacy like this but of course the gov is not gonna make em stop since they enjoy access to all that info whenever they want, and their not likely to shoot themselves in the foot stopping a great source of surveillance footage for themselves.
    Reply
  • jsmithepa
    I dunno if the U.S. Congress is serious or they are just so much behind the times. Facebook whole business is Selling Information, because they don't make anything, they don't do consulting. Information Broker is what they are. Surprised? Faking Outrage? Best business after selling water.

    These folks hide behind, "we'll facilitate targeted advertising!" Yeah right, after I do a very précised search, they pop me an ad, "Walmart Sells this" and take me to their main website and it's up to me to search their 5 zillions items catalog. Targeted is most certainly not.
    Reply
  • Dark Lord of Tech
    Facebook is run by the CIA , it's a data collection tool.
    Reply