Facebook’s privacy gaffes keep coming. On Wednesday, the social media company said it collected the stored email address lists of as many as 1.5 million users without permission. On Thursday, the company said the number of Instagram users affected by a previously reported password storage error was in the “millions,” not the “tens of thousands” as previously estimated.
Facebook said the email contact collection was the result of a highly flawed verification technique that instructed some users to supply the password for the email address associated with their account if they wanted to continue using Facebook. Security experts almost unanimously criticized the practice, and Facebook dropped it as soon as it was reported.
In a statement issued to reporters, Facebook wrote:
Facebook is working on developing an AI voice assistant similar in functionality to Amazon Alexa, Google Assistant, or Siri, according to a report from CNBC and a later statement from a Facebook representative.
The CNBC report, which cites “several people familiar with the matter,” says the project has been ongoing since early 2018 in the company’s offices in Redmond, Washington. The endeavor is led by Ira Snyder, whose listed title on LinkedIn is “Director, AR/VR and Facebook Assistant at Facebook.” Facebook Assistant may be the name of the project. CNBC writes that Facebook has been reaching out to vendors in the smart-speaker supply chain, suggesting that Portal may only be the first of many smart devices the company makes.
When contacted for comment, Facebook sent a statement to Reuters, The Verge, and others, saying: “We are working to develop voice and AI assistant technologies that may work across our family of AR/VR products including Portal, Oculus, and future products.”
Back in March, Facebook announced that millions of Facebook passwords were stored on its servers in plain text with no encryption. At the time, Facebook also said that “tens of thousands” of Instagram passwords were also stored in the same unencrypted format, but as it turns out, the actual number was much, much higher.
In an update to its original blog post, Facebook now says that millions of Instagram passwords were stored on its servers in a readable format.
Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed.
These unencrypted, plain text passwords were accessible to thousands of Facebook employees, and while Facebook says that there’s no “evidence to date” that anyone within Facebook abused or improperly accessed the passwords, it’s highly concerning.
Instagram user names, unlike Facebook usernames, can be highly appealing to thieves. Short names can sell for quite a lot of money, which makes Instagram passwords rather valuable.
Facebook was not forthcoming about the discovery of additional impacted Instagram accounts, burying it in a month-old blog post and, as Recode points out, releasing the update just before the Mueller report came out and media sites were distracted.
Facebook will be notifying Instagram users whose passwords were improperly stored, and Instagram users who are concerned about their accounts should change their passwords and make sure two-factor authentication is enabled.
Facebook’s latest security leak comes just a day after news spread that Facebook harvested the email contacts of 1.5 million Facebook users without their consent and used the data to build a web of social connections.
Earlier this week, a scathing report also outlined how Facebook leveraged user data to punish its rivals and reward companies who paid heavily into Facebook advertising and shared data of their own.
“We discovered additional logs of Instagram passwords being stored in a readable format,” the company said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”
“Our investigation has determined that these stored passwords were not internally abused or improperly accessed,” the updated post said, but the company still has not said how it made that determination.
The social media giant did not say how many millions were affected, however.
Last month, Facebook admitted it had inadvertently stored “hundreds of millions” of user account passwords in plaintext for years, said to have dated as far back as 2012. The company said the unencrypted passwords were stored in logs accessible to some 2,000 engineers and developers. The data was not leaked outside of the company, however. Facebook still explained how the bug occurred
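The failure mode these reports describe, credentials written into application logs that thousands of staff can read, is normally prevented at the logging layer. The following is an added example, not Facebook's code or anything from the reports: a Python logging filter that masks credential fields before a record reaches any handler, plus a scan that flags existing log lines still holding readable values. The field names and log lines are constructed for the demo.

```python
import io
import logging
import re

# Constructed for this example: field names treated as credentials (not a real schema).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "auth_token"}
REDACTED = "[REDACTED]"

# key=value, key: value or 'key': 'value' with a credential key; \b rejects "password_hint".
_KV_PATTERN = re.compile(
    r"\b(?P<key>" + "|".join(map(re.escape, sorted(SENSITIVE_KEYS))) + r")\b"
    r"(?P<sep>['\"]?\s*[=:]\s*['\"]?)(?P<val>[^'\"&\s,}]+)", re.IGNORECASE)

def redact_mapping(event):
    """Copy of a structured event with credential values masked, recursing into nested bodies."""
    if isinstance(event, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_mapping(v)
                for k, v in event.items()}
    if isinstance(event, (list, tuple)):
        return type(event)(redact_mapping(v) for v in event)
    return event

def redact_line(line):
    """Mask credential values in an already-rendered log line."""
    return _KV_PATTERN.sub(lambda m: m["key"] + m["sep"] + REDACTED, line)

def find_exposed(lines):
    """Detection: 1-based numbers of lines that still carry a readable credential."""
    return [i for i, line in enumerate(lines, 1)
            if any(m["val"] != REDACTED for m in _KV_PATTERN.finditer(line))]

class RedactingFilter(logging.Filter):
    """Scrubs each record before any handler (file, log shipper) can write it."""
    def filter(self, record):
        record.msg = redact_line(record.getMessage())
        record.args = None  # args were rendered into msg above
        return True

def log_request(body):
    """Log a login body the careless way (whole dict in the message) through a
    logger fitted with the filter; return the line that reached the sink."""
    buf, logger = io.StringIO(), logging.getLogger("demo.redact")
    logger.handlers.clear(); logger.filters.clear()  # keep repeated calls clean
    logger.propagate = False; logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    logger.addFilter(RedactingFilter())
    logger.debug("POST /login body=%s", body)
    return buf.getvalue().rstrip("\n")

SAMPLE_LOG = [  # constructed excerpt standing in for the kind of application logs at issue
    "INFO login ok user=alice",
    'DEBUG POST /login body={"user": "bob", "password": "hunter2"}',
    "DEBUG form passwd=s3cret&remember=1",
    "DEBUG POST /login body={'user': 'carol', 'password': '[REDACTED]'}",
]
```

Running `find_exposed` over a log archive is the audit step; attaching `RedactingFilter` to the root logger is the fix that keeps new lines clean.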
After nearly two years of investigation and months of delays (not to mention partisan bickering the whole time), Special Counsel Robert Mueller’s report on the president’s campaign and Russian interference in the 2016 election is out today.
We’re not a politics news site but we’re still looking into it — tech has figured more prominently than ever in the last few years and understanding its role in what could be a major political event is crucial for the industry and government both.
The report and the discussion of it are bound to be highly politically charged from the get-go, and the repercussions from what is disclosed in it are sure to reach many in and out of office. But there are also interesting threads to pull as far as events and conspiracies that could only exist online or using modern technology and services, and for these the perspective of technology, not politics, reporting may be best suited to add context and interpretation.
What do we expect to find in the report that is of particular interest to the tech world?
The topic that is most relevant and least explored already is the nature of Russia’s most direct involvement in the 2016 election, namely the hack of the Democratic National Committee email server, attributed to Russia’s GRU intelligence unit, and funneling of this information to WikiLeaks and the Trump campaign. The recent arrest of Julian Assange may prove relevant here.
The report will illuminate many things relating to these events, not necessarily technical details — although they may have been furnished by any number of parties — but plans, dates, people involved, and networks through which the hack and resulting data were communicated. Why was this added to Mueller’s pile in the first place? What about Assange? Who knew about the hack and when, and what does that imply?
Another topic, which seems more well trodden but about which we can never seem to know enough, is the origin and extent of Russian “troll farm” activity through the so-called Internet Research Agency. We’ve seen a great deal of their work as part of the ongoing barbecue of Facebook’s leadership, and to a lesser extent other social media platforms, but there’s much we don’t know as well.
Was there coordination with some U.S. entities? How was the content created, and the topics chosen? Was there a stated outcome, such as dividing the electorate or damaging Clinton’s reputation? Was this contiguous with earlier operations? How, if at all, did it change once Trump was named the Republican candidate, and was this related to other communications with his campaign?
The last of our topics of most likely interest is that of the technological methods employed by Mueller in his investigation. Previous investigations of this scale into the activities of sitting presidents and their campaigns have occurred in completely different eras, when things like emails, metadata, and encrypted messaging weren’t, as they are today, commonplace.
How did Mueller pursue and collect privileged communications on, for example, private email servers and hosted web services? What services and networks were contacted, and how did they respond? How were the U.S.’ surveillance tools employed? What about location service from tech giants or telecoms? Was other garden-variety metadata — the type we are often told is harmless and which is often unregulated — used in the investigation to any effect?
We will be poring over the report with these thoughts and ideas in mind but also with an eye to any other interesting tech-related item that may appear. Perhaps that private server used “admin/password” as its login. Perhaps GRU agents were communicating using a cryptographic method known to be unsafe. Perhaps the vice-president uses a Palm Pre?
We’ll leave the politics to cable news and D.C. insiders, but tech is key to this report and we aim to explain why and how.
Facebook harvested the email contacts of 1.5 million users without their knowledge or consent and used the data to build a web of their social connections, it emerged today. Business Insider reports that Facebook began collecting the contact lists in May 2016 when new users opened a new account on the social network.
The harvesting occurred when users were offered email password verification as an option to verify their identity when signing up to Facebook, a method widely condemned by security experts. In some cases if users did enter their password, a pop-up message would appear informing them that it was “importing” their contacts, without even asking their permission to do so.
These contacts were then fed into Facebook’s database systems and used to build a map of users’ social links and inform recommended friends on the social network. It’s not clear if the data was also used for ad-targeting purposes.
In a statement given to Business Insider, the company said that these email contacts had been “unintentionally uploaded” to Facebook when users created their account.
It also said that prior to May 2016, it offered an option to verify a user’s account and voluntarily upload their contacts at the same time. However, the feature was changed and the text informing users that their contacts would be uploaded was deleted, but the underlying functionality was not. Facebook says at no point did it access the content of users’ emails.
We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.
The news is just the latest addition to a long list of privacy blunders and violations by Facebook. In March, for example, it emerged that between 200 and 600 million Facebook users may have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included.
That was followed earlier this month by news that cybersecurity researchers had discovered millions of Facebook records publicly accessible on Amazon’s cloud servers, after the data was uploaded by third-party companies that work with Facebook.
In yet another development just this week, over 4,000 pages of documents from 2011 to 2015 were leaked which provide insight into how Facebook took advantage of user data while publicly promising to protect user privacy before and after its 2015 move to end broad access to user data.
No, you’re not misremembering the details from that young adult dystopian fiction you’re reading — Facebook really does sell a video chat camera adept at tracking the faces of you and your loved ones. Now, you too can own Facebook’s poorly timed foray into social hardware for the low, low price of $99. That’s a pretty big price drop considering that the Portal, introduced less than six months ago, debuted at $199.
Unfortunately for whoever toiled away on Facebook’s hardware experiment, the device launched into an extremely Facebook-averse, notably privacy-conscious market. Those are pretty serious headwinds. Of course, plenty of regular users aren’t concerned about privacy — but they certainly should be.
As we found in our review, Facebook’s Portal is actually a pretty competent device with some thoughtful design touches. Still, that doesn’t really offset the unsettling idea of inviting a company notorious for disregarding user privacy into your home, the most intimate setting of all.
Facebook’s premium Portal+ with a larger, rotating 1080p screen is still priced at $349 when purchased individually, but if you buy a Portal+ with at least one other Portal, it looks like you can pick it up for $249. Facebook advertised the Portal discount for Mother’s Day and the sale ends on May 12. We reached out to the company to ask how sales were faring and if the holiday discounts would stick around for longer and we’ll update when we hear back.
Facebook’s executive team, including Mark Zuckerberg, used the data of Facebook users as leverage over partner companies, according to leaked emails, webchats, presentations, spreadsheets, and more obtained by NBC News.
More than 4,000 pages of leaked documents from 2011 to 2015 provide insight into how Facebook was taking advantage of user data while publicly promising to protect user privacy before and after its 2015 move to end broad access to user data.
The documents were sent to NBC News by British journalist Duncan Campbell and originated from a 2015 lawsuit filed against Facebook by startup Six4Three after Facebook cut back on third-party data access. Six4Three had an app called Pikinis, which let users find photos of their friends in swimsuits and which stopped working after Facebook’s data changes.
Facebook has claimed that it limited data access to protect user privacy and to keep its users safe from companies that mishandled data, but internally, privacy was not the concern Facebook was addressing when making the move. Instead, the documents suggest Facebook ended access to user data to give it more power over third-party apps and partner companies.
However, among the documents leaked, there’s very little evidence that privacy was a major concern of Facebook’s, and the issue was rarely discussed in the thousands of pages of emails and meeting summaries. Where privacy is mentioned, it is often in the context of how Facebook can use it as a public relations strategy to soften the blow of the sweeping changes to developers’ access to user data. The documents include several examples suggesting that these changes were designed to cement Facebook’s power in the marketplace, not to protect users.
Companies favored by Facebook were given access to the data of Facebook users through exclusive deals struck before the data changes, while rival companies or apps were denied access. Amazon, for example, was provided with “extended access” to Facebook user data because of its spending on Facebook advertising and its Fire phone partnership, while data was restricted from other apps.
Facebook believed app developers were getting more value from Facebook user data than Facebook was getting from app developers, a factor that led Facebook to limit access to user data and consider other monetization tactics.
According to NBC News and previously leaked documents, Facebook mulled ways for third-party apps to provide monetary compensation for user data, ranging from direct payment to advertising spending and data sharing setups, but ultimately decided on providing access to app developers who were “personal friends” of Zuckerberg or who spent money on Facebook and shared their own data.
Facebook has previously confirmed that it considered charging companies for access to user data, but has downplayed the discussions as a mere consideration of different business models. Approximately 400 pages of the 4,000 that NBC News obtained have been leaked previously, and Facebook has called these past documents “cherry-picked” and “misleading.”
NBC News says that the new documents suggest charging for user data was more than a cursory exploration of different business models, as Facebook discussed plans to sell user data for years. Senior executives, including Zuckerberg, COO Sheryl Sandberg, and CPO Chris Cox were in favor of selling data.
In emails to one of his friends in 2012, Zuckerberg explained that without limiting access to Facebook data, Facebook wouldn’t have “any way to get developers to pay [Facebook] at all.” He also said that he didn’t feel that data leaks were a risk factor.
“I’m generally skeptical that there is as much data leak strategic risk as you think,” he wrote in the email to Lessin. “I think we leak info to developers but I just can’t think of any instances where that data has leaked from developer to developer and caused a real issue for us.”
Facebook considered 100 deals with app developers to figure out the “real market value” of Facebook user data to learn “what developers would actually pay.”
Zuckerberg ultimately decided not to charge outright for data access, but before implementing the sweeping changes in 2015, he explained in 2012 that access to Facebook data should be contingent on developers sharing “social content” generated by their apps back to Facebook and paying for advertising.
According to NBC News, the newly leaked documents could further an antitrust case against Facebook by establishing the value that Facebook placed on user data.
But if regulators can show that users were paying for access to Facebook with their personal data, and that Facebook valued that data as leverage against competitors, that could expose Facebook to an antitrust complaint, said Jason Kint, CEO of Digital Content Next, a trade association representing digital publishers.
“These emails clearly establish the value of consumer data to Facebook,” Kint said. “It shows that it is not free.”
The full exploration into Facebook’s data sharing practices and additional details gleaned from the leaked documents can be read over at NBC News and is well worth checking out for anyone interested in Facebook’s motivations.