> A Facebook spokesperson said before May 2016, it offered an option to verify a user's account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.
> "Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account"
so Facebook discovered this bug in an audit of its code, fixed it, and planned to notify everyone who was impacted.
Can we please stop calling these privacy violations bugs? It sounds like a benign thing. These are not bugs anymore. It's unauthorized access to records of millions, and Facebook is the one who performed the violation.
I can give a dog walker or cleaning personnel the keys to my apartment; still, if they steal stuff and I have evidence, they will be prosecuted. It's not a bug that they don't have business ethics.
So a hacker took all of Equifax's data including your SSNs, address, names, DOB etc. By your analogy, all of Equifax engineers should be in jail right now!
BTW, just in case you are unaware, Equifax got away with this hack with zero fines in US.
I am making a case for the OP's comment that Facebook may have made a genuine mistake by introducing this bug - like they literally called out in their statement.
A bug is a bug, whether it allows a hacker to sneak in to steal all your data or whether it allows a company to collect data it wasn't supposed to (as in this case, Facebook specifically mentioned that it didn't turn off the feature though it intended to).
> in this case Facebook specifically mentioned that it didn't turn off the feature though it intended to
What you are describing here is in fact a lack of action, or a lack of change policy (to cause such action). That's not a bug. A bug is unintentional behaviour of some code, not some folk who've said they'll do something, but then don't.
And as for whether the original behaviour is/was a bug is also a point of contention too: that's a lot of willfully bad behaviour that's got chained together somehow to do what it did, then reviewed, signed off, and deployed — that's quite some 'accident' — I write code, and to me this whole thing just smells of a cover-up (by FB calling this a 'bug', when it very much looks to be otherwise).
I'm curious, if the message saying that "FB will also import contacts if you proceed" were still visible, would you still consider it "unauthorized access"? Is it really "unauthorized" if users give informed consent?
I doubt it, so it seems that we're just bickering over whether the accidental removal of the message is considered a "bug" or a malicious act by some engineer to trick users into sharing their data because they (and their company) lack business ethics.
Move fast and break things is not what one should do when dealing with personal information of billions of people. People need to be held accountable, Facebook has to be held accountable.
Maybe a complete engineering stop for a few months, and development of new practices and processes.
Something similar to what Microsoft did with Bill Gates' Trustworthy Computing memo, which led to the creation of the Secure Development Lifecycle, is what Zuckerberg should order.
Yeah, this seems like punishing FB for being too honest. There was no technical reason to disclose the bug.
I mean if they just quietly deleted the data that they didn't mean to collect, it doesn't seem likely that anyone would even notice.