Facebook: Dumb or Evil?

There’s been lots of pretty negative news coming out of Facebook over the past few years.

I’ve only touched on a couple of things (smartphone privacy, social engineering), but it’s looking more and more like Facebook is either grossly incompetent or a bad actor when it comes to respecting their customers’ information and privacy.

The latest news (as of late April when I write this, that is) is Facebook violating users’ private email accounts.

This story came to light when the Daily Beast published the story “Facebook Demanding Some New User’s Email Passwords”. This isn’t a mistake either – Facebook didn’t deny the claim, they just reiterated that they “don’t store the passwords” and that they will stop the practice (after collecting thousands of passwords).

Well, it looks like there’s a good reason that Facebook wasn’t storing these passwords. According to a new article by Business Insider, they were using the password to log into a user’s private, personal email address and upload that user’s contacts and address book to Facebook. All without the user’s permission or even a way to cancel the operation once it had begun.

At this point, it’s hard to see Facebook as anything but a siphon for all of your personal information. Whether or not you give them permission to have or use your data, they will take it.

Of course, Facebook claims that users’ contacts were “unintentionally uploaded”. I don’t know how Facebook has engineers and software developers so talented that they can accidentally write code to log into a wide variety of email servers, find a user’s address book, and upload that information to Facebook, but I guess that is the most logical explanation. Certainly they would do this without permission and stop it the moment it is discovered.

This accidental upload happened to about 1.5 million users, and has been accidentally ongoing since 2016. That’s a long time for Facebook to not notice what’s going on within its own system.

Naturally, Facebook claims they will delete the contacts that were uploaded “mistakenly”, but all that information has certainly been fed into the algorithms and databases that control the ad targeting and friend suggestions, so the fact that the raw data is deleted is of zero consequence to Facebook – they already have what they need.

To add (more) icing to the top of the shit sandwich that is Facebook and privacy, there’s more bad news.

Facebook “recently discovered” that passwords for some users of Facebook, Facebook Lite, and Instagram were being stored in plaintext in databases. Hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and millions of Instagram users had passwords potentially available for anyone who wanted to look.

Facebook claims that these databases with plaintext passwords were “not internally abused or improperly accessed”. But if you believe them, at this point you kind of deserve whatever you get.

This is yet another good reminder of why you shouldn’t reuse passwords from site to site!

And also why Facebook is a site that you should stay away from.