The Facts on News Reports About Facebook Data (opens in new tab)

(about.fb.com)

70 pointseric595y ago58 comments

58 comments

52 comments · 19 top-level

yellowyacht5y ago· 13 in thread

Facebook is using doublespeak here.

> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.

.. a couple paragraphs later ::

> We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.

Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do. Which is also the definition of other "hacks", like SQL injection

TechBro86155y ago

It reminds me of their Cambridge Analytica defense. Create an Open API, make all the data available to anyone who signs up for an API key, document and market the methods for extracting the data, define its boundaries and limitations, build a platform around it, and then claim you're the victim when one of your users does something bad with the data you gave them.

omnimike5y ago

> Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do.

From the article it appears that the contact importer is an API endpoint which returns a set of Facebook profiles given a set of phone numbers. In that sense, it did exactly what the developer intended.

If I write a script to query google.com and get a response back you could say I'm not using google search as intended, but most software engineers would laugh at me if I claimed to have "hacked" Google in this way.

tyingq5y ago

See this from Sep, 2019: https://www.forbes.com/sites/zakdoffman/2019/09/12/new-insta...

"Facebook confirmed to me that the vulnerability was genuine, that the exploit would enable a “bad actor” to connect phone numbers and user details, and that it has prompted changes to be made. They pointed out to me that the exploit process is “complex,” but nonetheless did leave the platform open to abuse and put users at risk."

xmodem5y ago

At a certain level the question is academic, and lawyering over definitions only distracts from the bigger picture. I trusted Facebook with my mobile number. They permitted bad actors to mis-use their service, and now bad actors have that number. Facebook should be held accountable. Whether it was through SQL injection or a poorly-thought-out API is academic.

1 more reply

atleta5y ago

It's almost what they intended. It was an internal API that they never thought would be exploited. (I.e. used by third parties.) Calling it scraping is a pretty fat lie.

I've just checked. My phone number is in the data set. I've never set my phone number public so no one should have been able to 'scrape' it.

On a side note, I remember learning about this feature, or maybe an earlier incarnation, a few years ago when a friend showed the the profile of a girl he just met at a bar. The girl had a pretty common name so I asked my friend how he looked her up, did they have friends in common. I was really just curious how FB would now which person to show. He said "no, she gave me her number and you can look them up like so and so". (I can't remember whether you could search for the number or had to create a contact, but it's besides the point.)

I was pretty baffled because it was obvious that you could just create a very powerful white pages type of db pretty easily. Which someone apparently did for half a billion people.

This also explains how someone managed to call me from a UK number a few weeks ago trying to sell me some news paper subscription. They said they were from the "Herald digest". And they did know my name (so it wasn't just dialling random numbers.)

bostonsre5y ago

> In that sense, it did exactly what the developer intended.

Not sure they envisioned someone enumerating phone numbers and pulling all data. But that would be hilarious if they claim that's what they intended and that was a feature.

1 more reply

bredren5y ago

I thought the same thing. Is there another explanation for what this might mean?

Scraping to me is what google does, exploring links, saving and parsing data.

The contact importer presumably sourced data from iOS, google, outlook or similar address books.

You shouldn’t normally get data out that way, was it returning unexpected results from partial matches?

Maybe you could view a profile page by uploading an address book with partial, stubbed data. This page that then normally wouldn’t have been accessible to the user then was and those and any connected profiles were then crawled and scraped?

It seems to me you used to be able to view an otherwise private profile if the person had extended a friend request.

jszymborski5y ago

right, they make it sound like it was publicly available data, but it was data unintentionally made public.

Sort of like saying "people scraped publicly available information from our website" when someone grabs passwords from a public-facing MongoDB database without a password.

throwaway17775y ago

The data was from people’s public profiles, it’s not unintentionally public. the issue was making it scrapable.

2 more replies

kristofferR5y ago

Facebook also claimed that the only leaked data was "old data", phone numbers from 2019...

VectorLock5y ago

2 years is nothing in the age of mobile numbers that people port and keep for practically decades.

kerng5y ago

Yeah, seems like the definition of hacking what happened there. I mean Facebook could have at least rate limit or block this, but they had no mitigation. They even admit of having fixed it afterwards.

HappyTypist5y ago

Facebook has some of the worst and most disgusting ethics in tech. I feel repulsed that they are in the same industry I work in.

JMTQp8lwXL5y ago· 8 in thread

I'm curious if the repeated negative press Facebook has received has impacted their hiring. Boots on ground perspectives appreciated, but I can share a data point of one: I'm a very average developer, and I get at least quarterly reach outs from Facebook-- a higher frequency than I've ever heard from any FANG (or any company in general). I used to get ads on the platform for FB Engineering jobs. After I deleted the app, I started getting ads in my LinkedIn feed for FB engineering. They might have a hefty recruiting budget, or there could be challenges. On the other hand, all the negative press might attract some candidates that disagree with the media.

0xy5y ago

As long as they pay top of market (and they do), people will work for them. FB consistently beat Google and other top employers by non-inconsequential figures.

There's also the case of Google being ethically bankrupt as well (undisclosed DoubleClick tracking backdoor in Chrome).

I don't see the argument that FB is worse than Google. Google will snoop on your private messages for information that they can use to feed their advertising machine, and they have an entire browser dedicated to ad networks (they regularly implement insecure APIs that are immediately abused by DoubleClick customers, including on high profile sites).

MengerSponge5y ago

n=1, but a friend had offers from Google and Facebook, and went to Google largely because it wasn't Facebook. In my highly educated circles, McKinsey is held in higher esteem than Facebook. Thinking about that now, a few years of selecting for people who "disagree with the media" and are content with burning down society for a quick buck would really explain a lot.

If you work at Facebook and you feel compelled to tell me why your personal Faustian bargain was actually not such a bad thing, read Mistakes Were Made (But Not by Me).

https://www.goodreads.com/book/show/522525.Mistakes_Were_Mad...

esyir5y ago

Given that exact same choice, if I was looking for a job, I would unashamedly and gladly take Facebook over Google.

willhinsa5y ago

Great book

TameAntelope5y ago

I would bet a not-insubstantial amount of money that Facebook remains able to hire people more than qualified to execute the work of Facebook.

atleta5y ago

I know a guy who joined FB as a software dev manager a few years ago and left in less than a year. (Maybe after just six months.) He is definitely pretty critical and sometimes hints at how the internal culture is problematic and causing some of the issues visible from the outside. (He doesn't tell too much, though, for obvious reasons.)

mberning5y ago

They contact me constantly as well. I have zero interest in working for them.

Analemma_5y ago

I have also noticed that more than half of my recruiter emails seem to come from Facebook, i.e. that they amount for more than every other company put together.

sour-taste5y ago· 3 in thread

The attitude that this company (and many others) has towards the data they collect from billions of people is stunning. They claim that there was nothing they could do, even when one of their tools was misused to gather phone numbers. They don't take accountability for the fact that this likely already has and will continue to enable spammers and scammers to much more easily target their users. They refuse to send out notifications to affected users (which they should have done 2 years ago). We need legislation punishing companies for being negligent with the sensitive user data they collect or this shit is never going to end.

tmpz225y ago

Data they collect by abusing android and other permission systems, reading contacts in adjacent apps like WhatsApp, etc. Its gluttony that they are now pretending is a moral high ground.

shoeshoeshoey5y ago

I can only speculate but what I think we are seeing here is a statement made in earnest by a corporate communication team, crafted with significant input from a product team. To admit that this was an intrusion would be severely career limiting. So they explain it in a hand-wavy fashion, enough to get the Comms people off their back. The end result is this unsatisfying explanation.

Just speculation. There has to be a method to the madness that is Facebook press releases.

oferzelig5y ago

Same for the 'Sorry' word that is missing as I commented as well.

Any admission by Facebook can and will act against them in the [highly likely] class action that will be executed.

I'm sure their legal department checked every letter in this statement with a x100 magnifier.

adamsvystun5y ago· 2 in thread

Don't really want to defend Facebook, but the amount of cynicism and bad faith here is too much. This article should be welcome, it gives us more information on what happened. It clarifies that this was not some sort of database leak (which is much more damaging), but a API abuse that allowed bad actors to figure out people's phone numbers. Overall article brings transparency to the situation, which is good.

3grdlurker5y ago

Good for what purpose exactly? They’re not really taking accountability so where is the good that you’re talking about?

runeks5y ago

I would have preferred if this were a database leak. At least that would have shown some effort towards protecting user data. The fact that it was acquired through a public-facing API makes it much worse, in my opinion, as it shows Facebook isn’t that concerned about protecting sensitive data.

some1else5y ago· 2 in thread

Like when they used to show your name & profile picture after a failed login with just an email and empty password. Aside from being another inadvertant information leak, it would have been tragic if that was part of an attempt to decrease the (deliberate) login failure rates.

throwaway36995y ago

I had this only a few weeks ago. Is that 'feature' removed now?

some1else5y ago

Oh, wow. I can confirm that said "feature" is still live. People's names and profile pictures show up after entering their email address in the login form shrug

1 more reply

multiplegeorges5y ago· 2 in thread

> The information did not include financial information, health information or passwords.

Cool, should we assume everything else Facebook has was included?

tape_measure5y ago

And what sort of health and financial information does Facebook have?

atleta5y ago

They are profiling like crazy. I'm pretty sure they have at least an estimated income attached to almost every single of us. Also, they do have credit card numbers for those who buy ads.

But it may have just been a generic statement.

spondyl5y ago· 1 in thread

> The information did not include financial information, health information or passwords.

As someone who has an account (begrudgingly for Messenger since you can't solely use a phone number anymore) but doesn't use it, can I just say:

Wait, what?! Since when does Facebook have health information!

I don't know conceptually what portion of Facebook they're referring to but that's news to me.

aviraldg5y ago

One source of health information Facebook might have is the Oculus Move app (which tracks exercise in VR)

milofeynman5y ago· 1 in thread

My phone number was removed and my account deleted when they say this hack happened. My phone number is in the leak. Doesn that mean that my phone number was in it because other people's contacts were imported, or because they didn't actually delete my info?

HappyTypist5y ago

The contact importer should not be turning up deleted Facebook accounts, so it seems like Facebook was keeping data on you even after you deleted your account.

If you are an EU resident, this can be a GDPR violation so you should follow up.

ordx5y ago· 1 in thread

I thought US Court of Appeals established that web scraping is legal?

gruez5y ago

AFAIK the phone numbers were obtained via an account recovery exploit, not through scraping. The other fields were though.

ipnon5y ago

This is like your bank saying it's not their fault your money was stolen because someone took it away without permission. The point is that Facebook has a responsibility to keep the data you provide them secure. But the purpose of this press release is to make this responsibility seem either trivial or nonexistent.

You can show them that this responsibility is paramount. Stop giving them your data.

TechBro86155y ago

In the OP press release they say:

> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.

But if you click on the "related post" at the bottom of the page, "Taking Legal Action Against Data Scraping" (Oct 2020) [0], you'll see this sentence:

> Scraping is a form of data collection that relies on unauthorized automation for the purpose of extracting data from a website or app.

It would be interesting to hear Facebook PR team describe the difference between "Hacking" and "Unauthorized Automation", and why apparently the latter is nothing to worry about now, but was sufficient to generate lawsuits in October.

[0] https://about.fb.com/news/2020/10/taking-legal-action-agains...

ALittleLight5y ago

"Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors."

Hmm, that's interesting. I read about a court case recently that seemed to say scraping was okay and also that companies shouldn't work to prohibit scraping.

https://parsers.me/us-court-fully-legalized-website-scraping...

deepspace5y ago

> "We’re focused on protecting people’s data by working to get this data set taken down".

I am sorry but that ship has sailed. I have already received several spam messages at the unique email address I used only for Facebook login, so the data has been spread very wide at this point.

oferzelig5y ago

Somehow I couldn't find one word I was looking for in this whole carefully-worded PR statement:

"Sorry".

qbasic_forever5y ago

Deleting my Facebook account has been one of the most mentally liberating and satisfying decision I have made in the last year. I used a Chrome addon to totally delete every post and clear everything out too--why let them have anything even when I'm gone.

jiofih5y ago

Why is the headline blaming the news reporting? That is idiotic and evil.

Spooky235y ago

Facebook is amazing to me, no matter what the issue, the company responds in a weird PR speak dialect that evokes circa 1990 Phillip Morris. They have a weird voice.

zwaps5y ago

I remember the pop ups to please add your phone number, you know, just for security! They promise to never show this to anyone... and then this happens.

It’s like a comedy.

TwoNineFive5y ago

If you want your jaw to drop in regards to facebook disingenuousness regarding truth telling and the media, listen to the recent Lawfare podcast here:

https://www.lawfareblog.com/lawfare-podcast-tech-ceos-head-h...

Go to 41:18 in and listen to the story regarding Facebook and NYU's AdObserver project.

Facebook has no credibility.

j / k navigate · click thread line to collapse

58 comments

52 comments · 19 top-level

yellowyacht5y ago· 13 in thread

Facebook is using doublespeak here.

> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.

.. a couple paragraphs later ::

> We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019.

Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do. Which is also the definition of other "hacks", like SQL injection

TechBro86155y ago

omnimike5y ago

> Gee, that sounds a lot like someone abused your contact importer tool to do something you didn't intend for it to do.

tyingq5y ago

See this from Sep, 2019: https://www.forbes.com/sites/zakdoffman/2019/09/12/new-insta...

xmodem5y ago

1 more reply

atleta5y ago

It's almost what they intended. It was an internal API that they never thought would be exploited. (I.e. used by third parties.) Calling it scraping is a pretty fat lie.

I've just checked. My phone number is in the data set. I've never set my phone number public so no one should have been able to 'scrape' it.

I was pretty baffled because it was obvious that you could just create a very powerful white pages type of db pretty easily. Which someone apparently did for half a billion people.

bostonsre5y ago

> In that sense, it did exactly what the developer intended.

Not sure they envisioned someone enumerating phone numbers and pulling all data. But that would be hilarious if they claim that's what they intended and that was a feature.

1 more reply

bredren5y ago

I thought the same thing. Is there another explanation for what this might mean?

Scraping to me is what google does, exploring links, saving and parsing data.

The contact importer presumably sourced data from iOS, google, outlook or similar address books.

You shouldn’t normally get data out that way, was it returning unexpected results from partial matches?

It seems to me you used to be able to view an otherwise private profile if the person had extended a friend request.

jszymborski5y ago

right, they make it sound like it was publicly available data, but it was data unintentionally made public.

Sort of like saying "people scraped publicly available information from our website" when someone grabs passwords from a public-facing MongoDB database without a password.

throwaway17775y ago

The data was from people’s public profiles, it’s not unintentionally public. the issue was making it scrapable.

2 more replies

kristofferR5y ago

Facebook also claimed that the only leaked data was "old data", phone numbers from 2019...

VectorLock5y ago

2 years is nothing in the age of mobile numbers that people port and keep for practically decades.

kerng5y ago

HappyTypist5y ago

Facebook has some of the worst and most disgusting ethics in tech. I feel repulsed that they are in the same industry I work in.

JMTQp8lwXL5y ago· 8 in thread

0xy5y ago

As long as they pay top of market (and they do), people will work for them. FB consistently beat Google and other top employers by non-inconsequential figures.

There's also the case of Google being ethically bankrupt as well (undisclosed DoubleClick tracking backdoor in Chrome).

MengerSponge5y ago

If you work at Facebook and you feel compelled to tell me why your personal Faustian bargain was actually not such a bad thing, read Mistakes Were Made (But Not by Me).

https://www.goodreads.com/book/show/522525.Mistakes_Were_Mad...

esyir5y ago

Given that exact same choice, if I was looking for a job, I would unashamedly and gladly take Facebook over Google.

willhinsa5y ago

Great book

TameAntelope5y ago

I would bet a not-insubstantial amount of money that Facebook remains able to hire people more than qualified to execute the work of Facebook.

atleta5y ago

mberning5y ago

They contact me constantly as well. I have zero interest in working for them.

Analemma_5y ago

I have also noticed that more than half of my recruiter emails seem to come from Facebook, i.e. that they amount for more than every other company put together.

sour-taste5y ago· 3 in thread

tmpz225y ago

Data they collect by abusing android and other permission systems, reading contacts in adjacent apps like WhatsApp, etc. Its gluttony that they are now pretending is a moral high ground.

shoeshoeshoey5y ago

Just speculation. There has to be a method to the madness that is Facebook press releases.

oferzelig5y ago

Same for the 'Sorry' word that is missing as I commented as well.

Any admission by Facebook can and will act against them in the [highly likely] class action that will be executed.

I'm sure their legal department checked every letter in this statement with a x100 magnifier.

adamsvystun5y ago· 2 in thread

3grdlurker5y ago

Good for what purpose exactly? They’re not really taking accountability so where is the good that you’re talking about?

runeks5y ago

some1else5y ago· 2 in thread

throwaway36995y ago

I had this only a few weeks ago. Is that 'feature' removed now?

some1else5y ago

Oh, wow. I can confirm that said "feature" is still live. People's names and profile pictures show up after entering their email address in the login form shrug

1 more reply

multiplegeorges5y ago· 2 in thread

> The information did not include financial information, health information or passwords.

Cool, should we assume everything else Facebook has was included?

tape_measure5y ago

And what sort of health and financial information does Facebook have?

atleta5y ago

They are profiling like crazy. I'm pretty sure they have at least an estimated income attached to almost every single of us. Also, they do have credit card numbers for those who buy ads.

But it may have just been a generic statement.

spondyl5y ago· 1 in thread

> The information did not include financial information, health information or passwords.

As someone who has an account (begrudgingly for Messenger since you can't solely use a phone number anymore) but doesn't use it, can I just say:

Wait, what?! Since when does Facebook have health information!

I don't know conceptually what portion of Facebook they're referring to but that's news to me.

aviraldg5y ago

One source of health information Facebook might have is the Oculus Move app (which tracks exercise in VR)

milofeynman5y ago· 1 in thread

HappyTypist5y ago

The contact importer should not be turning up deleted Facebook accounts, so it seems like Facebook was keeping data on you even after you deleted your account.

If you are an EU resident, this can be a GDPR violation so you should follow up.

ordx5y ago· 1 in thread

I thought US Court of Appeals established that web scraping is legal?

gruez5y ago

AFAIK the phone numbers were obtained via an account recovery exploit, not through scraping. The other fields were though.

ipnon5y ago

You can show them that this responsibility is paramount. Stop giving them your data.

TechBro86155y ago

In the OP press release they say:

> It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019.

But if you click on the "related post" at the bottom of the page, "Taking Legal Action Against Data Scraping" (Oct 2020) [0], you'll see this sentence:

> Scraping is a form of data collection that relies on unauthorized automation for the purpose of extracting data from a website or app.

[0] https://about.fb.com/news/2020/10/taking-legal-action-agains...

ALittleLight5y ago

"Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors."

Hmm, that's interesting. I read about a court case recently that seemed to say scraping was okay and also that companies shouldn't work to prohibit scraping.

https://parsers.me/us-court-fully-legalized-website-scraping...

deepspace5y ago

> "We’re focused on protecting people’s data by working to get this data set taken down".

I am sorry but that ship has sailed. I have already received several spam messages at the unique email address I used only for Facebook login, so the data has been spread very wide at this point.

oferzelig5y ago

Somehow I couldn't find one word I was looking for in this whole carefully-worded PR statement:

"Sorry".

qbasic_forever5y ago

jiofih5y ago

Why is the headline blaming the news reporting? That is idiotic and evil.

Spooky235y ago

Facebook is amazing to me, no matter what the issue, the company responds in a weird PR speak dialect that evokes circa 1990 Phillip Morris. They have a weird voice.

zwaps5y ago

I remember the pop ups to please add your phone number, you know, just for security! They promise to never show this to anyone... and then this happens.

It’s like a comedy.

TwoNineFive5y ago

If you want your jaw to drop in regards to facebook disingenuousness regarding truth telling and the media, listen to the recent Lawfare podcast here:

https://www.lawfareblog.com/lawfare-podcast-tech-ceos-head-h...

Go to 41:18 in and listen to the story regarding Facebook and NYU's AdObserver project.

Facebook has no credibility.

j / k navigate · click thread line to collapse