• by Ray Schultz , Columnist, April 18, 2019

On top of all its other privacy offenses, Facebook has unintentionally uploaded 1.5 million email addresses of new users.

It claims the emails were not shared with anyone, and says it is deleting them, according to reports. But the potentially actionable breach puts the social media giant under additional scrutiny.

Business Insider reported Wednesday night that Facebook had “harvested” the email contacts “without their knowledge or consent when they opened their accounts.”

Facebook describes it this way: "When we looked into the steps people were going through to verify their accounts, we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account," according to CNN.

That’s enough of an offense in GDPR terms.

Facebook reportedly claims that it discovered the problem — the result of a design change in its email verification process — this month. 

But it instituted that design change two years ago, it says. And in 2016, it allegedly removed language that said contact information could be uploaded, thus removing any chance for consent. 

“If the company was prepared to download contacts without permission, why would it not also metadata tag email content inside those third-party services for commercial advertising purposes?” asks Zak Doffman on Forbes.

Facebook says it has notified affected users, but it remains to be seen whether it did so within the 72 hours required by the GDPR.

Ashkan Soltani, a former chief technology officer for the Federal Trade Commission, called the breach "one of the most legally actionable behaviors by @facebook to date,” according to CNN. 

Dan Goldstein, president of digital marketing agency Page 1 Solutions, comments that "Facebook's principal defense to many of the privacy criticisms in the last year-plus is that malicious third parties misused the platform to access private user data. This claim really doesn't hold water at this point, now that we know that Facebook actively rode roughshod over issues of consumer consent in order to collect data.”

Goldstein continues that, “taken in concert with recent revelations that Mark Zuckerberg approached third parties to gauge the market value of user data, this latest headline is chilling. It paints Facebook as a glutton for data, even among internet users who aren't signed up on the platform.” 

Zuckerberg has put out the dubious notion that Facebook’s new model is going to be built on privacy, and that the U.S. should have a GDPR-style law. But the firm can’t seem to get out of its own way.

For instance, Cisco Talos Intelligence Group claims that it has compiled a list of 74 groups “whose members promised to carry out an array of questionable cyber dirty deeds, including the selling and trading of stolen bank/credit card information, the theft and sale of account credentials from a variety of sites, and email spamming tools and services.”

These groups have 350,000 members altogether, it adds. 

The 1.5 million addresses that Facebook uploaded would make a nice email list for sale on the dark web. Goldstein says, while not linking to that issue, says, “We'll likely never know what if anything Facebook intended to do with non-user email addresses.”

And don’t forget that just last month, passwords on hundreds of millers of Facebook users were exposed, and tthey were searchable by employees.

Then there’s that NBC report earlier this week that Zuckerberg “leveraged Facebook user data to fight rivals and help friends."

Zuckerberg has plenty to keep him awake at night. Facebook could also be hit with massive fines in Europe for allegedly not shutting down terrorist sites.

But here’s the real question about the privacy breach: How many more?