back to article Would be so cool if everyone normalized these pesky data leaks, says data-leaking Facebook in leaked memo

Facebook wants you to believe that the scraping of 533 million people’s personal data from its platform, and the dumping of that data online by nefarious people, is something to be “normalised.” A blundering Facebook public relations operative managed to send a journalist a copy an internal document detailing the antisocial …

  1. b0llchit Silver badge

    Tactics of the ...

    Lets see, can I write a story about the problems we are facing. Dear sir, we are vigorously defending the privacy of all our customers and will...

    LOOK OVER THERE! See that cute cat? We love to see cats on our platform. Everybody likes cats. Many sites have cute cats and we have the best cute cats of 'm all.

    The problem we are facing is a common industry problem. We are only a diminishing small part of that problem. We are currently in talks with our partners and industry leaders to see how we effectively can solve any possible and potential issues. By the way, we have also been discussing how we can make sharing our cute cats more easy between platforms and will make a public announcement soon.


    Yes, I hate it too, this sarcasm thingy, but it almost writes itself, doesn't it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Tactics of the ...

      What was that? I loved the pictures of cats!!!!!

    2. Precordial thump Silver badge

      Re: Tactics of the ...

      Given the weasel words which make up Faecebook's statement, cute pictures of mustelidae are about to start trending.

      Committed to tackling it, but not actually tackling it.

      1. WanderingHaggis

        Re: Tactics of the ...

        Weasels and cats wow

  2. Chris G

    The nitty gritty

    Is this: "make scraping from Facebook without our permission more difficult and go after the people behind it."

    Because they don't care about people's privacy or even their their data being stolen, as long as it is Feacebook doing the stealing and so long as they can monetise it when that data is exposed to the world.

    A quote from WebMD:

    Some experts see sociopaths as “hot-headed.” They act without thinking how others will be affected. Psychopaths are more “cold-hearted” and calculating. They carefully plot their moves, and use aggression in a planned-out way to get what they want.

    FB are certainly the latter.

  3. James O'Shea

    time for some joy

    Let's just say that the guys behind The Joy of Tech are NOT fans of Facebook or Zuckerbgorg.

    1. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    normalise what exactly?

    1. You put a piece of information on a public website.

    2. You set the visibility of that information to "public".

    3. Other people come along and read that information, then use it for whatever purpose they like.

    There is nothing to normalise here. "Scraping" is merely reading. If you don't want someone to read your information, you have two choices:

    1. Don't put it on Farcebook (preferred option).

    2. Set its visibility to private.

    Of course, Farcebook don't want to admit this because then people might post less and read less and view fewer ads in the process. But the simple fact is that every aspect of this was and is to be expected. That's what setting the visibility of your information to public means. You can't normalise what's already normal.

    If you ask me, this wasn't an accidental leak of their strategy, it *is* the strategy. By pretending there's something unexpected about someone reading public information, they get the proles to imagine they see something wrong with that, which in turn will (a) make the gullible think Farcebook do care about preventing those bad nasty people reading their publicly accessible publicly readable public information that they chose to share publicly and are perhaps slightly less evil for it, and (b) generate an uproar among people who still don't know what "public" means so that Farcebook can then pretend to walk this back and impose a lot of tedious controls to limit this reading of public information by third parties. Why? Because they want to keep their monopoly on the use of that data. They have no interest in treating "public" as what it's meant to be, they want it to mean "Farcebook can read and use this data however we want, but no one else can". Pffft.

    You know what I'd like to see normalised? Not having a Farcebook account. Let the time come when saying you have one elicits a response akin to that you'd get when admitting you eat toe cheese.

    1. DCdave

      Re: normalise what exactly?

      The point is that the data likely did not come from scraping. Look at the amount of it.

      As an aside, Facebook have my number even though I did not give it to them. I assume they have it from one or more of my friends and acquaintances sharing their contacts. The only reason I know that Facebook have the number is because a couple of years ago their website asked me to confirm that it was my number, which I did not.

    2. iron Silver badge

      Re: normalise what exactly?

      If you don't know anything about a story and didn't bother to read it, it would be best to keep quiet lest you demonstrate your ignorance.

    3. Kane

      Re: normalise what exactly?

      "2. Set its visibility to private."


    4. Cliffwilliams44 Silver badge

      Re: normalise what exactly?

      From what I've seen Facebook "WANTS" as much of your information public as they can. In trying to secure my wife's Facebook account it is an exercise in tedium to make sure things are not public. These setting are public by default, are hard to find and cryptic. And in some cases once set, will revert back to the defaults (public) some time in the future without your knowledge or consent!

  5. Short Fat Bald Hairy Man

    Self run? Paid for?

    I have always wondered why we accept free accounts and expect no problems.

    I had a student who did a big data course with all the gory details. The word she used to describe the companies (we know who they are) was "creepy". This was at least six years ago. I doubt whether things are any better now or will ever be.

    I try to keep away from these accounts but inertia!

    Maybe we should have a paid service or self run a mastodon server?

  6. Anonymous Coward
    Anonymous Coward


    chicken or egg?

  7. Archivist

    No accident

    Was this an accident? I think not. This is part of the "normalisation" process.

  8. ghp


    Just want to register that flemish journalist Pieterjan writes his articles in Dutch, and rather flawless, as all flemish do - in Dutch that is, not flawless. In case you wanted to apply Hoehl translate. "Hoehl" is Flemish.

    1. sabroni Silver badge

      Re: Flemish?

      Corrections link, bottom right of the story.

      Might take a while for them to notice a comment.

    2. onemark03

      Re: Flemish?

      The article is indeed in standard Dutch (Algemeen Beschaafd Nederlands, or ABN).

      Flemish is a dialect of Dutch spoken mostly in Flanders:

  9. don't you hate it when you lose your account

    the information is already public

    Facebook will bleed you for their own profit. The horror is so often the blood is real.

  10. Security nerd #21

    People still forgetting the Facebook financial model

    The data that was leaked, was scraped "accidently" from Facebook's site. They would have sold it to whoever paid them anyway - that is how they make their millions / billions.

    The fact that that someone acquired it for nothing, is bad in Facebook's eyes, so they closed the door on this.

    If something is free - you are the product...

    And re the above comment about it being creepy - yes Facebook / Google et al tracking & monetisation is insidious - web marketeers give them the data for their customers, and buy their own customers data back in bulk ...meh

    1. Sgt_Oddball

      Re: People still forgetting the Facebook financial model

      It was scraped accidentally.... People are supposed to pay for the access to the data, not get it for free.

  11. Anonymous Coward
    Anonymous Coward

    They were already doing it....

    Re-read what they told The Register in the article about the IDPC investigation: "“These features are common to many apps and we look forward to explaining them and the protections we have put in place.”

    "Common"... so "nothing to see here, please, move on"... as if being "common" means it is "acceptable" and "legal".

    It looks now utterly unable to find other arguments they'll try to defend themselves it's unavoidable so eat it, and they are "too big too fail". And they will graciously explain it to you, because it looks you don't understand the Facebook New World.

    If there is a perfect company to test the the effects of the whole 4% GDPR fine that's Facebook.

  12. Anonymous Coward
    Anonymous Coward

    Genuinely curious....

    But don't they sort of have a point to a certain extent? Bear with me here....

    People do not think twice about posting personal information in the public domain. In which case, that information is fair game, right?

    Back in my early innocent days, I had my email links lifted from my little, innocuous web site that are *still* doing the rounds. I made that info public and in a form that could be scraped. My fault entirely. That's from over 21 years ago!

    So, data scraping by people with ulterior motives is something that happens all the time. Has been for years. This is the norm I'd say, like it not.

    However, if its information that is marked as 'private' being held by another company - that's a little bit murkier. If that gets leaked from a company site that claims to protect it, then indeed this type of event should NOT be normalized. People will be using that site in the belief that the data is safe, both from internal and external scraping.

    So, when "miscreants helped themselves to 70GB of names, phone numbers, dates of birth, email addresses, and more from people's Facebook profiles, thanks to a security weakness in the platform" - this is something NOT to be normalized. The data was scraped due to a security weakness, not an individual's desire to share information.

    But here is the sting in the tail....."that they will frame the recent 533 million data leak as a ‘broad industry issue’ and that they want to normalize this".

    To me it seems to suggest that FB believe that, in general, sites that claim to hold data securely are actually not that secure at all, and that is the 'normal' state of things. The sad thing is, given the number of data breaches that get reported, FB may actually have a point.

    I am interested to hear what others think.

    1. Doctor Syntax Silver badge

      Re: Genuinely curious....

      Facebook are arguing to legitimise this use of personal data. In the EU and even in the post-EU UK GDPR illegitimatises it. Bring on the 4% - in each jurisdiction.

      1. Anonymous Coward
        Anonymous Coward

        Re: Genuinely curious....

        I'm the OP.

        Ahh - OK. That's an angle I didn't spot. I was concentrating more on the fact that data breaches happen all the time, and I get the feeling we're all getting desensitized to it.

        To clarify, I don't agree with what FB are saying, I'm just playing Devil's advocate!

        Thanks for pointing that out!

    2. Graham Cobb Silver badge

      Re: Genuinely curious....

      People do not think twice about posting personal information in the public domain.

      Some people post personal information. Others don't. Yet others may have done in the past, but have changed their mind. GDPR requires that all three of these are supported and Facebook must both protect the data it has with permission and comply with the user's wishes about changes to those permissions.

      Facebook is attempting to change the narrative by convincing people that "everyone has your data and the industry can't solve the problem". That is just not true. Other companies, competitors of Facebook, are protecting data and even providing tools to control the data they collect. We owe it to those companies to make sure Facebook are hit with the full costs of their failure to do the same. That is what massive fines are for - not to help us but to help the competitors of firms who are ignoring the law.

      1. Anonymous Coward
        Anonymous Coward

        Re: Genuinely curious....

        I'm the OP.

        I completely agree. I say in my original post that such security breaches should not be normalised. Its an event that should be dealt with in the prescribed manner applicable in each country (GDPR or otherwise).

        What I was trying to get across is that we see far too many security breaches, and *that* seems to be becoming the norm (how many times have we all sat here and read of yet another data breach, we all furiously tap away on the keyboard and have our say).

        I don't condone FB using that as an excuse for them not doing anything, and you are absolutely correct in that FB should be held to account.

    3. Cliffwilliams44 Silver badge

      Re: Genuinely curious....

      But the gist is that information on Facebook "IS PUBLIC BY DEFAULT"! One can only surmise that this is what Facebook wants. Yes, they are upset that someone monetized "their" data without their permission but what did they expect when "they" by default make that data public.

      The fact that they make it difficult to make the data private only enforces the idea that they want it public. People are stupid, they will accept the default settings on any app you throw at them unless the defaults settings explicitly don't work for them or you throw it in their face that the default setting are not safe!

      It is just like the 50 email address CC. You can tell people until your blue in the face not to do that and to use BCC, will they listen? No. This is why you put limits on the number of CCs on an email leaving your organization.

  13. Doctor Syntax Silver badge

    a spokesperson said: "It shouldn’t surprise anyone that our internal documents reflect what we’ve said publicly."

    And then said it publicly so as to validate the statement.

  14. Graham Cobb Silver badge

    Don't collect that data!

    "As LinkedIn and Clubhouse have shown, data scraping is an industry-wide challenge which we are committed to tackling and educating users about. We understand people's concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it."


    Just don't collect that data. Then you can't lose it.

    If there is some personal data that you have which is essential to delivering your service (such as a delivery address for Amazon, or an email address) then I expect it to be protected as well as credit card data is protected. And if it isn't, the regulator should be coming straight to the door with a percentage of turnover fine.

    Also, they must not process one customer's data to collect data on another. If I found that Facebook thought it knew my email address or phone number because of something someone else told it (like uploading their contacts) then I would raise an immediate GDPR complaint for processing my data without my permission. I have never had a Facebook account, and never will, and they must not have any personal data of mine in their system.

    1. Cliffwilliams44 Silver badge

      Re: Don't collect that data!

      Your missing the point! They want the data public. They want people to find other people on Facebook and be able to contact them. They want that user to search for the girl he knew in High School, find her profile, See her current picture (wow she's still hot), see her email, (Maybe i'll send her an email), see her phone number (Maybe I'll give her a call), see her relationship status (Oh yes, I will definitely call her).

      If the data isn't public this does not work and the allure of Facebook vanishes.

      They are trying to weasel their way out of this while still keeping the default setting for this data to be public.

  15. ForthIsNotDead


    There's some quite confusing nomenclature in this article. It makes reference to 'vulnerabilities' and 'scraping'. But scraping is not a vulnerability - it's merely the act of code 'reading'/parsing the output of a page (in a web context). That is not a vulnerability. It's just software, and is very very difficult to defend against.

    I'm no fan of Facebook at all, but I have some sympathy with their argument at least at the technical level. It is very very difficult to defend against scraping simply because, server-side, it is is very difficult to discern a human reader from a (cleverly developed) scraping application. Therefore, I can (up to a point) see where they are coming from. To be clear, I'm not defending the lifting of 533 million users records - and maybe that's where the vuln crept in - nefarious persons had access to more than they should have had access to. But the scraping itself is not a vuln.

    "Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact this activity happens regularly.

    I hate to say this, but that sounds reasonable enough. It does happen regularly. Heck, Google do it to most news websites the world over! In fact, they do it to YOUR site when they index it. The fight against scraping is an arms race, just like the fight against web tracking. Sophisticated, custom-written scraping apps will pause, scroll the 'screen' up and down, interact with 'like' buttons, share content etc to mimic the actions of a human user. I don't think there's much that can be done about it.

    More nefarious, and the article doesn't really point this out (though I noticed a commenter above spotted it immediately) is the obvious attempt at distraction/re-direction away from the fact that 533 freaking MILLION records were snarfed, and instead, they respond to the scraping side of the issue.

    We see you Facebook.

    1. Graham Cobb Silver badge

      Re: Confusing

      There is nothing wrong with scraping.

      There are two problems here:

      1. Facebook should not make the data they have on a user visible to anyone, without explicit permission from that user. If it isn't visible, it can't be scraped.

      2. Facebook should not be collecting information they don't need, and should not be retaining information for any longer than they need it.

      If there are really some legitimate business reasons for retaining important personal data (such as an email address) it should never be disclosed, even to close business partners. For example, if there is some scenario where a FB business partner needs your email address (and you have given permission) then FB should provide a time-limited and easily changeable forwarding address to the partner, instead of the actual email address.

      If the emails lost in the scraping incident were of the form "" then they could have all been immediately invalidated when they were lost. This is the same as credit card companies issuing new cards when a card is lost.

  16. First Light

    Accidental leak?

    Wondering if it was "accidentally on purpose" by someone disgusted at the concept. I'd like to believe that someone at FB thought it was BS.

  17. Beeblebrox
    IT Angle

    How to check?

    How can I check whether I feature in the leaked data?

    I don't have a facebook account, although I'm pretty sure some contacts of mine have, so my details could be there.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like