Facebook sues scraper who sold 178 million phone numbers and user IDs

Facebook has sued a Ukrainian national for allegedly harvesting and selling personal data describing 178 million of the Social Network™'s users – actions it says violate the service's terms of service. The suit alleges that Alexander Alexandrovich Solonchenko created millions of virtual Android devices, each with a different …

  1. sanmigueelbeer Silver badge

    If Zuck really wants to stop this guy from doing it again, HIRE HIM.

    1. Precordial thump

      No. Clever enough to get for free what Cambridge Analytica paid $$$ for? Sue his nadgers off!

      Please try not to notice that Faecebook let him do it.

  2. andy 103
    Stop

    So Facebook are actually in the right here, for once

    There'll be a lot of Facebook-bashing since this is The Reg but this is actually one instance where I'm on their side.

    There's no "presumably" about "presumably so they could contact them on Messenger rather than through other means". When users do this, they are knowingly supplying their entire contacts list to Facebook and it's clear from the Terms (that nobody has read) that that's what they do with the data. Last time I looked there were over 1 billion people who use Messenger on at least a monthly basis - that's quite a lot of people!

    There's scraping where you're telling people what you're doing and they're agreeing to it..... then there's scraping and selling data illegally. In this case Facebook have done the former whilst this moron has done the latter.

    1. werdsmith Silver badge

      Re: So Facebook are actually in the right here, for once

      Then there’s Facebook telling person A that it will access their phone contacts, and person A agrees to it. But person B is in that contact list and doesn’t agree to it, but doesn’t get asked and Facebook don’t give a shit. The shadow profile doesn’t seem to involve consent.

      1. andy 103

        Re: So Facebook are actually in the right here, for once

        Yes, but from a legal perspective they don't have to give a shit.

        If you give somebody your phone number and they store it in their phone, you don't each agree to a set of legal T+C's about what that person may or may not do with your number. If they want to write it on a wall of a public toilet and say phone this number for sex what are you going to do about it? You've given them your data but there's no legal basis to restrict what they do with it...

        1. tiggity Silver badge

          Re: So Facebook are actually in the right here, for once

          No

          Lots of people have my phone number in case of needing to get in touch with me in an emergency, family, friends, even elderly next door neighbour.

          I have no option (other than deciding to be absolutely selfish instead of being a normal person who cares about welfare of others) to give these people my number... I can tell them not to share it around etc, but you know most people are numpties (yes lots of my family / friends included) and will happily accept the "improve your experience by importing your contacts" BS that FB and other social media slurpers pummel them with until they submit.

          FB etc rely on people giving in to "better experience worded" demands for contacts, which means, even though I do not use FB, they probably have my number from relatives or friends.

          As far as I am concerned, that should be illegal under GDPR as FB do not need it, I have not consented to it.

          1. andy 103

            Re: So Facebook are actually in the right here, for once

            > I have not consented to it.

            This is exactly the point I was making. It's called a loophole. You personally do not need to consent to Facebook having your number, in order for them to obtain it. Because the people who are asked to give consent are the ones who are giving it away. But it's funny how people such as yourself point the finger at Facebook, when it's actually their "friends" who are knowingly and willingly giving Facebook that data.

            The loophole works because whilst your phone number is yours, the people (e.g. your friends / neighbours) who have your number stored in their phones are the owners of that data - and the ones who are consenting to it being given away. If those people did not give consent for Facebook to have it then yes that is illegal.

            But nobody ever blames the people who have actually given it away... it's easier to say it's Facebook's fault.

            > As far as I am concerned, that should be illegal under GDPR

            It isn't, and that's what you really have a problem with.

            1. Anonymous Coward

              Re: So Facebook are actually in the right here, for once

              > The loophole works because whilst your phone number is yours, the people (e.g. your friends / neighbours) who have your number stored in their phones are the owners of that data - and the ones who are consenting to it being given away.

              It is not a loophole from a GDPR perspective, it is specifically "allowed" (with regard to those individuals, i.e. family & friends, having your details and sharing them) as GDPR does not apply "in the course of a purely personal or household activity".

              However the same Article (18) of GDPR then says "However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities." which means that GDPR does cover Facebook both for the direct social/unsocial services they then provide to their users (likely to be compliant), and *also* for the additional processing (likely to be non-compliant), e.g. building up shadow profiles, sharing with 3rd parties, etc, that they do in addition.

            2. Anonymous Coward

              Re: So Facebook are actually in the right here, for once

              Even if that doesn't apply to private persons, there is that little ugly fact that every business person who has client numbers in their phone and then installs WhatsApp is effectively in direct breach of the GDPR unless they sought prior permission from said private persons to transmit their personal details to unregulated third parties (I'm summarising, the correct phrase is a bit longer but you get the gist).

              Right now. No excuses.

              1. Anonymous Coward

                Re: So Facebook are actually in the right here, for once

                > there is that little ugly fact that every business person who has client numbers in their phone and then installs WhatsApp is effectively in direct breach of the GDPR unless they sought prior permission from said private persons to transmit their personal details to unregulated third parties

                When you say "business person" are you referring to sole traders or employees of companies/PLCs? Typically for employees acting in the course of their job then any breach of GDPR will have been made by the company/PLC rather than the employee as the company carries the responsibility of compliance. Obviously for sole traders there is no company and so they themselves as individuals may be breaching GDPR.

                Also when you say "their phone" do you mean their employer's phone or their own personal phone? Employees should *not* be using personal devices for company business and indeed their employer should have a policy in place to ensure this does not happen (including supplying employees with company phones/tablets if needed). Employees should *not* for example be checking company email (which will include personal data and possibly special category data) on their own personal devices (phones, tablets, PCs). Likewise company policy should define/control the installation of apps, such as WhatsApp, on devices and MDM should enforce any restrictions necessary (blocking certain apps, autoconfiguring other apps) for GDPR compliance.

                What about bring-your-own-device (BYOD) I hear you say? Well that is risky with regards to GDPR. Yes you could BYOD if your employer required you to install device management software (MDM) to "partition" the device between work-related storage and non-work - personally I'd never install an employer's MDM software as then, from my own perspective, I'd be losing control (and potentially security/privacy) of my own device.

                For many years I've been used to carrying 2 phones - my own and my employer's. The employer's phone gets turned off out-of-hours unless I'm on call.

          2. Alan Brown Silver badge

            Re: So Facebook are actually in the right here, for once

            "I can tell them not to share it around etc, but you know most people are numpties"

            Those of us under GDPR coverage (including the UK for now) have a few more legal rights on this than left pondians

            we don't HAVE to agree to terms. It's not legal to spread third party phone numbers around without their permission

        2. Doctor Syntax Silver badge

          Re: So Facebook are actually in the right here, for once

          "If you give somebody your phone number and they store it in their phone, you don't each agree to a set of legal T+C's about what that person may or may not do with your number."

          If I give someone my phone number it's for their use to contact me. There's an implied limitation there. I'd hope that if someone else asked them for my number they'd check with me first as that's what I'd do in the reciprocal situation.

          As to your straw man argument - that would very likely be an offence under some aspect of common law.

    2. DS999 Silver badge

      Re: So Facebook are actually in the right here, for once

      What really sucks about the contact list importing is that it brings a bunch of names/numbers into Facebook's data collection maw without the consent of that person.

      If I have you in my contact list and I'm dumb enough to allow Facebook to import my contacts, now they have your name, phone number, and anything else about you I might have in my contacts (i.e. email, home address, birthday, even a photo) even if you have never used Facebook.

      If you are a Facebook user and we share some of the same contacts, Facebook will show us each other in "people you may know". The first time I saw that for someone I did know but vaguely remembered working alongside during a consulting engagement years ago I was shocked. How the fuck did Facebook know I might know this person? It wasn't until I figured out that we must both be in the contact lists for a few people we worked alongside at that client who were dumb enough to upload those to Facebook and it figured out we might know each other. Creep factor: maximum!

      1. Anonymous Coward

        Re: So Facebook are actually in the right here, for once

        > If I have you in my contact list and I'm dumb enough to allow Facebook to import my contacts, now they have your name, phone number, and anything else about you I might have in my contacts (i.e. email, home address, birthday, even a photo) even if you have never used Facebook.

        Installing WhatsApp does that to a degree already automatically. No need for you to thus upload said set explicitly to FB, that merely provides Zuck with validation.

    3. Dan 55 Silver badge
      Meh

      Re: So Facebook are actually in the right here, for once

      Perhaps Facebook should have an API which IP and rate limits and requires a login to access contact data, instead of leaking everything like a sieve and relying on EULAs afterwards because the developer didn't pay enough or wasn't one of Zuckerborg's bestest friends, if he has such things.

    4. Chris G Silver badge

      Re: So Facebook are actually in the right here, for once

      Don't forget, it was FaceBarf's system that enabled him to do what he did.

    5. Anonymous Coward

      Re: So Facebook are actually in the right here, for once

      > There'll be a lot of Facebook-bashing since this is The Reg but this is actually one instance where I'm on their side.

      Really? Here is a question for you:

      How did this person have open access to that dataset in the first place?

      Either FB's security sucks, or they provided this data willingly without ensuring any controls. Whatever way you turn this, it starts with Facebook.

  3. Shady
    Joke

    178 meeeeelion phone numbers?

    That's a helluva lot of effort, wouldn't it be better to write something like for(var x = 07000000000; x < 07999999999; x++) ?

    1. Anonymous Coward

      Re: 178 meeeeelion phone numbers?

      Octal phone numbers?

      1. ICL1900-G3 Bronze badge

        Re: 178 meeeeelion phone numbers?

        It's the way ahead.

  4. jollyboyspecial

    I never understand why people make personal details like phone numbers and email addresses public on social media platforms. However I do think it's more than just a little bit dodgy to set things like that as the default behaviour from which the user has to opt out.

    The default should be publish nothing, but on most platforms publish everything seems to be the default. Surely under at least one jurisdiction the very act of publishing everything would be a breach of data protection law. After all stuff like that should be opt in.

    1. Cereberus
      Devil

      I think you missed something. If you print out the full T&C's then go to:

      Page 382

      section 163

      sub section 8

      part iv

      sub section 2

      clause a

      it clearly states

      The person of the 3rd person is hereby notified of the person in the 1st person by way of section 86, sub section 12, sub sub section 15 clause D that the permitted use of data is subject to paragraph 83iiii where activities that meet section 181 where it does not conflict with section 14 unless exceptions as listed in Appendix R, part 15a, will be classed under the 4th person justification of authorisation by notification of the 3rd person relating to the 2nd person under section 199 subject to clause 23a part xiv of section 99 excluding conflict under the 5th person position against the 3rd person in accordance with section 118 of the codex of standardised field excavation operational impacts on clause 55 of section 87 of the 2nd person prioritised solution based incentivising of the 4th person except where prior exclusions apply where accompanied by supporting evidence in the agreed format according to Appendix V.

      That should clearly let you know your position with regard to how we are able to use any data that becomes available to us.

      1. Vometia has insomnia. Again.

        That was actually rather poetic.

  5. Anonymous Coward

    "These terms prohibit misleading or fraudulent activity, collecting data from Facebook products through automated means, and selling or making platform data available without written consent" ... "That's our job"

    1. elsergiovolador Silver badge

      It would be great to know if they have a special agreement with Google about having Google bot not scraping their endpoints.

      Regular Joe cannot make Google bot stop scraping. You can make it "ignore" the page, but it will still have to fetch it in order to see the "noindex" meta tag or a response header.

  6. elsergiovolador Silver badge

    Scraping

    Is only okay when we do it!

    I mean if Facebook wins, does it mean people will be able to sue Google for scraping their websites without consent?

    1. Anonymous Coward

      Re: Scraping

      I suppose someone will be along to mention "robots.txt" very shortly.

      But it occurs to me that "no robots.txt => implied consent for scraping" is somewhat along the lines of having to "opt out" (of scraping); rather than being the "opt in" model often preferred around here for many things.

      Either way, I would doubt there is a lawsuit in it.

      1. elsergiovolador Silver badge

        Re: Scraping

        Robots.txt does not stop Google bot from scraping. There is no way to stop it apart from checking reverse DNS and then dropping the packets if it matches Google.

      2. andy 103

        Re: Scraping

        That isn't how robots.txt works. It tells search engines whether they can index *publicly accessible* content on a website. Unless there's a page which is readable to anybody which lists all users' phone numbers, robots.txt simply isn't involved in this equation.

        1. Anonymous Coward

          Re: Scraping

          (1) Scraping of websites, as mentioned in the head comment, is a general term and not one that only applies to "all users' phone numbers" (or indeed any other specific type of data on the website that you may consider of particular interest).

          (2) A robots.txt might request that the site was not scraped (indexed). If Google was polite, then at the request of that file, Google might indeed *not* index (scrape) the content of the site.

          (3) Therefore, a robots.txt might indeed stop "Google [...] scraping their websites without consent", always assuming google was well-behaved in this regard.

          However, as pointed out, having to put in place an appropriate robots.txt to stop a (notionally well-behaved) Google from scraping is an opt-out process; and not one where the absence of robots.txt is taken by webcrawlers to mean "no content is to be indexed".

          1. andy 103
            Mushroom

            Re: Scraping

            It's quite worrying how poorly educated Reg readers are.

            What do you think is being indexed exactly? robots.txt tells search engine crawlers whether or not they should index content - content which is accessible to anybody, i.e. on public web pages - not behind a login or stored in a database that's otherwise inaccessible except for authorised/authenticated users. A Google bot cannot get around a login screen (hint: it doesn't have any credentials to enable it to log in!).

            The only way that Google could "scrape" phone numbers - with reference to this story - is if there was a publicly accessible web page (or pages) on Facebook which listed out individuals' phone numbers. There isn't. To see somebody's phone number you have to be:

            1. Logged in

            2. Either a connection, or the user has set their phone number to "public", which isn't even the default setting.

            In any case (1) still applies and a Google bot cannot index phone numbers on people's Facebook accounts.

            It really does concern me how Reg readers make posts like they know what they're talking about. Go and actually try it if you think otherwise. Google your phone number and see if there's anything on the domain facebook.com for it. (There won't be).

            If you're going to be really pedantic about it indexing the names of people's profiles, there's even a setting in Facebook where you can stop search engines indexing your page.

  7. Howard Sway Silver badge

    Hope they're successful

    Then I'll be able to sue them for no doubt having obtained my phone number and stored it without my consent via some of my friends' contact lists, thus violating MY terms of service. And if Facebook didn't consult my terms of service before doing this, that's no defence, according to them.

    1. Twanky Silver badge
      Trollface

      Re: Hope they're successful

      They'll be able to afford better lawyers than you - and possibly also judges.

  8. LazLong

    Fuck Zuck, and his harmful products. Boycott Facebook and all their products.

    1. Version 1.0 Silver badge
  9. Mark 85 Silver badge

    'Tis a strange beast, indeed this Fecesbook.

    I don't have an account nor have I ever. Yet, I note that I get "notifications" from FB about Friends Requests. People (allegedly) that I've never heard of in places I'm not familiar with are all allegedly from women. I suspect that this article explains it all. And not just email to my real addy but also some throwaway accounts. Maybe one of these days I should actually open an account and search myself there and see how many accounts are me? Nah...that's just opening Pandora's box.

    1. Twanky Silver badge

      Re: 'Tis a strange beast, indeed this Fecesbook.

      Opening Pandora's box:

      Releasing all the evils of the world but leaving Hope behind trapped?

      Yup.

  10. russmichaels

    It's a bit pot calling the kettle black isn't it....

    we all know that Facebook sells our data to everyone who wants it.

  11. Sam Therapy

    Online shoe salesman?

    The utter, utter bastard!

    1. VulcanV5

      Re: Online shoe salesman?

      Dreadful to think how many people have innocently given him their feet sizes and color preferences.

      Never trust a Ukrainian bearing shoes is an old adage yet as true now as it never was.

  12. arachnoid2 Bronze badge

    Phone spamming software

    There are phone spamming software apps that work in a similar fashion like Truecaller, it too collects others' phone numbers without their consent. In that they download your phone book and many thousands more to use as a database to inform you who is calling you up and if it's a spam caller.

    I just came across one with an answerbot which seems so hilarious https://www.youtube.com/watch?v=WNq_i7mmb2E

  13. Drone Pilot

    But are the ramifications?

    An American court has no jurisdiction over a Ukrainian citizen. So if Zuck wins, what then?

    The Ukrainian creates a profile called "HonestJoe99" and sells it anyway.

  14. Rob Davis

    solidproject.org - Tim Berners-Lee - profile information stored at the edge and permission to share

    This issue with regard to contact sharing looks like it could benefit from the work Tim Berners-Lee is doing, as reported in TheRegister recently: https://www.theregister.com/2021/10/04/column_data_privacy/

    I think this is about his work on the solidproject.org

  15. Jonjonz

    Those terms of service are BS, and any judge should have the sense to see that.

  16. Nocroman

    Now where do I sign up to sue facebook for allowing my data to be stolen due to their incompetence and to get a cut of the money facebook gets from this thief that stole my data from facebook? I am the victim here and I and others should be the ones getting billions from both of them as we own the data stolen.

  17. Tree
    Pirate

    FaceBUTT wants its monopoly back

    Your private information is very important to US. We don't want others to acquire it without paying us. Did not you read our Terms of Service? If you did read, and did not understand, you deserve to be spammed, scammed and swindled. That is why we change it all the time so the average trial lawyer cannot figure it out.

  18. grumpy-old-person

    But surely Facebook (and zuckerberg) should be held responsible for the leak?

    The person who used the flaw is guilty of USING the leak not having a piss-poor system that made it possible.

    Don't hold your breath until Facebook is held accountable - it will probably never happen!


Biting the hand that feeds IT © 1998–2021