Facebook sues scraper who sold 178 million phone numbers and user IDs Facebook has sued a Ukrainian national for allegedly harvesting and selling personal data describing 178 million of the Social NetworkTM's users – actions it says violates the service's terms of service. The suit alleges that Alexander Alexandrovich Solonchenko created millions of virtual Android devices, each with a different …
There'll be a lot of Facebook-bashing since this is The Reg but this is actually one instance where I'm on their side.
There's no "presumably" about "presumably so they could contact them on Messenger rather than through other means". When users do this, they are knowingly supplying their entire contacts list to Facebook and it's clear from the Terms (that nobody has read) that that's what they do with the data. Last time I looked there were over 1 billion people who use Messenger on at least a monthly basis - that's quite a lot of people!
There's scraping where you're telling people what you're doing and they're agreeing to it..... then there's scraping and selling data illegally. In this case Facebook have done the former whilst this moron has done the latter.
Then there’s Facebook telling person A that it will access their phone contacts, and person A agrees to it. But person B is in that contact list and doesn’t agree to it, but doesn’t get asked and Facebook don’t give a shit. The shadow profile doesn’t seem to involve consent.
Yes, but from a legal perspective they don't have to give a shit.
If you give somebody your phone number and they store it in their phone, you don't each agree to a set of legal T+C's about what that person may or may not do with your number. If they want to write it on a wall of a public toilet and say phone this number for sex what are you going to do about it? You've given them your data but there's no legal basis to restrict what they do with it...
No
Lots of people have my phone number in case of needing to get in touch with me in an emergency, family, friends, even elderly next door neighbour.
I have no option (other than deciding to be absolutely selfish instead of being a normal person who cares about welfare of others) to give these people my number... I can tell them not to share it around etc, but you know most people are numpties (yes lots of my family / friends included) and will happily accept the "improve your experience by importing your contacts" BS that FB and other social media slurpers pummel them with until they submit.
FB etc rely on people giving in to "better experience worded" demands for contacts, which means, even though I do not use FB, they probably have my number from relatives or friends.
As far as I am concerned, that should be illegal under GDPR as FB do not need it, I have not consented to it.
I have not consented to it.
This is exactly the point I was making. It's called a loophole. You personally do not need to consent to Facebook having your number, in order for them to obtain it. Because the people who are asked to give consent are the ones who are giving it away. But it's funny how people such as yourself point the finger at Facebook, when it's actually their "friends" who are knowingly and willingly giving Facebook that data.
The loophole works because whilst your phone number is yours, the people (e.g. your friends / neighbours) who have your number stored in their phones are the owners of that data - and the ones who are consenting to it being given away. If those people did not give consent for Facebook to have it then yes that is illegal.
But nobody ever blames the people who have actually given it away... it's easier to say it's Facebook's fault.
As far as I am concerned, that should be illegal under GDPR
It isn't, and that's what you really have a problem with.
> The loophole works because whilst your phone number is yours, the people (e.g. your friends / neighbours) who have your number stored in their phones are the owners of that data - and the ones who are consenting to it being given away.
It is not a loophole from a GDPR perspective, it is specifically "allowed" (with regard to those individuals, i.e. family & friends, having your details and sharing them) as GDPR does not apply "in the course of a purely personal or household activity".
However the same Article (18) of GDPR then says "However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities." which means that GDPR does cover Facebook both for the direct social/unsocial services they then provide to their users (likely to be compliant), and *also* for the additional processing (likely to be non-compliant), e.g. building up shadow profiles, sharing with 3rd parties, etc, that they do in addition.
Even if that doesn't apply to private persons, there is that little ugly fact that every business person who has client numbers in their phone and then installs WhatsApp is effectively in direct breach of the GDPR unless they sought prior permission from said private persons to transmit their personal details to unregulated third parties (I'm summarising, the correct phrase is a bit longer but you get the gist).
Right now. No excuses.
> there is that little ugly fact that every business person who has client numbers in their phone and then installs WhatsApp is effectively in direct breach of the GDPR unless they sought prior permission from said private persons to transmit their personal details to unregulated third parties
When you say "business person" are you referring to sole traders or employees of companies/PLCs? Typically for employees acting in the course of their job then any breach of GDPR will have been made by the company/PLC rather than the employee as the company carries the responsibility of compliance. Obviously for sole traders there is no company and so they themselves as individuals may be breaching GDPR.
Also when you say "their phone" do you mean their employer's phone or their own personal phone? Employees should *not* be using personal devices for company business and indeed their employer should have a policy in place to ensure this does not happen (including supplying employees with company phones/tablets if needed). Employeers should *not* for example be checking company email (which will including personal data and possibly special category data) on their own personal devices (phones, tablets, PCs). Likewise company policy should define/control the installation of apps, such as WhatsApp, on devices and MDM should enforce any restrictions necessary (blocking certain apps, autoconfiguring other apps) for GDPR compliance.
What about bring-your-own-device (BYOD) I hear you say? Well that is risky with regards to GDPR. Yes you could BYOD if your employer required you to install device management software (MDM) to "partition" the device between work-related storage and non-work - personally I'd never install an employer's MDM software as then, from my own perspective, I'd be losing control (and potentially security/privacy) of my own device.
For many years I've been used to carrying 2 phones - my own and my employer's. The employer's phone gets turned off out-of-hours unless I'm on call.
"I can tell them not to share it around etc, but you know most people are numpties"
Those of us under GDPR coverage (including the UK for now) have a few more legal rights on this than left pondians
we don't HAVE to agree to terms. It's not legal to spread third party phone numbers around without their permission
"If you give somebody your phone number and they store it in their phone, you don't each agree to a set of legal T+C's about what that person may or may not do with your number."
If I give someone my phone number it's for their use to contact me. There's an implied limitation there. I'd hope that if someone else asked them for my number they'd check with me first as that's what I'd do in the reciprocal situation.
As to your straw man argument - that would very likely be an offence under some aspect of common law.
What really sucks about the contact list importing is that it brings a bunch of names/numbers into Facebook's data collection maw without the consent of that person.
If I have you in my contact list and I'm dumb enough to allow Facebook to import my contacts, now they have your name, phone number, and anything else about you I might have in my contacts (i.e. email, home address, birthday, even a photo) even if you have never used Facebook.
If you are a Facebook user and we share some of the same contacts, Facebook will show us each other in "people you may know". The first time I saw that for someone I did know but vaguely remembered working alongside during a consulting engagement years ago I was shocked. How the fuck did Facebook know I might know this person? It wasn't until I figured out that we must both be in the contact lists for a few people we worked alongside at that client who were dumb enough to upload those to Facebook and it figured out we might know each other. Creep factor: maximum!
If I have you in my contact list and I'm dumb enough to allow Facebook to import my contacts, now they have your name, phone number, and anything else about you I might have in my contacts (i.e. email, home address, birthday, even a photo) even if you have never used Facebook.
Installing WhatsApp does that to a degree already automatically. No need for you to do thus upload said set explicitly to FB, that merely provides Zuck with validation.
Perhaps Facebook should have an API which IP and rate limits and requires a login to access contact data, instead of leaking everything like a sieve and relying on EULAs afterwards because the developer didn't pay enough or wasn't one of Zuckerborg's bestest friends, if he has such things.
There'll be a lot of Facebook-bashing since this is The Reg but this is actually one instance where I'm on their side.
Really? Here is a question for you:
How did this person have open access to that dataset in the first place?
Either FB's security sucks, or they provided this data willingly without ensuring any controls. Whatever way you turn this, it starts with Facebook.
I never understand why people make personal details like phone numbers and email addresses public on social media platforms. However I do think it's more than just a little bit dodgy to set things like that as the default behaviour from which the user has to opt out.
The default should be publish nothing, but on most platforms publish everything seems to be the default. Surely under at least one jurisdiction the very act of publishing everything would be a breach of data protection law. After all stuff like that should be opt in.
I think you missed something. If you print out the full T&C's then go to:
Page 382
section 163
sub section 8
part iv
sub section 2
clause a
it clearly states
The person of the 3rd person is hereby notified of the person in the 1st person by way of section 86, sub section 12, sub sub section 15 clause D that the permitted use of data is subject to paragraph 83iiii where activities that meet section 181 where it does not conflict with section 14 unless exceptions as listed in Appendix R, part 15a, will be classed under the 4th person justification of authorisation by notification of the 3rd person relating to the 2nd person under section 199 subject to clause 23a part xiv of section 99 excluding conflict under the 5th person position against the 3rd person in accordance with section 118 of the codex of standardised field excavation operational impacts on clause 55 of section 87 of the 2nd person prioritised solution based incentivising of the 4th person except where prior exclusions apply where accompanied by supporting evidence in the agreed format according to Appendix V.
That should clearly let you know your position with regard to how we are able to use any data that becomes available to us.
It would be great to know if they have a special agreement with Google about having Google bot not scraping their endpoints.
Regular Joe cannot make Google bot to stop scraping. You can make it "ignore" the page, but it will still have to fetch it in order to see the "noindex" meta tag or a response header.
I suppose someone will be along to mention "robots.txt" very shortly.
But it occurs to me that "no robots.txt => implied consent for scraping" is somewhat along the lines of having to "opt out" (of scraping); rather than being the "opt in" model often preferred around here for many things.
Either way, I would doubt there is a lawsuit in it.
(1) Scraping of websites, as mentioned in the head comment, is a general term and not one that only applies to "all users phone numbers" (or indeed any other specific type of data on the website that you may consider of particular interest).
(2) A robots.txt might request that the site was not scraped (indexed). If Google was polite, then at the request of that file, Google might indeed *not* index (scrape) the content of the site.
(3) Therefore, a robots.txt might indeed stop "Google [...] scraping their websites without consent", always assuming google was well-behaved in this regard.
However, as pointed out, having to put in place an appropriate robots.txt to stop a (notionally well-behaved) Google from scraping is an opt-out process; and not one where the absence of robots.txt is taken by webcrawlers to mean "no content is to be indexed".
It's quite worrying how poorly educated Reg readers are.
What do you think is being indexed exactly? robots.txt tells search engine crawlers whether or not they should index content - content which is accessible to anybody, i.e. on public web pages - not behind a login or stored in a database that's otherwise inaccessible except for authorised/authenticated users. A Google bot cannot get around a login screen (hint: it doesn't have any credentials to enable it to log in!).
The only way that Google could "scrape" phone numbers - with reference to this story - is if there was a publically accessible web page (or pages) on Facebook which listed out individuals phone numbers. There isn't. To see somebody's phone number you have to be:
1. Logged in
2. Either a connection, or the user has set their phone number to "public", which isn't even the default setting.
In any case (1) still applies and a Google bot cannot index phone numbers on peoples Facebook accounts.
It really does concern me how Reg readers make posts like they know what they're talking about. Go and actually try it if you think otherwise. Google your phone number and see if there's anything on the domain facebook.com for it. (There won't be).
If you're going to be really pedantic about it indexing the names of people's profiles, there's even a setting in Facebook where you can stop search engines indexing your page.
Then I'll be able to sue them for no doubt having obtained my phone number and stored it without my consent via some of my friends contact lists, thus violating MY terms of service. And if Facebook didn't consult my terms of service before doing this, that's no defence, according to them.
I don't have an account nor have I ever. Yet, I note that I get "notifications" from FB about Friends Requests. People (allegedly) that I've never heard of in places I'm not familiar with are all from allegedly women. I suspect that this article explains it all. And not just email to my real addy but also some throwaway accounts. Maybe one of these days I should actually open an account and search myself there and see how many accounts are me?. Nah...that's just opening Pandora's box.
There are phone spamming software apps that work in a similar fashion like Truecaller, it too collects others phone numbers without their consent. In that they download your phone book and many thousands more to use as a database to inform you who is calling you up and if its a spam caller.
I just came across one with an answerbot which seems so hilarious https://www.youtube.com/watch?v=WNq_i7mmb2E
This issue with regard to contact sharing looks like it could benefit from the work Tim Berners-Lee is doing, as reported in TheRegister recently: https://www.theregister.com/2021/10/04/column_data_privacy/
I think this is about his work on the solidproject.org
ow where do I sign up to sue facebook for allowing my data to be stolen due to their incomitance and to get a cut of the money facebook gets from this thief that stole my data from facebook? I am the victim here and I and others should be the ones getting billions from both of them as we own the data stolen.
Your private information is very important to US. We don't want others to acquire it without paying us. Did not you read our Terms of Service? If you did read, and did not understand, you deserve to be spammed, scammed and swindled. That is why we change it all the time so the average trial lawyer cannot figure it out.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
