Facebook learned it will face yet another probe into its data practices on Thursday when the New York state attorney general’s office announced it will investigate the social media company’s unauthorized harvesting of more than 1.5 million users’ email address books. Facebook, it was discovered in April, had been slurping up contact lists of new users without their knowledge or consent. The practice reportedly began in May 2016 and appears to have continued up until it was reported on in the media earlier this month.
Facebook was able to access the contact lists by prompting certain new users to enter the password to their personal emails accounts, as a means of identification verification the company said, but would then simply import all of the users’ contacts. The company then used the data to target ads and other services to the users. When Business Insider broke the story last week about the surreptitious data collection, Facebook said the contact data was “unintentionally uploaded to Facebook” and that it would delete it. The company has said it didn’t access any of the content in the users’ emails, but Facebook has a pretty serious credibility problem at this point.
“While 1.5 million people’s contact books were directly harvested by Facebook, the total number of people whose contact information was improperly obtained by Facebook may well be in the dozens or even hundreds of millions, as people sometimes have hundreds of contacts stored on their email accounts,” Business Insider reported last week. “The spokesperson could not provide a figure for the total number of contacts obtained this way.”
The New York attorney general’s investigation is the latest in a string of inquiries into the company’s data and privacy practices. Facebook told investors yesterday it expects a $3 billion–$5 billion fine from the Federal Trade Commission for privacy violations revealed during the Cambridge Analytica scandal. Also, the Financial Times reports, “earlier on Thursday, Irish regulators announced a new privacy probe into the company, while Canadian regulators published a report saying it had breached local privacy laws.”