Facebook wants to "normalize" the idea that large scale scraping of user data from social networks like its own is a common occurrence, as the company continues to face fallout from a leak of over 500 million Facebook users' phone numbers.
Facebook's position came to light in an internal email accidentally sent by a Facebook representative to a journalist at Dutch publication DataNews. Facebook confirmed the authenticity of the email to Motherboard.
Under the heading "LONG-TERM STRATEGY," the email reads that "Assuming press volume continues to decline [around the recent 500 million phone numbers leak], we're not planning additional statements on this issue. Longer term, though, we expect more scraping incidents and that it's important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly." The email adds that Facebook is planning to publish a blog post that talks about the company's anti-scraping work.
"While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact this activity is ongoing and avoid criticism that we aren't being transparent about particular incidents," the email adds.
Do you work at Facebook, or know about another data breach? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
In January, Motherboard reported on a Telegram bot that offered to sell the phone number linked to specific Facebook users, and claimed to have an underlying database of 500 million accounts. It included the phone number of someone who deliberately takes steps to try and keep that information private, Motherboard found. In March, a data trader then dumped that dataset on a low-level hacking forum, Business Insider reported. The 500m dataset was created by attackers exploiting an issue with Facebook's address book contacts import feature.
Facebook faced criticism for downplaying the severity of the leak, with Facebook executives describing the data as "old" because it dated from 2019. As far as personal data is concerned, phone numbers are often one piece of information that people retain for years if not decades.
"Publications have offered more critical takes of Facebook's response framing it as evasive, a deflection of blame and absent of an apology for the users impacted," the internal Facebook email continues.
In a statement, a Facebook spokesperson told Motherboard that “It shouldn’t surprise anyone that our internal documents reflect what we’ve said publicly. As LinkedIn and Clubhouse have shown, data scraping is an industry-wide challenge which we are committed to tackling and educating users about. We understand people's concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it."
The LinkedIn dataset included names, email addresses, and phone numbers. The Clubhouse cache contained data such as which user invited another to the platform.
Subscribe to our cybersecurity podcast CYBER, here.