Is Facebook phishing for email passwords?
There are really only two rules for keeping an email account secure: choose a strong, unique password and don’t share that password with anyone else. Follow these two rules and you dramatically reduce your chances of being hacked. If you do share your password, you have lost control of it. It’s as simple as that. Even if you trust the person you have given it to, and made them promise really, really hard that they won’t tell anyone else, there is nothing you can do to stop them, and nothing that lets you tell their logins apart from your own.
So why is Facebook asking me for my email account password?
I have recently re-joined Facebook after deleting my old account some four years ago. My old account was such an unholy mess of personal and professional that the thought of untangling it all seemed to be more trouble than it was worth, hence the nuclear option.
Now I’m back, I find that Facebook hasn’t changed much at all. Old friends are easy to find and there is the snowball effect that for each friend request I send, I receive many more requests in return.
One thing that is new, or at least something I’d never seen before, is the option to have Facebook scrape the contact list of my email account for people I know, who will then automatically be sent friend requests on my behalf. What a great tool!
But wait. The only way Facebook offers to access this contact list is if I hand over the password to that account. That’s worth repeating: Facebook is asking for the password to my email account so that they can log in as me, scrape my address book and match any emails gathered to other users on Facebook. A password is not a scoped credential: whoever holds it can read and send mail, reset passwords on every other account tied to that address, and do so long after the address book has been copied. Asking for it is not the behaviour of a legitimate company, but of a crook phishing for user data to exploit for fraudulent activities.
But we know that Facebook aren’t the bad guys
I’m not suggesting that Facebook is trying to steal my identity or commit fraud in my name. The truth is, they don’t need to. That type of activity is small-time stuff compared to selling the personal information of users to advertisers. I know how the cliché goes: if the service is free, I am the product and I will be sold to the highest bidder. But I’m happy with that, right? I know how Facebook works. I know the deal I’ve entered into: I hand over personal information; they provide a free service that I find useful.
However, asking me to hand over a password goes beyond a reasonable request for information and Facebook knows this. They know the risks and dangers of revealing passwords, even if their users may not. Don’t believe me? Well, such activity is not allowed under Facebook’s own Ts&Cs. That’s right, you are forbidden from sharing your Facebook password with anyone.
The reason for this should be obvious: if someone has the password to your Facebook account, they are effectively impersonating you. So you give a friend your password so they can update your profile, post a pic, whatever, and no harm appears to have been done. If they access your account again, though this time without your consent, that is unauthorised access to a computer system, which is a criminal offence in most jurisdictions, and anything they do while logged in looks, to Facebook and everyone else, like you.
What this means is that your Facebook and email passwords are as much a part of your identity as anything else you share online. Yet Facebook only care to protect the one and are happy to compromise the other.
Yeah, but who reads the Ts&Cs anyway? And Facebook is unlikely to enforce that rule. Well, probably not. But what about your email provider? They also have Ts&Cs that you’ve probably not read, but you can guarantee they’ll have something in them about your responsibility for keeping your password secure, and handing it to a third party may well void any protection you would otherwise have had if the account is later abused.
What’s the harm?
Who would be happy for advertisers to know which medical companies they’ve contacted or what medical products they may have bought? How about how often they’ve contacted their GP or local MP? What about political parties? What about that dating agency they secretly joined (If you are on Facebook and cheating on your partner, then Facebook probably already knows)? What about the newsletters from any pro/anti pressure groups? All that online shopping generates a lot of useful information about buying habits, too.
Many people may not care about sharing potentially sensitive information such as this; after all, much of what used to be private is now shared freely online anyway. So clearly this isn’t the issue. The issue is that, if a password isn’t changed immediately afterwards, anyone using this service has lost control of their email account regardless of how benign Facebook’s intentions may be.
At the time of writing, 50% of my friends had used this service. That’s half of my friends who have knowingly compromised the security of their email accounts, and this points toward a bigger issue: Facebook are normalising insecure behaviour online, which in turn makes it easier for criminals to harvest passwords through phishing attacks. When a genuine phishing attack is encountered (ironically, this may well be on Facebook itself), people have been conditioned to be more trusting of requests for such information.
In this way, Facebook are no longer neutral providers of a service, but actively involved in a hostile action that will result in a less secure online environment for everyone. Worse still, Facebook is using people’s friends, who it assumes are trusted, to endorse this really dodgy service.
Also, I don’t know how it works and, more importantly, how it’s limited. The text that reads, “See how it works” in the image above, isn’t a link to more information (at least it isn’t with my setup of Chrome 48.0.2564.116 for Mac). Searches for more information on the service have also drawn a blank. This has left many questions unanswered:
- How long does Facebook store the password?
- Is it stored encrypted or in plain text? (Note that it cannot be hashed like a normal login password: if Facebook needs to log in to the mailbox again, the password must be kept in a recoverable form.)
- Is the processing of the scraped data performed by Facebook’s algorithms, or can a human access it too?
- At what interval is the address book scraped for new contacts?
- Are they scraping the email subject line?
- Are they scraping the email body text?
- Do they measure the frequency that messages are sent and received to each contact?
- If an email address isn’t associated with a Facebook account, is it then deleted from Facebook’s servers?
- If multiple email addresses are associated with a single Facebook user, are these also stored against that account?
Should I give Facebook my email password?
No, of course you shouldn’t. You shouldn’t give a password to anyone. Will you, though? Probably. If you do, you should change that password immediately, check your email account’s recent activity or connected sessions page for logins you don’t recognise, and remember that any address-book data already copied is gone regardless.