SAN FRANCISCO — The New York State attorney general’s office plans to open an investigation into Facebook’s unauthorized collection of more than 1.5 million users’ email address books, according to two people briefed on the matter.
The inquiry concerns a practice unearthed in April in which Facebook harvested the email contact lists of a portion of new users who signed up for the network after 2016, according to the two people, who spoke on condition of anonymity because the inquiry had not been officially announced.
Those lists were then used to improve Facebook’s ad-targeting algorithms and other friend connections across the network.
The investigation was confirmed late Thursday afternoon by the attorney general’s office.
“Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data,” said Letitia James, the attorney general of New York, in a statement. “It is time Facebook is held accountable for how it handles consumers’ personal information.”
Facebook said the unauthorized practice, first reported by Business Insider earlier this month, was “unintentional,” a mistake resulting from a method the company once used to verify the identity of new users that required sending Facebook your email password. Though that practice — which security experts said left users vulnerable to identity theft — ended in May 2016, Facebook continued to gain access to the email address books of at least 1.5 million new users.
Users were not notified that their contact lists were being harvested at the time. Facebook shuttered the contact list collection mechanism shortly after the issue was discovered by the press.
Facebook said it was in touch with the attorney general’s office and was responding to questions about the issue.
The attorney general’s investigation will focus on how the practice came about, and whether or not the email contact collection spread to hundreds of millions more people across the social network, according to the two people. Nearly 2.4 billion people use Facebook each month, with 1.56 billion people visiting the site at least once every day.
The investigation comes on the heels of a difficult year for the social networking giant, which has been rocked by a series of scandals regarding how it handles user data and privacy. In March 2018, The New York Times reported how a third-party political firm, Cambridge Analytica, harvested and exploited the personal information of millions of Facebook users.
Last fall, Facebook announced it had fallen victim to the largest data breach in the company’s 15-year history, exposing the accounts of tens of millions of its users. And more recently, Facebook admitted it had stored the passwords of hundreds of millions of its users in “plaintext,” a security practice frowned upon by industry experts.
The attorney general’s action is the latest in a string of such moves by lawmakers and regulators, many of which have set their sights on Big Tech over the past two years. In December, the attorney general of the District of Columbia sued Facebook for its role in the Cambridge Analytica scandal and for its failure to protect the privacy of its users.
And on Wednesday, Facebook announced it expected to pay a fine of up to $5 billion to the Federal Trade Commission for its privacy violations, the biggest penalty ever imposed by the agency on a technology company. It was the latest sign that Washington, after years of ignoring the growing power of Silicon Valley, is taking tech regulation more seriously.