PogoWasRight.org

Menu
  • About
  • Privacy
Menu

From the “No good deed shall go unpunished and why is Facebook getting away with this” edition….

Posted on May 27, 2024May 27, 2024 by Dissent

“JLT” is not happy with Facebook. Not at all. The independent researcher from the EU contacted me to ask, “Hey I just found out something and you know way more than me about US law so maybe you can help me with this: isn’t it illegal for a company to not allow you to unsubscribe from their email listing? Like this “unsubscribe” doesn’t work:

This message was sent to [redacted]. If you don't want to receive these emails from Meta, please unsubscribe.

“What do you mean, it doesn’t work? The link doesn’t lead anywhere, or you submit it but haven’t been unsubscribed?” PogoWasRight asked.

JLT replied:

Well I created a FB account to try and msg a company. Since I created it with a VPN, as soon as it registered, the account got hit with captcha. After I fought the captcha for 5 minutes because of my VPN IP address, it asked for my email code confirmation. So I input that and got that welcome to FB email and then my account got instantly suspended.

I tried unsubscribing from the email list until the account gets deleted in 180 days but I get this instead:

Upload a verification selfie. Upload a photo that clearly shows your face. Make sure that the photo is well-lit and isn't blurry. We'll store an encrypted copy of your selfie for up to 1 year to improve our ability to detect fake photos, keeping Facebook safe from impersonation. Change how long we store your selfie for. Learn more.

By now, PogoWasRight was thoroughly baffled. As someone who doesn’t have a Facebook account, it was not obvious why it should take 180 days to delete an account or how they can demand biometric data like a facial picture to delete an account they suspended when the user wanted an account.

The message JLT received demanded a “verification selfie” that would clearly show his face — a selfie that they would then keep for up to a year to help them train themselves to detect fake photos unless he tried to change the length of time.

There seemed to be no option for him not to provide a selfie if he wanted the account deleted.

Not only were they demanding a selfie to delete the account in 180 days, but they were also demanding a selfie if he tried to get them to unsuspend his account.

The only reason JLT had tried to open a FB account was to reach a FB user to alert them that they had an exposed server leaking personal information. Not only did he wind up unable to use FB to contact the leaking company, but now FB seemed to have him trapped, unable to delete himself unless he turned over more personal information on himself.

“Pretty sure this shit shouldn’t be legal lol,” JLT muttered. “Basically they are holding my email hostage until I provide a picture of me? ”

Not to go down without a fight, JLT wrote to Facebook’s data protection office:

Hello, I’m reporting what I believe is a privacy violation of users. I tried registering an account to contact a company about a server they have with exposed data and used my VPN to register, after going through a captcha to verify I wasn’t a bot and confirming my email with the 6 digit code I got a welcome to facebook email and at the same time got my account instantly suspended.

I tried unsubscribing from the email listing so I don’t get spam while I wait for the account deletion in 180 days and the unsubscribe link redirects me to a page asking me to upload a photo with my face that facebook will hold onto for a minimum of a month up to a whole year.

Why do I need to provide a photo of my face to remove my email from your listing, are we holding peoples emails hostage until they provide private data to facebook?

The following was Facebook’s non-responsive response to JLT:

“Guess I’ll try Ireland data protection commission now,” JLT told us.

We hope they respond to him.


A previous version incorrectly located JLT in the UK. It was corrected to read EU.

Related posts:

  • “We would be less confidential than Google” – Proton threatens to quit Switzerland over new surveillance law
Category: Blog

Post navigation

← Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research
White House Publishes Steps to Protect Workers from the Risks of AI →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • Flightradar24 receives reprimand for violating aircraft data privacy rights
  • Nebraska Attorney General Sues GM and OnStar Over Alleged Privacy Violations
  • Federal Court Allows Privacy Related Claims to Proceed in a Proposed Class Action Lawsuit Against Motorola
  • Italian Garante Adopts Statement on Health Data and AI
  • Trump administration is launching a new private health tracking system with Big Tech’s help
  • Attorney General James Takes Action to Protect Sensitive Personal Information of Tens of Millions of People
  • Searches of Your Private Data in the Cloud Amount to Illicit State Action

RSS Recent Posts on DataBreaches.net

  • Are Scattered Spider and ShinyHunters one group or two? And who did France arrest?
  • Why we shouldn’t just repeat ransomware groups’ claims, Sunday edition
  • Aftermath: More than 99% of providers opted to have Change Healthcare notify patients of its massive data breach
  • Qilin Ransomware Affiliate Panel Login Credentials Exposed Online
  • HCA Healthcare settled two lawsuits this week; one was over its 2023 data breach
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy