Facebook Data Use Policy email sparks security fear amongst some users

Graham Cluley

Has Facebook sent you an email about its data use policy?

Don’t feel too special – they sent it to an awful lot of people.

Here’s what you probably received, in an email entitled “Updates to Data Use Policy and Statement of Rights and Responsibilities”:

Facebook data policy email.

In case you’re still unsure – that is genuinely an email from Facebook.

Yes, Facebook has just given its one billion (and counting..) users seven days to comment on a change it is making to its data use policies.

That’s correct. You’ve only got until November 28th if you wish to respond. I’m sure that the fact Facebook has chosen to do this across a major US holiday is purely an unfortunate coincidence rather than a deliberate timing decision.

One of the company’s planned changes is to change the way it handles future changes to its data use policy (which explains how the site collects and uses data about you). Facebook says it wants to ditch user voting in favour of requesting feedback in the form of comments from users.

Additionally, as The Telegraph explains, the proposed new data use policy would allow Facebook to use data “from our affiliates or our advertising partners.. to tell us information about you” and “improve the quality of ads.”

Part of Proposed Data Use Policy Redline

In all likelihood, this is part of Facebook’s plan to build up a more precise picture of its many users, targeting advertisements better, and using data not only from its own site but recently acquired companies such as Instagram.

“I’ve received an email from Facebook. Is it a scam or a virus?”

Some people are so used to being bombarded with bogus and malicious emails claiming to come from the likes of Facebook, LinkedIn and Twitter that they don’t believe the legitimate communications they receive any more.

It’s unfortunate that this latest legitimate email from Facebook, which is being sent to over a billion email accounts around the globe, has caught some social networking users off-guard.

In fact, Naked Security has received queries from readers who are worried that the email could be a phishing attack, or an attempt to infect their computers with malware.

Take this example from “Laura” (we’ve obscured some details to protect her identity):

Reader's question to the Naked Security team

Not sure what I'm reporting but myself and loads of others on FB have received emails from FB about "Data use policy"
I never opened mine but deleted it.
Is it a scam or a virus?
Have you received other complaints about it?
I see below you want URL etc, but a bit nervous to open the link to copy for you

Laura, although it would be perfectly possible for a malicious hacker to spam out a message pretending to be from Facebook, and they could even ape its wording, look-and-feel etc, I suspect that you’ve received the real thing.

Maybe if Facebook wants more users to respond and give feedback on the changes to its data use policy, it should display a message as users log into the site. That would, at the very least, go some way to reassure them that the emails are legitimate.

And, of course, it may encourage more feedback from users regarding the changes. As I imagine that’s what Facebook wants, right?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
