Sounds like Facebook’s got enough, intentionally or unintentionally, holes to qualify as Swiss Cheese. I’m not sure what’s worse: unintentional holes or the ones created for the government to spy on. As a writer, I loathe the idea of limiting the right of free speech, which I’m afraid is really happening here.
Anger mounts after Facebook’s ‘shadow profiles’ leak in bug
Summary: Facebook said Friday it fixed a bug that exposed contact info for over six million accounts. The admission revealed its ‘shadow profile’ data collection activities, and users are furious.
By Violet Blue for Zero Day | June 23, 2013 — 01:54 GMT (18:54 PDT)
Friday Facebook announced the fix of a bug it said inadvertently exposed the private information of over six million users when Facebook’s previously unknown shadow profiles accidentally merged with user accounts in data history record requests.
According to Reuters, the data leak spanned a year beginning in 2012.
The personal information leaked by the bug is information that had not been given to Facebook by the users – it is data Facebook has been compiling on its users behind closed doors, without their consent.
A growing number of Facebook users are furious and demand to know who saw private information they had expressly notgiven to Facebook.
Facebook was accidentally combining user’s shadow profiles with their Facebook profiles and spitting the merged information out in one big clump to people they ‘had some connection to’ who downloaded an archive of their account with Facebook’s Download Your Information (DYI) tool.
According to the admissions in its blog, posted late Friday afternoon, Facebook appears to be obtaining users’ offsite email address and phone numbers and attempting to match them to other accounts. It appears that the invisible collected information is then being stored in each user’s ‘shadow profile’ that is somehow attached to accounts.
Users were clearly unaware that offsite data about them was being collected, matched to them, and stored by Facebook.
Looking at comments on Facebook’s blog and community websites such as Hacker News, Facebook users are extremely angry that the phone numbers and email addresses that are not-for-sharing have been gathered and saved (and now accidentally shared) by Facebook.
Facebook stated in its post yesterday that the bug was resolved, but Facebook users are telling a different story today in the comments.
One man commented this afternoon, “I just downloaded the “extended backup” and I’m still viewing emails and phone numbers that are NOT PUBLIC!!!!”
Facebook explained in its post that the bug shared information about a user that had been scraped from a source other than the personal data the user had ever entered into Facebook about themselves.
The action of the bug is that if a user downloaded their own Facebook history, that user would also download email addresses and phone numbers of their friends that other people had in their address books, without their friends ever knowing Facebook had gathered and stored that information.
This data is being gathered by Facebook about individuals through their friends’ information about them – harvested when a user grants Facebook address book or contact list access.
Facebook did not specify which app or contact database tool was utilized when collecting and matching offsite-sourced data about users.
The social network said that it was harvesting and matching the offsite-sourced data to user profiles – creating these shadow profiles – “to better create friend suggestions” for the user.
Facebook users are deftly reading between the lines. One commenter on Hacker News observed wisely,
The blog says the fix was made in the DYI tool. That means they would continue to maintain “shadow profiles”, but would stop letting others know that FB has a shadow profile on you.
Facebook’s post downplays the significance of the data breach by telling users that while six million accounts were exposed, very few people saw the personal phone and email data because it could only be seen when a user downloaded their Facebook history.
The social giant assured users their shadow profiles were shared only with Facebook users they were somehow connected to,
if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.
Facebook did not specify in its post what is meant by “somehow connected to” and comment speculation is attempting to fill in the gaps.
According to Reuters, who spoke with a Facebook representative, the data was being exposed in this manner for about a year.
What the revelation means is that Facebook has much more information on us than we know, it may not be accurate, and despite everyone’s best efforts to keep Facebook from knowing our phone numbers or work email address, the social network is getting our not-for-sharing numbers and email addresses anyway by stealing them (albeit through ‘legitimate’ means) from our friends.
The yearlong gap of exposure as described by Reuters creates a scenario of horrifying possibilities for any woman who has begin to experience harassment, abuse or stalking by an ex within the past year. Or, anyone being maliciously stalked and harassed by a tech-savvy aggressor (or a stalker’s Facebook sock puppet) they may have accidentally friended over the past year.
This could be remedied and harm would be greatly reduced if Facebook addressed and answered the growing demands of its users to know who has seen their non-Facebook private data.
What it means for me is that even though I’ve been very careful not to give my phone number to Facebook or the men in my “friends,” the guys I’ve ‘friended’ might have gotten my phone number anyway, regardless of my consent. I did not know they may have been able to get my phone number throughout the course of a year, and now I have no way of finding out who might have gotten my phone number.
I am glad I’ve never used a Facebook app or allowed Facebook access to my contacts in any way whatsoever. (Yay paranoia.) The private numbers and emails of my friends and colleagues should remain exactly that: private.
Facebook has officially stated that it does not know of any malicious use derived from the bug.
This appears to be the first time Facebook has publicly admitted that users’ shadow profiles contain more than native data (such as posts or information you deleted but are retained by Facebook) and also contain data that Facebook has harvested.
Meanwhile, anger continues to rise on the Facebook post, and as of this writing there are no representatives from Facebook in the comments to quell the storm.
Topics: Security, Data Management, Privacy