Fail Facebook Application

Fail Facebook Application (Photo credit: xalk).

Many articles have been penned in the last several years about privacy and personal data in the context of social networks. They usually focus on your own information — what you’ve read, liked, or commented on — and how easily others can access it.

Today, let’s think about how you don’t even have to actually be on Facebook in order to have it compromise your privacy. Via Slate:

When you join a social network, it usually asks if you’d like help finding friends who also use the service. It sounds like a nice offer — much easier than manually searching the site. So you click ‘yes,’ put check marks next to the people you want to follow, and go merrily on your way.

Congratulations: You’ve just donated all of your friends’ and colleagues’ email addresses and phone numbers to that social network’s internal database. If you’re lucky, its employees will treat your friends’ contact information with more respect than you just did.

But they might not. They might use it to blast everyone from your boss to your mother-in-law with text messages at 6 a.m., like the fledgling social network Path did to at least one user in April. Or they might do something more subtle: cross-check your contacts list against their internal database, adding phone numbers and emails that your friends had chosen, for whatever reason, not to associate with their account. They might even collect the emails and phone numbers of people who aren’t members at all. And if you’re really unlucky — or rather, if your friends are really unlucky — they’ll accidentally reveal those secret phone numbers and email addresses to everyone else in your friends’ networks. That’s what Facebook was doing for the past year, until the security research site Packet Storm pointed out the gaffe last week, and Facebook scrambled to fix the bug.

That “gaffe” was a data breach that compromised the accounts of at least 6 million users (at the time of this writing, there are reports I have yet to substantiate that indicate much larger numbers). Now think about the amount of data held in those accounts, including that of the users’ friends, which was being deliberately kept segregated from their own profiles.

Most Americans don’t seem to think much about the fact that their data is not 100% secure. Even further off your radar may be the thought that some of that sensitive info might make it onto those platforms because your friends are storing their personal info about you there. This is what is called a social media “shadow profile.” It consists of all the information about you that’s stored on Facebook’s servers but not revealed to anyone other than the people who uploaded it — not even you.

Will Oremus, author of the Slate article quoted above, uses just the right word for this: Kafkaesque. Even if you were aware that data — a private phone number, for instance — was being added to the shadow profile without your consent, you have no way to contest it.

Technically, once you gave your phone number or email address to your friends and they added it to their address book, it became their personal information, not yours. Once Facebook is granted access to that address book, it became their information as well. Since the data is “not yours,” any requests relating to it will be ignored. As Packet Storm sums it up, “Facebook feels that your friends should have more control over your data than you.”

From Facebook’s perspective, it’s a service. If they collate the data about you that other people enter, then they can allow people to find you even if they are searching with an address not associated with the account. Of course, I know many people who keep addresses completely separate from FB in order to prevent exactly that.

What makes this breach different is that we now know it involved non-users’ data. There are people who eschew Facebook and who never joined it. Due to the data harvesting, that creates shadow profiles on people who have never signed off on a usage agreement with the platform. People who, at present, have no real recourse since the information “belongs” to their friends, not them.

Packet Storm has noted that Facebook seems to be under-reporting the break and the amount of data that has found its way into the wild:

We asked Facebook what this means for non-Facebook-users who had their information also disclosed. The answer was simple — they were not contacted and the information was not reported. As a billion users upload their contacts, their associates on and off of Facebook will all become stored and correlated.

So, even if you are not a Facebook user, there is a good chance they have your private phone number, your email addy, and perhaps even your favorite color. What do you think of that?

George Williams
WordPress Image Lightbox