Firm: Facebook's shadow profiles are 'frightening' dossiers on everyone

Summary: The security researchers who found Facebook's 'shadow profiles' bug have rung the alarm that Facebook is compiling "frightening" dossiers on everyone possible.

Facebook's shadow profile data collection activities came to light Friday when the social network disclosed a bug fix.

The security researchers who found the vulnerability, Packet Storm Security, say Facebook is compiling "frightening" dossiers on everyone possible, including people without Facebook accounts. 

Last week, Packet Storm discovered Facebook's vulnerability and contacted Facebook.

After extended dialogue with Facebook, the researchers were compelled to reflect that, "The issue itself was not built with malice in mind; it was simply an oversight. The significance of what it unearthed is the real problem that still remains."

Since 2012, Facebook had unintentionally combined users' shadow profiles with their Facebook profiles and shared the combined data with those users' friends who used Facebook's Download Your Information (DYI) tool.

If only Facebook had explained the bug as clearly as Packet Storm in its post Facebook: Where Your Friends Are Your Worst Enemies:

When you open the downloaded archive, there is a file inside called addressbook.html. This file is supposed to house the contact information you uploaded.

However, due to a flaw in how Facebook implemented this, it also housed contact information from other uploads other users have performed for the same person, provided you had one piece of matching data, effectively building large dossiers on people.

In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information.

It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.
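To make the mechanism in the excerpt concrete, here is an added example (not Facebook's or Packet Storm's code) that models the address-book export in a few dozen lines of Python. The uploader names, the contact records and the field names `name`, `email` and `phone` are all constructed for the example. The flawed export starts from the requester's own contacts and keeps absorbing any other user's upload that shares a single identifier with what it has gathered so far; because the matching is transitive, a phone number the requester never uploaded arrives through a third party's entry. The scoped export beside it returns only what the requester actually uploaded, which is what the file was "supposed to house."

```python
# Added example (not Facebook's or Packet Storm's code): a toy model of the
# Download Your Information address-book export, showing how merging other
# users' uploads on one matching identifier turns one contact into a dossier.

from collections import defaultdict

# Fields treated as identifying; a match on any one of them links two uploads.
IDENTIFIER_FIELDS = ("email", "phone")

# Constructed sample uploads: (uploading user, contact record). Three different
# users each uploaded a partial entry for the same person.
UPLOADS = [
    ("alice", {"name": "Carol Smith", "email": "carol@example.org"}),
    ("bob",   {"name": "C. Smith", "email": "carol@example.org", "phone": "+1-555-0100"}),
    ("dave",  {"name": "Carol", "phone": "+1-555-0100", "email": "carol.work@example.net"}),
]


def merge_records(records):
    """Fold a list of contact records into one {field: sorted values} dict."""
    merged = defaultdict(set)
    for rec in records:
        for field, value in rec.items():
            merged[field].add(value)
    return {field: sorted(values) for field, values in sorted(merged.items())}


def identifiers(rec):
    """The (field, value) pairs of a record that count as identifying."""
    return {(f, rec[f]) for f in IDENTIFIER_FIELDS if f in rec}


def export_addressbook_flawed(requester, uploads=UPLOADS):
    """Model of the flawed export: begin with the requester's own uploads, then
    keep pulling in any other user's upload that shares one identifier with the
    data gathered so far. Matching is transitive, so data reachable through a
    chain of other people's uploads ends up in the requester's archive."""
    included = [i for i, (who, _) in enumerate(uploads) if who == requester]
    known = set()
    for i in included:
        known |= identifiers(uploads[i][1])
    changed = True
    while changed:
        changed = False
        for i, (who, rec) in enumerate(uploads):
            if i in included or who == requester:
                continue
            if identifiers(rec) & known:
                included.append(i)
                known |= identifiers(rec)
                changed = True
    return merge_records([uploads[i][1] for i in included])


def export_addressbook_scoped(requester, uploads=UPLOADS):
    """Fixed export: the archive contains only what the requester uploaded."""
    return merge_records([rec for who, rec in uploads if who == requester])


def leaked_fields(requester, uploads=UPLOADS):
    """Values present in the flawed export but absent from the scoped one,
    i.e. the third-party data the requester should never have received."""
    flawed = export_addressbook_flawed(requester, uploads)
    scoped = export_addressbook_scoped(requester, uploads)
    leaked = {}
    for field, values in flawed.items():
        extra = set(values) - set(scoped.get(field, []))
        if extra:
            leaked[field] = sorted(extra)
    return leaked


if __name__ == "__main__":
    print("flawed :", export_addressbook_flawed("alice"))
    print("scoped :", export_addressbook_scoped("alice"))
    print("leaked :", leaked_fields("alice"))
```

Running it for `alice`, who uploaded one public email address, shows the flawed export handing back a second email address, two alternative names and a phone number from other people's uploads, matching the "one public email address could reap a dozen additional pieces" observation in the excerpt. The defensive point is the scoping: an export tool must filter on the requesting user as the owner of the rows, never on identifiers that happen to match across owners.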

Most people who found out they have a 'shadow profile' with contact info they never gave to Facebook - such as telephone numbers - were surprised and angry.

Facebook responded Sunday pointing to a page on its address book email collection policy and emphasizing that the data is uploaded voluntarily by people the users know.

The real alarm rose when Packet Storm began to comprehend what this meant for the individual user - and what happened when the security researchers approached Facebook with its concrete fears:

The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening. The questions we asked were very to the point but carefully constructed to reflect an equal balance between usability and user safety.

(...) Our first question asked that, in the name of common decency and privacy, would Facebook ever commit to automatically discarding information of individuals that do not have a known Facebook account? Possibly age it out X days if they don't respond to an invite due to a friend uploading their information without their knowledge?

Their response was essentially that they think of contacts imported by a user as the user's data and they are allowed to do with it what they want.

To clarify, it's not your data, it's your friends'. We went on to ask them if Facebook would commit to having a privacy setting that dictates Facebook will automatically delete any and all data uploaded about me via third parties ("friends") if it's not in scope with what I've shared on my profile (and by proxy, is out of band from my privacy settings)?

We were basically met with the same reasoning as above and in their wording they actually went as far as claiming that it would be a freedom of speech violation.

Standing on its policy, Facebook is refusing to allow users to have control over their own personal information.

Facebook policy in this area is that your data is not yours; it belongs to your friends, and by its rules your friends - or merely people you know - have more control over your data than you do.

Packet Storm praised Facebook for acting swiftly to patch the bug.

The security company emphasized that it is not Facebook security that is broken, but instead it is Facebook policy that is broken, and their disclosure is not meant to cast a negative light on the company.

Packet Storm remarked, "It was clear that Facebook attacked the disclosure flaw properly, but concerns still remain about the fact that dossiers are being built on everyone possible."

"You can run, but you can't hide"

Right now commenters across the Internet will be saying, "Don't join Facebook" or "Delete your account." But it appears that we're subject to Facebook's shadow profiles whether or not we choose to participate.

I feel like we're only beginning to understand why Facebook's data is so very valuable to advertisers, governments, app makers and malicious entities.

Packet Storm wrote,

It is now publicly known that Facebook has all of this correlated information (or if it's not now, it can be) and everyone (read: governments and criminals alike) are going to aim for it, whether legally or illegally.

Facebook claims they will not disclose this additional information to the government when requests are received, but it still has the world's largest target painted on it asking for trouble.

Packet Storm thinks legislation is the answer. "What we need are governments to enact legislation that forces the hand, but given recent news items in the United States, it is clear that not all governments are making this a top priority."

We are well aware right now that our laws are woefully inept when it comes to keeping up with data privacy.

Some of us hope that this is an oversight that will be corrected.

There are no protections against shadow profiling. Just like with so-called "people search" websites, we have no legal mandates with which we can identify and remove our information from their systems, no protections that guarantee an opt-out, and no recourse other than to say "no."

Let's hope that Facebook policy listens to the anger and fear they're inspiring right now, and that it means something.

Because if there was ever a time Facebook needs to do the right thing, it's now.

Topics: Security, Data Management, Government US, Legal, Privacy

Talkback

69 comments
  • TOO FUNNY!

    Still enjoying Farcebook kids?

    Zuckerberg...the little snot...has NEVER been concerned with ANYONE'S privacy. Except his own, of course.

    I've said it a million times...if people are STUPID enough to put personal data on ANY asinine social network...then be prepared to deal with the consequences, when it gets accessed by people you do not want to have access to it.
    IT_Fella
    • From the sounds of it, it doesn't matter if you belong to a social network

      But, your friend does, or your sister does, or your son does, or your co-worker does, and people you've met once at a party belong too. Your profile is there, even if you are not.

      I don't see what grants Facebook the right to invade the privacy of people's lives, more than another company. I'm actually surprised that Facebook isn't partially funded by the American government. They seem to like to watch everyone illegally, even though they say "It's for your safety". Anyway Bad Facebook.
      bill.tkach@...
      • their logic is

        It's the user's phone book data. We won't delete it. If you sync your Android address book to Google, should Google delete your data because it has someone's email address in it?
        LarsDennert
        • The difference is that Google doesn't share it (as much)

          Violet Blue's contention that Facebook's policy is "your data is not yours" is incorrect. It's more accurately described as "information about you *that's created by others* is not your data."

          I reluctantly have to agree, but problems arise when the data repository, in this case Facebook, defaults to sharing most data.
          Spatha@...
          • Re: The difference is that Google doesn't share it (as much)

            How do you know that?
            danbi
      • Look up the amount of corporate welfare Facebook gets...

        http://www.southernstudies.org/2012/02/facebooks-dubious-social-mission.html

        Or search words like "facebook-the-coolest-cutest-corporate-welfare-queen-of-them-"
        HypnoToad72
      • The Worm Girds The Earth

        "Some of us hope that this is an oversight that will be corrected." -- V.B.

        I'm holding out hope that I'll wake up tomorrow hung like Sean Michaels. I'm not sure which of us is more deluded.

        "I don't see what grants Facebook the right to invade the privacy of people's lives, more than another company." -- bill.tkatch

        Nothing does. They're engaged in a power struggle. The lives of untold generations hang in the balance. If you're inclined to Pollyannaism, then comfort yourself with not-so-Grimm fairy tales.

        "I'm actually surprised that Facebook isn't partially funded by the American government. They seem to like to watch everyone illegally, even though they say 'It's for your safety'." -- bill.tkach

        It's adorable that you imagine that there's any longer any difference. Had you been paying closer attention, you'd realize that both this President and the last are 'counseled' by Goldman Sachs, as is the Fed. The leaders of the junior 'member' nations of the old Warsaw Pact were no less window dressing than are our own 'Dear Leaders'.

        Ouroboros tightens its grip with our every frantic breath. Next, Google Glass. Then, nano-RFI. (In the fiber of your clothing and the food that you eat.)
        jack_sprat2
        • is this the Jack who created twitter??? Sure sounds like you! :)

          Yes, the negativity is full force on this site & lucky I stopped by to offer some light & truth! Obviously Facebook has made strides for public privacy & protection by filing against NSA. Does it make you feel better to attempt to discredit & degrade the worthy? It will destroy you if you continue on like this, for it's not healthy nor fair.
          A smart girl!
    • It's not the personal data I put there

      It's the personal data about me that somebody else puts there. The point is I/you/nobody can control the personal data about ourselves used by other people and stored by Facebook. You can ask that your phone number not appear in the phonebook and it won't but if your friend stores your name and phone number in Facebook, even if you don't have an account, it ends up in a shadow profile about you. That's very powerful.
      djp64
    • The nasty comments are not becoming of you, nor does anyone want to hear it

      IT_Fella, obviously you are not a happy person, so sorry to hear it. First off, Zuckerberg is awesome! Second, I love posting everything public & I only use Facebook since it captures all my needs in one comprehensive, safe, unparalleled network which has stood the test of a decade & will triple its users in the blink of an eye. I've connected with family all over the world which I'm so grateful for. They continually make advancements on FB & I'm grateful for that kind of dedication & expertise. If you're really an IT guy, then I'm beyond shocked you cannot give a super smart guy a pat on the back for his creations & leading the mission of making a better world! I post publicly to everyone, not just my 3K friends, since I actually want people to hear the kind things I speak of. I hope you can follow my lead. I've also made quite a bit of progress in my business and personal life by using the resources FB offers like sponsoring ads for $6.99 only! I like that I can donate to charities and world relief funds all in one place & then buy goods cheaper than I can get at the store, saving & earning money. I guess you're looking at it through dirty glasses, for the truth is much better than you're expressing; please refrain from the negativity because it hurts you more than anyone!
      A smart girl!
      • it's great to discover such a happy idiot!

        Listen girl, when it comes down to it, ALL YOU HAVE is your privacy. Everything else can be taken away from you.
        Value it!
        pikeman666
    • HELLO, FACEBOOK FILED AGAINST NSA FOR OUR PRIVACY RIGHTS!!!

      & won
      A smart girl!
  • What a moronic comment

    You sir, are exactly why this country is not Switzerland, and needs gun control, if only for you alone.
    And FYI, a few murders would not stop Facebook.
    Moron.
    .DeusExMachina.
    • Huh?

      (nt)
      fairportfan
      • Apparently the post to which I replied was pulled

        .DeusExMachina.
  • NSA vs Facebook

    Wonder who is the dodgiest organization - The NSA, CIA or Facebook.

    Guess the NSA/CIA, as Facebook do not carry out extraordinary rendition. Well, not yet anyway - LOL
    neil.postlethwaite
    • The NSA

      The NSA is supposed to support and defend the Constitution of the United States. Facebook isn't under any such obligation. So at least Facebook is somewhat more honest about it.
      Dr_Zinj
    • Tips of a single iceberg

      Don't assume that under the sheets there is actually any line of delineation between any of these organizations. You need to add Google to the fold as well. Do you think that these kids really built these companies without help? Who funded Google's amazing rise to fame from behind the scenes? I'll let you all figure that one out. All of those servers didn't just materialise out of thin air in the early days when it was just getting going.
      Astringent
      • Who helped, um, not the NSA

        .DeusExMachina.