Facebook's shadow profile data collection activities came to light Friday when the social network disclosed a bug fix.
The security researchers who found the vulnerability, Packet Storm Security, say Facebook is compiling "frightening" dossiers on everyone possible, including people without Facebook accounts.
Last week, Packet Storm discovered Facebook's vulnerability and contacted Facebook.
After extended dialogue with Facebook the researchers were compelled to reflect that, "The issue itself was not built with malice in mind it was simply an oversight. The significance of what it unearthed is the real problem that still remains."
Since 2012, Facebook had unintentionally combined user's shadow profiles with their Facebook profiles and shared it with those users' friends who used Facebook's Download Your Information (DYI) tool.
If only Facebook had explained the bug as clearly as Packet Storm in its post Facebook: Where Your Friends Are Your Worst Enemies:
When you open the downloaded archive, there is a file inside called addressbook.html. This file is supposed to house the contact information you uploaded.
However, due to a flaw in how Facebook implemented this, it also housed contact information from other uploads other users have performed for the same person, provided you had one piece of matching data, effectively building large dossiers on people.
In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information.
It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.
Most people who found out they have a 'shadow profile' with contact info they never gave to Facebook - such as telephone numbers - were surprised and angry.
Facebook responded Sunday pointing to a page on its address book email collection policy and emphasizing that the data is uploaded voluntarily by people the users know.
- Updated with Facebook's response: Anger mounts after Facebook's 'shadow profiles' leak in bug
The real alarm rose when Packet Storm began to comprehend what this meant for the individual user - and what happened when the security researchers approached Facebook with its concrete fears:
The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening. The questions we asked were very to the point but carefully constructed to reflect an equal balance between usability and user safety.
(...) Our first question asked that, in the name of common decency and privacy, would Facebook ever commit to automatically discarding information of individuals that do not have a known Facebook account? Possibly age it out X days if they don't respond to an invite due to a friend uploading their information without their knowledge?
Their response was essentially that they think of contacts imported by a user as the user's data and they are allowed to do with it what they want.
To clarify, it's not your data, it's your friends. We went on to ask them if Facebook would commit to having a privacy setting that dictates Facebook will automatically delete any and all data uploaded about me via third parties ("friends") if it's not in scope with what I've shared on my profile (and by proxy, is out of band from my privacy settings)?
We were basically met with the same reasoning as above and in their wording they actually went as far as claiming that it would be a freedom of speech violation.
Standing on its policy, Facebook is refusing to allow users to have control over their own personal information.
Facebook policy in this area is that your data is not yours; it belongs to your friends, and by its rules your friends - or merely peple you know - have more control over your data than you do.
Packet Storm praised Facebook for acting swiftly to patch the bug.
The security company emphasized that it is not Facebook security that is broken, but instead it is Facebook policy that is broken, and their disclosure is not meant to cast a negative light on the company.
Packet Storm remarked, "It was clear that Facebook attacked the disclosure flaw properly, but concerns still remain about the fact that dossiers are being built on everyone possible."
"You can run, but you can't hide"
Right now commenters across the Internet will be saying, Don't join Facebook or Delete your account. But it appears that we're subject to Facebook's shadow profiles whether or not we choose to participate.
I feel like we're only beginning to understand why Facebook's data is so very valuable to advertisers, governments, app makers and malicious entities.
Packet Storm wrote,
It is now publicly known that Facebook has all of this correlated information (or if it's not now, it can be) and everyone (read: governments and criminals alike) are going to aim for it, whether legally or illegally.
Facebook claims they will not disclose this additional information to the government when requests are received, but it still has the world's largest target painted on it asking for trouble.
Packet Storm thinks legislation is the answer. "What we need are governments to enact legislation that forces the hand, but given recent news items in the United States, it is clear that not all governments are making this a top priority."
We are well aware right now that our laws are woefully inept when it comes to keeping up with data privacy.
Some of us hope that this is an oversight that will be corrected.
There are no protections against shadow profiling. Just like with so-called "people search" websites, we have no legal mandates with which we can identify and remove our information from their systems, no protections that guarantee an opt-out, and no recourse other than to say "no."
Let's hope that Facebook policy listens to the anger and fear they're inspiring right now, and that it means something.
Because if there was ever a time Facebook needs to do the right thing, it's now.