A Blog by Jonathan Low

 

Jun 23, 2013

Facebook Bug Alert Reveals Vast Shadow Data Collection Effort

Friday afternoons are a great time to release controversial information that might do a corporation harm. People are focused more on their weekend plans than anything else and such revelations tend to placed in the 'I'll deal with it next week' box.

So it was fitting and entirely predictable that Facebook sent out one of those Ooopsy here-we-go-again notices about some people's data being inadvertantly released due to a computer malfunction or human error or some other reassuring 'we've-heard-it-all-before message designed to put us back to sleep. The assumption being that we will mutter to ourselves about 'those idiots' and why they cant ever seem to get this data security thing right. End of story. Or so they hoped.

Except that as so often happens, it was what was not revealed intentionally that turned out to be the real story. The bug or error was what it was. But the information released was apparently part of a massive Facebook effort to quietly capture offline, which is to say unapproved, data about Facebook members and their networks. The effort was intended, according to Facebook, to help people more easily connect with friends. But it is evident, as the following article explains, that the real intent was to gather more data to make it more productive for advertisers to more accurately target those in question.

The level of outrage has not yet achieved NSA Prism levels - and may never. People seem to have a more visceral fear of the government than they do of the hoodies at 1 Hacker Way. But the parallels are eery. Two very large institutions, both claiming to protect or promote citizen-friends interests use not quite transparent methods to get data about individuals that said persons might be reluctant to share if they were extended the courtesy of actually being asked. This is no longer the exception or the anomaly. This is the world in which we live, work and play. It is a world its denizens have passively enabled and overtly supported through both participation and refusal to protest. It appears to be what The People want. But the scope and scale suggest that should that attitude change, it is probably already too late to do anything about it. Welcome to your world, what did you say your password was? JL

Violet Blue comments in ZDNet:

Facebook appears to be obtaining users' offsite email address and phone numbers and attempting to match them to other accounts. It appears that the invisible collected information is then being stored in each user's 'shadow profile' that is somehow attached to accounts.
Friday Facebook announced the fix of a bug it said inadvertently exposed the private information of over six million users when Facebook's previously unknown shadow profiles accidentally merged with user accounts in data history record requests.
According to Reuters, the data leak spanned a year beginning in 2012.
The personal information leaked by the bug is information that had not been given to Facebook by the users - it is data Facebook has been compiling on its users behind closed doors, without their consent. A growing number of Facebook users are furious and demand to know who saw private information they had expressly not given to Facebook.
Facebook was accidentally combining user's shadow profiles with their Facebook profiles and spitting the merged information out in one big clump to people they 'had some connection to' who downloaded an archive of their account with Facebook's Download Your Information (DYI) tool.
Users were clearly unaware that offsite data about them was being collected, matched to them, and stored by Facebook.
Looking at comments on Facebook's blog and community websites such as Hacker News, Facebook users are extremely angry that the phone numbers and email addresses that are not-for-sharing have been gathered and saved (and now accidentally shared) by Facebook.
Facebook stated in its post yesterday that the bug was resolved, but Facebook users are telling a different story today in the comments.
One man commented this afternoon, "I just downloaded the "extended backup" and I'm still viewing emails and phone numbers that are NOT PUBLIC!!!!"
Facebook explained in its post that the bug shared information about a user that had been scraped from a source other than the personal data the user had ever entered into Facebook about themselves.
The action of the bug is that if a user downloaded their own Facebook history, that user would also download email addresses and phone numbers of their friends that other people had in their address books, without their friends ever knowing Facebook had gathered and stored that information.
This data is being gathered by Facebook about individuals through their friends' information about them - harvested when a user grants Facebook address book or contact list access.
Facebook did not specify which app or contact database tool was utilized when collecting and matching offsite-sourced data about users.
The social network said that it was harvesting and matching the offsite-sourced data to user profiles - creating these shadow profiles - "to better create friend suggestions" for the user.
Facebook users are deftly reading between the lines. One commenter on Hacker News observed wisely,
The blog says the fix was made in the DYI tool. That means they would continue to maintain "shadow profiles", but would stop letting others know that FB has a shadow profile on you.
Facebook's post downplays the significance of the data breach by telling users that while six million accounts were exposed, very few people saw the personal phone and email data because it could only be seen when a user downloaded their Facebook history.
The social giant assured users their shadow profiles were shared only with Facebook users they were somehow connected to,
if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.
Facebook did not specify in its post what is meant by "somehow connected to" and comment speculation is attempting to fill in the gaps.
According to Reuters, who spoke with a Facebook representative, the data was being exposed in this manner for about a year.
What the revelation means is that Facebook has much more information on us than we know, it may not be accurate, and despite everyone's best efforts to keep Facebook from knowing our phone numbers or work email address, the social network is getting our not-for-sharing numbers and email addresses anyway by stealing them (albeit through 'legitimate' means) from our friends.
The yearlong gap of exposure as described by Reuters creates a scenario of horrifying possibilities for any woman who has begin to experience harassment, abuse or stalking by an ex within the past year. Or, anyone being maliciously stalked and harassed by a tech-savvy aggressor (or a stalker's Facebook sock puppet) they may have accidentally friended over the past year.
This could be remedied and harm would be greatly reduced if Facebook addressed and answered the growing demands of its users to know who has seen their non-Facebook private data.
What it means for me is that even though I've been very careful not to give my phone number to Facebook or the men in my "friends," the guys I've 'friended' might have gotten my phone number anyway, regardless of my consent. I did not know they may have been able to get my phone number throughout the course of a year, and now I have no way of finding out who might have gotten my phone number.
I am glad I've never used a Facebook app or allowed Facebook access to my contacts in any way whatsoever. (Yay paranoia.) The private numbers and emails of my friends and colleagues should remain exactly that: private.
Facebook has officially stated that it does not know of any malicious use derived from the bug.
This appears to be the first time Facebook has publicly admitted that users' shadow profiles contain more than native data (such as posts or information you deleted but are retained by Facebook) and also contain data that Facebook has harvested.
Meanwhile, anger continues to rise on the Facebook post, and as of this writing there are no representatives from Facebook in the comments to quell the storm.

0 comments:

Post a Comment