A bug that sat in Facebook's systems for about a year exposed private contact information of about 6 million of its users to other users during that period. The disclosure has revived concern that the company maintains a database of "shadow profiles" of its members and their friends, including friends who are not members themselves.
Since Facebook has more than 1 billion members worldwide at last count, its shadow database would be the envy of any intelligence agency.
Facebook has found and squashed the bug, but the news has angered some users, who have filed comments on the company’s blog in response to its announcement.
Shadow profiles “should be one of the biggest privacy concerns people have on the Internet, as most often marketing companies like Facebook and Google don’t divulge how they’re tracking and using your information and what sources they’re combining it with,” Ken Pickering, director of engineering at Core Security, told TechNewsWorld.
Facebook's leak of shadow profile details means users are "not just prone to their security flaws at that point, but to their security flaws on information you did not opt in for them to build against you," Pickering continued.
The Breach
To understand how the bug affected the people whose data was exposed, it helps to know how Facebook collates contact data.
When members upload contact lists or address books, Facebook matches the entries against contact information it already holds in order to generate friend recommendations, including suggestions involving people who are not yet members.
The bug caused some of the email addresses and phone numbers used to make those recommendations to be stored as part of members' own contact data. As a result, when a member downloaded an archive of his or her account through the company's "Download Your Information" (DYI) tool, the archive contained contact details for other people that the member was never supposed to see.
Each individual email address or telephone number was included in only one or two downloads, Facebook said, so in almost all cases an address or number was exposed to a single person. The company did not, however, say how many addresses or numbers were revealed to more than one person.
No other type of personal or financial information was included, and only Facebook members, not advertisers or developers, have access to the DYI tool, Facebook said.
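The failure mode above, matching an uploaded address-book entry to an account and then letting every field of that entry ride along into a third party's DYI archive, is easy to model. The following is an added example written for this page, not Facebook's code: the store, the member names and the sample address book are all constructed, and the "fixed" export shows the provenance filter a practitioner would expect, namely that an archive for member X includes only what X's friends put on their own profiles plus what X uploaded about them personally.

```python
"""Constructed model of the contact-matching and Download Your Information (DYI)
export flaw discussed above. Example code added to this page; the class names,
fields and sample data are assumptions, not Facebook's actual implementation."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Point = Tuple[str, str]  # (kind, value), e.g. ("email", "bob@example.com")


@dataclass
class Member:
    uid: str
    profile: Set[Point] = field(default_factory=set)  # contact points the member entered
    friends: Set[str] = field(default_factory=set)


@dataclass
class UploadedPoint:
    point: Point
    uploader: str  # member whose address book contained it (provenance)


class ContactStore:
    def __init__(self) -> None:
        self.members: Dict[str, Member] = {}
        # subject uid -> contact points attached to that account by other people's uploads
        self.matched: Dict[str, List[UploadedPoint]] = {}
        # address-book entries that matched no member: retained, never shown to anyone
        self.unmatched: List[Tuple[str, frozenset]] = []

    def add_member(self, uid: str, email: Optional[str] = None, phone: Optional[str] = None) -> None:
        profile: Set[Point] = set()
        if email:
            profile.add(("email", email))
        if phone:
            profile.add(("phone", phone))
        self.members[uid] = Member(uid, profile)

    def befriend(self, a: str, b: str) -> None:
        self.members[a].friends.add(b)
        self.members[b].friends.add(a)

    def import_address_book(self, uploader: str, entries: List[Set[Point]]) -> Set[str]:
        """Match each entry against members' profiles, as the friend-recommendation
        flow does, and return the uids to suggest. Every field of a matched entry is
        attached to the matched account, including fields that member never shared;
        the uploader is recorded so provenance can be checked later."""
        suggestions: Set[str] = set()
        for entry in entries:
            subject = next((m.uid for m in self.members.values() if m.profile & entry), None)
            if subject is None:
                self.unmatched.append((uploader, frozenset(entry)))
                continue
            suggestions.add(subject)
            self.matched.setdefault(subject, []).extend(UploadedPoint(p, uploader) for p in entry)
        return suggestions

    def _friend_contacts(self, uid: str, keep: Callable[[UploadedPoint], bool]) -> Dict[str, Set[Point]]:
        out: Dict[str, Set[Point]] = {}
        for f in sorted(self.members[uid].friends):
            points = set(self.members[f].profile)
            points |= {up.point for up in self.matched.get(f, []) if keep(up)}
            out[f] = points
        return out

    def export_buggy(self, uid: str) -> Dict[str, Set[Point]]:
        """DYI archive as the flaw produced it: every point ever matched to a friend's
        account is included, whoever uploaded it."""
        return self._friend_contacts(uid, lambda up: True)

    def export_fixed(self, uid: str) -> Dict[str, Set[Point]]:
        """Provenance-filtered archive: a friend's own profile data plus only what this
        member uploaded about that friend personally."""
        return self._friend_contacts(uid, lambda up: up.uploader == uid)

    def leaked(self, uid: str) -> Dict[str, Set[Point]]:
        buggy, fixed = self.export_buggy(uid), self.export_fixed(uid)
        return {f: buggy[f] - fixed[f] for f in buggy if buggy[f] - fixed[f]}

    def exposure(self) -> Dict[Point, Set[str]]:
        """For each leaked contact point, which members' archives would have carried it."""
        seen: Dict[Point, Set[str]] = {}
        for uid in self.members:
            for points in self.leaked(uid).values():
                for p in points:
                    seen.setdefault(p, set()).add(uid)
        return seen


def build_sample() -> ContactStore:
    """Constructed scenario: carol's address book holds a phone number for bob that
    bob never put on his profile; alice, carol and erin are bob's friends."""
    s = ContactStore()
    s.add_member("alice", email="alice@example.com")
    s.add_member("bob", email="bob@example.com")
    s.add_member("carol", email="carol@example.com")
    s.add_member("erin", email="erin@example.com")
    for other in ("alice", "carol", "erin"):
        s.befriend(other, "bob")
    s.import_address_book("carol", [
        {("email", "bob@example.com"), ("phone", "+15550100")},  # matches bob via his email
        {("email", "dave@example.com")},                         # non-member: retained, unmatched
    ])
    return s


if __name__ == "__main__":
    s = build_sample()
    print("buggy archive for alice:", s.export_buggy("alice"))
    print("fixed archive for alice:", s.export_fixed("alice"))
    print("leaked to alice:", s.leaked("alice"))
    print("who would receive each leaked point:", s.exposure())
```

Running it shows bob's phone number reaching alice and erin, who never uploaded it, while carol's own archive is identical under both exports because she supplied the number herself. The `exposure` map is the calculation behind a "downloaded once or twice" statement: it is per contact point, so a single number counted as "exposed to two people" is still two recipients. The unmatched dave entry is the shadow-data case: never shown to anyone, but retained.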
Facebook has squashed the bug, notified regulators in the United States, Canada and Europe, and is notifying affected users by email.
Move Over, Santa, Your Database Isn’t Good Enough
Although only Facebook members can use the DYI tool, that does not mean developers or advertisers cannot get their hands on the leaked information, nor that the leaked information will not be abused.
Finding shadow records among the data, records that appear to be analyzed and correlated data points on every user, ranging from real-life details to private information entered by members, "is shocking, although not surprising," Sean Bodmer, chief researcher at CounterTack, told TechNewsWorld.
“Who is to say this isn’t one of the data sources that have been sold to the target-marketing firms placing specific ads in view of members based on their likes, interests and habits?” Bodmer asked.
History Repeats Itself
Complaints about Facebook maintaining a shadow profile database first surfaced in 2011, when Max Schrems, who set up Europe versus Facebook, filed a complaint with the Irish Data Protection Commissioner.
That eventually led the commissioner to audit Facebook Ireland in 2011. The audit’s report “found no evidence” of the creation of shadow profiles, commissioner spokesperson Ciara O’Sullivan told TechNewsWorld.
Facebook has reported the latest bug to the office, and “we are satisfied with Facebook Ireland’s response to our data breach procedures to date,” she added.
“These findings apply across Facebook, including the U.S. and other parts of the world,” Facebook spokesperson Frederic Wolens told TechNewsWorld.
However, getting data about users from other people “is illegal under EU laws,” Schrems told TechNewsWorld. His case against Facebook over shadow profiles “is still ongoing.”