Facebook in more hot water, now over 'shadow dossiers'

As if admitting a data breach exposing personal information for 6 million of its members wasn't bad enough, now Facebook is facing growing ire over its data gathering practices.

Last Friday, the social network announced it had fixed a bug, affecting about six million people, that allowed some of its members to see additional information about their contacts when using Facebook's "Download Your Information" tool. The tool lets a person download an archive copy of their Facebook account.

"We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing," Facebook said in a blog post.

"Although the practical impact of this bug is likely to be minimal, since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again," Facebook wrote.

However, as it turns out, the bug is the least of the worries the incident has generated for Facebook. That's because, in the course of investigating the flaw, a security company discovered that Facebook keeps "shadow dossiers" on its members. Those dossiers contain information about people that they did not volunteer themselves but that was scraped from third-party sources.

Worse yet, such dossiers aren't only kept for Facebook members, but also for people who are only associated with members.

"It was clear that Facebook attacked the disclosure flaw properly, but concerns still remain about the fact that dossiers are being built on everyone possible," the security company Packet Storm wrote in a blog post.

"The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening," it added.

Facebook sees no cause for alarm, though. "The distinction to be made here is that you can control the information you provide, but not necessarily information about you," Facebook spokesman Frederick Wolens explained in an email.


"For example," he continued, "it would be a sad world if politicians could simply remove any information they found unflattering from Facebook."

"We do allow you to control the information you provided about your contacts," he said. "However, we do not allow you to delete information provided by your friends."

"Would you ask Gmail if you can delete your email address from other people's contact books?" he asked rhetorically.

Not everyone agrees with Facebook's analysis of the situation. "The system essentially latches onto Facebook users, invites them to import their contacts, and then appropriates these contacts for a separate, hidden purpose, creating these shadow profiles of both members and non-members," said Sarah A. Downey, a privacy analyst and attorney with Abine.

"And we know any data stored by private companies must be given to law enforcement, like the NSA, when those agencies request it," she said in an email. "The end result could be that Facebook turns over extensive contact information to law enforcement on people who haven't even signed up."

Downey cautioned anyone signing up for any online services to avoid using features like "find friends" or "upload your contacts" because by using them, they're adding their contacts to those companies' databases.

"Your intentions may be good -- to connect with your friends or easily find people to follow -- but you're spreading data collection to uninvolved, unaware people," she said.

Many services like Facebook keep their members in the dark about the data they hold on them. "When users don't know that particular pieces of data about them are part of Facebook's dossiers, how can they exert a responsible level of control to ensure their own privacy?" asked Adi Kamdar, an activist with the Electronic Frontier Foundation.

The lesson to be learned from this latest Facebook gaffe is a harsh one, said David Britton, vice president of industry solutions at 41st Parameter.

"The message to consumers is that they need to know that any data they may upload online may at some point be available to individuals that they never intended to have access to it," Kamdar said.

"Even more importantly -- even if they don't upload it themselves -- someone else may have," he added.

Stories by John P. Mello