Facebook 'dossier' find raises contact list privacy questions

A Facebook bug that accidentally shared information on people's contact lists with others on the social network highlights the precariousness of privacy in the digital world.

About 6 million Facebook users had their email addresses or telephone numbers shared with others without permission. The information was made available through Facebook's Download Your Information tool, which provides an archive of a person's Facebook account.

The bug, reported by the security site Packet Storm, was triggered when people uploaded their contact lists from another application into Facebook. A person who later used the DYI tool would get that list back in a file called "addressbook.html," along with other account information.

Rather than containing only the entries from the requester's own uploaded list, the address book file also included email addresses and phone numbers for the same people that other users had uploaded in their lists. Packet Storm notified Facebook of the problem last week.

Once notified, Facebook said it immediately disabled the DYI tool, fixed the problem and had the application back up the next day. The site also paid Packet Storm a $500 bug bounty.

The contact information became commingled because Facebook aggregates every uploaded list into a single database and then looks for contacts shared between users, so it can suggest people they may want to become friends with. The export drew on that merged record rather than only on what the requesting account had itself uploaded.
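A toy reconstruction of that aggregation, added here as an illustration and not Facebook's code: the friend-suggestion index needs a merged view of every uploaded list, and the leak appears when the address-book export is built from that merged view instead of from the requesting account's own upload. The class, method names and the two sample contact lists are hypothetical and constructed for the example.

```python
"""Toy model of contact-list aggregation and the two ways to export it.

Added illustration, not Facebook's code. ContactStore, upload(),
suggest_friends() and the export methods are hypothetical names; the
sample uploads in build_sample_store() are constructed data.
"""
from collections import defaultdict


class ContactStore:
    def __init__(self):
        # Merged view keyed by contact name: field -> set of values seen
        # across every uploader. Friend suggestion only needs this.
        self.merged = defaultdict(lambda: defaultdict(set))
        # Provenance: exactly which fields each account uploaded.
        # Without this, an export cannot be scoped to its owner's data.
        self.uploads = defaultdict(lambda: defaultdict(dict))
        # Which accounts uploaded a given contact (input to "people you may know").
        self.uploaded_by = defaultdict(set)

    def upload(self, uploader, contacts):
        """contacts: {contact_name: {field: value}} from the uploader's address book."""
        for name, fields in contacts.items():
            self.uploaded_by[name].add(uploader)
            for field, value in fields.items():
                self.merged[name][field].add(value)
                self.uploads[uploader][name][field] = value

    def suggest_friends(self, user):
        """Other accounts that uploaded at least one contact `user` also uploaded."""
        shared = set()
        for name in self.uploads[user]:
            shared |= self.uploaded_by[name] - {user}
        return shared

    def export_addressbook_buggy(self, user):
        """Export built from the merged view: leaks fields other users uploaded."""
        out = {}
        for name in self.uploads[user]:
            out[name] = {f: sorted(v) for f, v in self.merged[name].items()}
        return out

    def export_addressbook_fixed(self, user):
        """Export restricted to fields this account uploaded itself."""
        return {name: dict(fields) for name, fields in self.uploads[user].items()}


def build_sample_store():
    """Constructed sample: two accounts each know Carol, but uploaded different fields."""
    store = ContactStore()
    store.upload("alice", {"Carol": {"email": "carol@example.com"}})
    store.upload("bob", {"Carol": {"phone": "+1 555 0100"}})
    return store


def leaked_fields(store, user):
    """Fields present in the buggy export that `user` never uploaded."""
    buggy = store.export_addressbook_buggy(user)
    own = store.export_addressbook_fixed(user)
    return {
        name: sorted(set(fields) - set(own.get(name, {})))
        for name, fields in buggy.items()
        if set(fields) - set(own.get(name, {}))
    }


if __name__ == "__main__":
    s = build_sample_store()
    print("suggestions for alice:", s.suggest_friends("alice"))
    print("buggy export:", s.export_addressbook_buggy("alice"))
    print("fixed export:", s.export_addressbook_fixed("alice"))
    print("leaked:", leaked_fields(s, "alice"))
```

The merged view is legitimate for its purpose (matching shared contacts); the defect is reusing it for a per-user export. Keeping per-uploader provenance, as `uploads` does here, is what makes the scoped export possible without giving up the matching feature.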

Facebook apologized and said there was no evidence the bug had been exploited maliciously. The site also said it had received no complaints from users. Packet Storm said the bug had been live since last year.


The mistaken data sharing demonstrates the risk of providing personal information to others. Facebook treats contact lists as the property of the people who upload them to the site. Whether the people on a list would want their information shared is left to the list's owner to decide.

"Whenever you hand information to another person you lose control of that information," said Andrew Walls, an analyst with Gartner. "You can fiddle with contracts and blood oaths, but once it is out of your hands you have no control over security or privacy."

Facebook honors the sharing limits set by the person who uploads a contact list, even when people appearing on that list have chosen stricter controls over how their own data is shared on the site. From the start, therefore, people should only give out contact information they are prepared to treat as public.

"My feeling is that once I pass my contact information to a third party, i.e. a friend, I no longer control that data because the friend, or business contact, or charity, now has access and I can't be sure it won't be passed on," Charles Kolodgy, an analyst with IDC, said. "There is no assumption of privacy."

Given the lack of privacy, people need to separate their personal contact lists from their business address book. "I do not think that my employer's email contact book is mine to share," said Anton Chuvakin, a Gartner research director of risk management.

To avoid problems, many companies have policies for handling business contact lists, Chuvakin said.

In 2011, the Federal Trade Commission (FTC) announced a broad settlement with Facebook over its handling of user data. Under the agreement, Facebook committed to honoring people's privacy wishes and to submitting to regular privacy audits for the next 20 years.

"Facebook is under a consent order with the FTC that requires the company to develop a comprehensive privacy program," said David Jacobs, a consumer protection fellow for the Electronic Privacy Information Center. "It will be interesting to see if this bug causes the FTC to take a closer look at the effectiveness of that program."

In the meantime, people have to assume when contact information is handed out, it will be shared.

"The value of contact information is based on sharing that data with others," Walls said. "This means the data will be held by multiple people using a wide variety of tools and platforms. Something will break somewhere."

Stories by Antone Gonsalves