As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
They dodge by saying, "Describing what caused the bug can get pretty technical", but it's pretty simple.
- Alice (that's you) does not share their private email address or phone number with Facebook.
- Alice has two friends, Bob and Carol.
- Bob knows Alice's secret phone number. Carol does not.
- Bob uses the "Find Friends" tool and uploads his phone's address book to Facebook.
- Facebook now adds Alice's private information to their dossier, since Bob disclosed it.
- Carol uses the "Download Your Information" tool. Carol now has Alice's secret phone number.
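The steps above, modeled as a small data store with the leaking export next to a provenance-scoped one. This is an added illustration, not Facebook's code: the `ContactStore` class, its method names, and the sample phone number are all hypothetical, and it assumes "some connection" means a direct friend link.

```python
from collections import defaultdict

class ContactStore:
    """Toy model of the Alice/Bob/Carol scenario; all names are hypothetical."""

    def __init__(self):
        self.connections = defaultdict(set)   # user -> users they are connected to
        self.contact_info = defaultdict(set)  # subject -> {(value, uploader)}

    def connect(self, a, b):
        self.connections[a].add(b)
        self.connections[b].add(a)

    def upload_address_book(self, uploader, book):
        # Each uploaded entry is attached to its subject, tagged with who supplied it.
        for subject, value in book.items():
            self.contact_info[subject].add((value, uploader))

    def export_leaky(self, requester):
        # The failure mode: the export ignores provenance and returns every
        # value on file for each connection, whoever uploaded it.
        return {c: {v for v, _ in self.contact_info[c]}
                for c in self.connections[requester]}

    def export_scoped(self, requester):
        # The corrected check: only values the requester uploaded themselves.
        return {c: {v for v, up in self.contact_info[c] if up == requester}
                for c in self.connections[requester]}

def scenario():
    store = ContactStore()
    store.connect("alice", "bob")
    store.connect("alice", "carol")
    # Constructed sample data: Bob's address book holds Alice's private number.
    store.upload_address_book("bob", {"alice": "+1-555-0100"})
    return store

if __name__ == "__main__":
    s = scenario()
    print("leaky export for carol: ", s.export_leaky("carol"))
    print("scoped export for carol:", s.export_scoped("carol"))
    print("scoped export for bob:  ", s.export_scoped("bob"))
```

The scoped export fixes only the disclosure to Carol; the store still holds Alice's number because Bob supplied it.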
However, Facebook's PR flacks are being circumspect about the source of the data in these "shadow profiles". They used the "upload your address book" scenario as an example, so we know that's happening. But it also seems extremely likely to me that they also populate these shadow profiles with data sourced from other "partners", e.g., advertisers, merchants, or sites that use Facebook logins as their authorization mechanism.
It's also not clear whether Alice and Carol had to actually be friends for Carol to get Alice's data, as they say "their contacts or people with whom they have some connection". That last bit could mean "friends of friends". It could mean they both play Zynga games. Who knows.
I would be surprised if this information was not also available to the creators of any apps you use. Once you've authorized an app, they get basically everything on you and your friends.
They also don't say what other information is in these "shadow profiles". This bug disclosed email addresses and phone numbers, but presumably they have collected a lot more than that, e.g., home addresses. Because why would they not? Bob "gave" it to them.
The fact that these shadow profiles are being compiled at all is horrible. That it takes a monumental privacy fuck-up for people to become aware of it at all is a problem.