Facebook "Shadow Profiles"

I'm shocked, shocked that they could let this happen.

As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

They dodge by saying, "Describing what caused the bug can get pretty technical", but it's pretty simple.

  • Alice (that's you) does not share their private email address or phone number with Facebook.
  • Alice has two friends, Bob and Carol.
  • Bob knows Alice's secret phone number. Carol does not.
  • Bob uses the "Find Friends" tool and uploads his phone's address book to Facebook.
  • Facebook now adds Alice's private information to their dossier, since Bob disclosed it.
  • Carol uses the "Download Your Information" tool. Carol now has Alice's secret phone number.

However, Facebook's PR flacks are being circumspect about the source of the data in these "shadow profiles". They used the "upload your address book" scenario as an example, so we know that's happening. But it also seems extremely likely to me that they also populate these shadow profiles with data sourced from other "partners", e.g., advertisers, merchants, or sites that use Facebook logins as their authorization mechanism.

It's also not clear whether Alice and Carol had to actually be friends for Carol to get Alice's data, as they say "their contacts or people with whom they have some connection". That last bit could mean "friends of friends". It could mean they both play Zynga games. Who knows.

I would be surprised if this information was not also available to the creators of any apps you use. Once you've authorized an app, they get basically everything on you and your friends.

They also don't say what other information is in these "shadow profiles". This bug disclosed email addresses and phone numbers, but presumably they have collected a lot more than that, e.g., home addresses. Because why would they not? Bob "gave" it to them.

The fact that these shadow profiles are being compiled at all is horrible. That it takes a monumental privacy fuck-up for people to become aware of it at all is a problem.

Previously, previously, previously, previously, previously.

Tags: , , , , ,

8 Responses:

  1. nooj says:

    They surely also source data from any private messaging like "hey i lost your number" "XXX-XXX-XXXX"; and any event location/contact info.

  2. Bieter Peerman says:

    "Shadow Profiles?!" HAH! More like "Actual Profiles". Is there anyone left who doesn't know that Facebook exists to build a dossier of every person, and the profile webpage is just a distraction they give you so you think you somehow own it? This is why Google says that Google+ is completely successful despite being a ghost town. The "social community" on these sites is utterly irrelevant.

  3. James says:

    Some time around 2007 there were two separate placeholder profiles for me, both of which Facebook would email me about roughly twice a month urging me to claim, and telling me which of my associates had already friended them. That was so offensive and amateur hour-feeling I resolved to never join, a decision which has provided a very frequent smug sense of superiority ever since. Someday I hope to append PGP signatures to all my emails.

  4. Otto says:

    Hmm.. I've got an old copy of the Facebook download-your-information lying around somewhere. Time to open it up and see what's in there.

  5. Kurtis says:

    The fact that these shadow profiles are being compiled at all is horrible. That it takes a monumental privacy fuck-up for people to become aware of it at all is a problem.

    People were already aware of it, but Facebook denied it:

    3.11.1 Complaint 2 – Shadow Profiles
    the complainant stated that Facebook is gathering information in relation to users and non-users of Facebook through a number of functions including the synchronisation of mobile phones
    [...]
    Facebook clarified that it does not hold “Shadow Profiles” of non-users.
    (Irish Data Protection Commissioner - Report of Audit - 21 December 2011)