Sunday, September 1, 2013

Friends Becoming Informants: How your friends are spilling your secrets to Facebook

Big companies make two kinds of announcements. There are RAH RAH RAH HOORAY FOR US announcements designed to get as much attention as possible, and there are the announcements that firms sneak out on a Friday evening when all the European journalists are drunk and the US ones are heading home.


Facebook's blog post about a major security breach falls into the latter category, because Facebook really doesn't want you to think about shadow profiles.

As Violet Blue writes on ZDNet: "The personal information leaked by the bug is information that had not been given to Facebook by the users - it is data Facebook has been compiling on its users behind closed doors, without their consent."

It turns out that if Facebook can't get information about you from you, it'll grab it from your friends instead.

What are shadow profiles?

We've known about shadow profiles for some time: in 2011, Europe vs Facebook filed a complaint against Facebook Ireland with the Irish data protection watchdog (PDF) on the grounds that Facebook was collecting "as much information of users and non-users as possible."

Facebook strenuously denied the allegations at the time, so the leak of shadow profiles must be rather embarrassing.

Here's how it works. Let's say you only put a very basic amount of information on your profile and keep details such as your main email address or your mobile phone number away from Facebook.

If any of your friends have that information and they sync their address books with Facebook, Facebook gets that contact info. If a friend from X university or Y employer searches for you, Facebook knows it's pretty likely that you went to X university or worked at Y employer.

If you aren't on Facebook but somebody's put your details into Facebook's friend finder, those details are now on Facebook.

Facebook isn't the only firm that stores address book details, but others such as Twitter delete the data after 18 months. Facebook doesn't, and it appears to store much more information - and that's none of your business, because other people provided it.

According to Facebook, giving you any control over that information would be a freedom of speech violation.

I'm not sure that's legal, because here in the EU we have pretty solid data protection legislation: it's based on "data minimisation", which is the principle that organisations shouldn't hold more data about you than is strictly necessary. "You should not hold personal data on the off-chance that it might be useful in the future," the Information Commissioner's Office says. Facebook, it seems, is doing exactly that.

I'm not one for conspiracy theories, but this one's a beauty: when you consider that, over and above the things you consciously share, Facebook can also record your GPS location, the websites you visit and any information your social network contacts have about you, it looks like the sort of thing the security services would just love.

By an interesting coincidence, Facebook's former security chief, a former FBI man who left Facebook in 2010, now works at the NSA.