Facebook bug brings shadow profiles to light; could affect non-users as well

After Facebook's announcement on Friday that private information of over 6 million users was accidentally shared, it has now been found that the company was not completely honest in its report...

Facebook had earlier reported that the service was affected by a bug that inadvertently exposed the private details of over six million users. This was the first time that news about the social network’s shadow profiles surfaced. These are detailed databases that the company holds on each user, and information from them was accidentally merged with user accounts during data history record requests.

Now, Packet Storm, the security researchers who discovered Facebook’s shadow profiles vulnerability, have compared the numbers between what they had found and what Facebook has told its users in emails, to reveal a mismatch, according to ZDNet.

According to the firm, Facebook has told users that the exposure is much smaller than what researchers have found. In addition, the firm has revealed that the social networking site is keeping track of the contact information of non-users, a fact that was ascertained when the company was forced to reveal that offsite records were also leaked when the bug was discovered.


Facebook is on the defensive after a bug revealed the presence of detailed user dossiers



From 2012 onwards, Facebook users who may have used the Download Your Information (DYI) tool to get a copy of their data history record also got an address book full of contacts that other users never directly provided to the social network.


In an attempt to address the widespread user anger, the company sat down with ZDNet on Sunday and explained that when a Facebook user uploaded an address book, the social network saved a copy of all the contacts in the user’s database.


Facebook users have voiced their anger at the social networking site for collecting and storing their offsite phone numbers and email addresses, which are being secretly matched to them and now accidentally shared by the social network.


On Friday, the company released an email to placate users while talking about the security and privacy flaw. It has now been seen that the company was not completely honest with everyone, though. The real story was revealed by security researcher Michael Fury and his colleagues at Packet Storm Security.


The security company was able to compare the prior test data which was used to ascertain the leak with the reports that Facebook released to its users via email, as well as the press. The comparison revealed that there is a lot more detail in the DYI reports than earlier believed.


Facebook declined to comment when ZDNet tried to verify the claims in Packet Storm Security’s report, going on the defensive by saying that everything that needed to be revealed was in its blog post.


In the post, the social network has said that it collects and links the offsite-sourced data with user profiles to create shadow profiles. This is done to help create better friend suggestions for the Facebook user.


After last week’s incident, the security company now believes that Facebook is collecting all the data it can get to create disturbingly detailed dossiers about everyone, including people who are not on the social network.


When Packet Storm sat down with Facebook, it was disquieting to find that the social network declined to answer quite a few important questions that the security company had to ask. ZDNet also found that Facebook, at one point in the conversation, told Packet Storm that it was sticking to its First Amendment rights in the context of this data collection policy.


What is scary is that the policy Facebook is talking about basically says that the data collected by the social network is not directly from the user, but from the user’s friends. Thus, the user has no right over the data collected, despite it pertaining to him. The policy also states that the user’s friends will have more control over the data than the user himself.


Facebook began providing the DYI history feature back in October 2010 to more than 500 million Facebook users in a move that was spread over several months. A month after the feature was rolled out, the US Federal Trade Commission (FTC) pulled the social network up for changes it had made in 2009 with regard to user privacy.


Facebook would now need to ask users for their consent before sharing their data in any way that was different from what users had initially agreed to. Nothing was said about the data that could be collected about the user from a friend’s profile, which could be stored and then shadow-profiled on the pretext of giving better friend suggestions.


In 2011, Max Schrems of Vienna, Austria sent a formal request to Facebook citing European law while asking for his data. A CD was sent, which had 1,222 files on it. The detail of the data stored about him was staggering, including items that he had deleted, likes, unlikes as well as a variety of information on his friends' activities, including their whereabouts at any given time.  



In today’s world, almost everyone you know is on Facebook. As of June 2013, the company has 1.11 billion registered users, with 665 million active daily. In 2012, the revenue for the social network was $5.09 billion. When asked about the exact number of users who have made use of the Download Your Information tool in 2012, Facebook told ZDNet that the numbers are not being made available publicly. 


This may be the first time that Facebook has publicly admitted the existence of users' shadow profiles, which contain not just their own data, such as posts or information they deleted but which Facebook retains, but also the data that Facebook is collecting from other users. Be that as it may, the real number of users who may have got the social network’s shadow profile data on other users might never see the light of day.
