Facebook acknowledged on Friday that a flaw in a feature that lets users download their own profile information exposed personal information on approximately six million users, including phone numbers and e-mail addresses that were not shared with the site, but is staying mum on the future of wide ranging information harvesting practices revealed by the bug.
In a blog post, the social networking giant said the security hole was disclosed by an independent security researcher and forced the company to disable the Download Your Information (DYI) feature until it could be fixed. Despite the large number of people affected, Facebook said individual pieces of private data like an e-mail address or telephone number were only exposed to one or two other Facebook users.
However, Facebook has not said whether it will cease using non-public data from users’ contacts to fill out dossiers on other Facebook users, a practice that has been roundly criticized in recent days.
At the heart of the problem is a feature that allows Facebook users to upload their personal contacts to Facebook. The social networking giant promotes this as a way to easily find- and friend any contacts who are already on the network, and to extend invitations to those who aren’t to join. Given the network’s massive user base of more than one billion souls, Facebook obviously encounters the same contacts being uploaded by different users over and over.
Rather than maintain separate instances of each (i.e. Lisa’s version of Paul’s contact information, Joe’s version of Paul’s contact information, etc.), Facebook collates the information behind the scenes: building a complete dossier for individuals linked by e-mail address(es), names, telephone numbers, and so on. The bug allowed that complete dossier information to spill into copies of an individual’s “extended dataset” – a download-able copy of all your Facebook account data. Thus, a user who uploaded a contact list containing Paul’s work e-mail and telephone would, after using the DYI feature, see that data enriched by Paul’s personal mobile phone number, personal e-mail address, home phone number and so on. Beyond that, they would obtain enriched contact data on individuals who were not even Facebook users, Packet Storm said.
In testing, the security firm Packet Storm found that “uploading one public email address for an individual could reap a dozen additional pieces of contact information. It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.”
The flaw posed obvious security and privacy problems, and Facebook moved quickly to fix it and to reward the researcher who discovered and disclosed it. The larger question, however, is about the company’s back-end data harvesting on both users and non-users.
Asked by Packet Storm whether Facebook would consider discarding data for non-Facebook users – either immediately, or after a period of time. The company responded that it considers contact data to be another form of user data that Facebook is free to analyze or repurpose, in keeping with its end-user agreement and privacy polities. The company said it was “upset and embarrassed” by the incident and would “work hard to make sure nothing like this happens again,” but refused to delve into the “dossiers” issue in any detail.
Asked by The Security Ledger to elaborate on the issues raised by Packet Storm and others, Facebook said it had no comment beyond the blog post issued Friday.
The revelation that Facebook is compiling detailed online dossiers of both members and non members is likely to fuel more questions about online privacy and the role that giant social networks play in domestic and international surveillance. Facebook was one of a handful Internet companies that were named as participants in the US National Security Agency’s (NSAs) PRISM monitoring program. Reports about that program, which stem from a leak of classified documents by former Booz Allen Hamilton employee Edward Snowden, were hotly contested by Facebook CEO Mark Zuckerberg, who maintained that the company had never received, much less responded to, blanket requests for user data.
