Monday, July 8, 2013

'Shadow Profile' Leaked Millions of FB Data

By now, I think many are already aware that Facebook leaked the private information of six million of its users last month. Even if you did not provide your personal information to the social network, chances are your profile still ended up in that leak, thanks in part to your friends.

Personal information may have been inadvertently leaked due to something called a "Facebook Shadow Profile." This is the common term that emerged a while ago, when several users reported to the media and on online forums how a bug exposed personal information without their permission.

According to Packet Storm Security, a security research company, Facebook had been compiling information on many of its users and, in some cases, people who have no Facebook account at all. This is where 'shadow profiles' come in.

Facebook's shadow profiles include information culled from Facebook users' phones when they use the 'Find Friends' feature. When a user first installs Facebook on their smartphone, they get a prompt asking if they would like Facebook to scan the phone using the 'Find Friends' tool, which will look through all the phone numbers and emails in their phone, and match them to the profiles of existing Facebook users. It's a handy way to find people who you know on Facebook, but it's also a way for Facebook to gain access to personally identifying information.

Facebook then takes the information it collects and puts it into a shadow profile. If you opt not to provide the information yourself on the social network, that's okay: your information is just kept in Facebook's data center. This information is used to help other friends make contact matches, and also to help power the 'People You May Know' feature on Facebook, which also uses information on how you know people you’re Friends with on your Facebook page.

The bug at the heart of this controversy has been accidentally combining users' shadow profiles with their real profiles, so when someone used Facebook’s 'Download Your Information' tool, it would include information that some Facebook users had not provided to the social network.
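A simplified model of the merge described above, as an added example that is not Facebook's code: the record layout, the sample data and every function name are assumptions made for illustration. It shows why an export has to be scoped by who supplied each value, not by whom the value is about.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ContactPoint:
    subject: str      # person the value identifies
    value: str        # e-mail address or phone number
    provided_by: str  # account that supplied it (the subject, or an uploader)

# Constructed sample data: bob gave one address himself, carol's address-book
# upload added a phone number for bob, and dave has no account at all.
STORE = [
    ContactPoint("bob", "bob@example.com", "bob"),
    ContactPoint("bob", "+1-555-0100", "carol"),
    ContactPoint("bob", "bob@example.com", "alice"),
    ContactPoint("dave", "dave@example.net", "carol"),
]

def export_merged(requester, store):
    """Flawed export: every value known about each of the requester's contacts,
    whoever supplied it (the shadow record is merged into the result)."""
    subjects = {c.subject for c in store if c.provided_by == requester}
    return sorted({(c.subject, c.value) for c in store if c.subject in subjects})

def export_scoped(requester, store):
    """Scoped export: only the values the requester supplied themselves."""
    return sorted({(c.subject, c.value) for c in store
                   if c.provided_by == requester})

def leaked(requester, store):
    """Values the merged export discloses that the requester never supplied."""
    return sorted(set(export_merged(requester, store))
                  - set(export_scoped(requester, store)))

if __name__ == "__main__":
    for account in ("alice", "carol"):
        print(account, "would receive extra:", leaked(account, STORE))
```

Running `leaked()` for every account over a copy of production-shaped test data is a cheap regression check: any non-empty result means the export crosses a provenance boundary.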

According to Mashable, collecting this information is most likely a legal practice in the United States, as phone number collection of contacts is outlined in the Terms and Conditions a user signs when signing up for the service. In places like Europe, where the privacy laws are stricter, Facebook’s shadow profiles have been found to violate the Data Protection Act of Ireland, where Facebook’s European headquarters are, in seven different cases.

Whose information is kept in shadow profiles remains unclear. Facebook has argued in the past that it does not keep the personal information of non-members; however, users were still reporting that information about non-users was being included two days after the news of the leak was made public.
