A recently found bug at Facebook caused extra data to be included in the archive created by the “Download Your Information” tool. The tool generates a file containing lists of your friends, photos, messages, wall posts, and so on; thanks to the bug, the “friends” section included more data than it was supposed to. What’s really interesting is where Facebook is getting the data in question:
[Users of the archive tool] may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
So the data that was included wasn’t from those users’ profiles. As Jamie Zawinski explains, the data comes from Facebook’s “Find Friends” tool:
They dodge by saying, “Describing what caused the bug can get pretty technical”, but it’s pretty simple.
- Alice (that’s you) does not share their private email address or phone number with Facebook.
- Alice has two friends, Bob and Carol.
- Bob knows Alice’s secret phone number. Carol does not.
- Bob uses the “Find Friends” tool and uploads his phone’s address book to Facebook.
- Facebook now adds Alice’s private information to their dossier, since Bob disclosed it.
- Carol uses the “Download Your Information” tool. Carol now has Alice’s secret phone number.
This is a bit different from last year’s Path debacle. In that case, the Path app was uploading users’ address books to Path’s server without permission. Now, users are voluntarily sending their address-book data to Facebook. The problem is that Facebook not only keeps that data after the tool is done with it, but also associates it with the users on its system. It’s bad enough trying to make sure that the data you give Facebook is secure. Now it seems that Facebook is also keeping “shadow profiles” that you can’t even see, let alone control.
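
The Alice, Bob and Carol sequence above can be modelled in a few lines. This is an added example, not Facebook's code: the `ContactStore` class, its method names, the phone number and the export policy are all assumptions made for illustration. It shows an export that ignores who supplied a value next to one that checks provenance.

```python
from collections import defaultdict

class ContactStore:
    """Toy model (constructed): contact values keyed by the person they describe."""

    def __init__(self):
        self.friends = defaultdict(set)        # user -> friends
        self.contact_info = defaultdict(list)  # subject -> [(value, source_user)]

    def add_friendship(self, a, b):
        self.friends[a].add(b)
        self.friends[b].add(a)

    def upload_address_book(self, uploader, book):
        # Simplification: entries are already matched to account names.
        for subject, value in book.items():
            self.contact_info[subject].append((value, uploader))

    def export_leaky(self, requester):
        # Ignores provenance: returns everything attached to each friend.
        return {f: sorted({v for v, _ in self.contact_info[f]})
                for f in sorted(self.friends[requester])}

    def export_scoped(self, requester):
        # Assumed policy: only values the friend supplied themselves
        # or that the requester uploaded.
        return {f: sorted({v for v, src in self.contact_info[f]
                           if src in (f, requester)})
                for f in sorted(self.friends[requester])}

def build_scenario():
    store = ContactStore()
    store.add_friendship("alice", "bob")
    store.add_friendship("alice", "carol")
    # Alice never gives the service her number; Bob's address book contains it.
    store.upload_address_book("bob", {"alice": "+1-555-0100"})
    return store

if __name__ == "__main__":
    s = build_scenario()
    print("leaky :", s.export_leaky("carol"))
    print("scoped:", s.export_scoped("carol"))
    print("bob   :", s.export_scoped("bob"))
```

The scoped export stops Carol from receiving the number, but the store still holds it under Alice's name, which is the shadow profile the post describes.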