Facebook 'dossier' find raises contact list privacy questions
Given the lack of privacy, people need to separate their personal contact lists from their business address book, one analyst noted
By Antone Gonsalves
June 25, 2013 — CSO — A Facebook bug that accidentally shared information on people's contact lists with others on the social network highlights the precariousness of privacy in the digital world.
About 6 million Facebook users had their email addresses or telephone numbers shared with others without permission. The information was made available through Facebook's Download Your Information tool, which provides an archive of a person's Facebook account.
The bug, reported by the security site Packet Storm, started when people uploaded their contact list from another application into Facebook. A person using the DYI tool would get back the list in a file called "addressbook.html," along with other account information.
Rather than containing only the information from the retriever's own uploaded contact list, the address book file also included details about the same people that had been uploaded in other users' lists. Packet Storm notified Facebook of the problem last week.
Once notified, Facebook said it immediately disabled the DYI tool, fixed the problem and had the application back up the next day. The site also paid Packet Storm a $500 bug bounty.
The reason contact information became commingled stemmed from Facebook aggregating the information in its database. The site then looks for common contacts among users, so it can suggest people they may want to become friends with.
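The failure mode described above, aggregated data built for one purpose (friend suggestions) being read back by an export tool that never filtered on who uploaded what, can be modeled in a few lines. The following Python is an added, constructed example, not Facebook's code or the Packet Storm report; the user names, contact entries and function names are hypothetical. It shows an export that reads from the merged aggregate beside one scoped to the requester's own upload, plus a check that lists any exported fields the requester never supplied.

```python
"""Constructed model of a contact-export flaw: cross-user aggregation
leaking into a per-user data export. Hypothetical names and data."""
from collections import defaultdict

# Constructed sample uploads: each user uploaded their own contact list.
# Alice's list knows Carol's email; Bob's list knows Carol's phone number.
UPLOADS = {
    "alice": [{"name": "Carol", "email": "carol@example.com"}],
    "bob": [{"name": "Carol", "phone": "+1-555-0100"}],
}


def build_aggregate(uploads):
    """Merge every uploaded entry about the same person into one record.

    This is the kind of cross-user aggregation a site would build to find
    common contacts for friend suggestions. The merged record has no memory
    of which uploader contributed which field.
    """
    aggregate = defaultdict(dict)
    for contacts in uploads.values():
        for entry in contacts:
            aggregate[entry["name"]].update(entry)
    return dict(aggregate)


def export_vulnerable(uploads, requester):
    """Flawed export: resolves each of the requester's contacts against the
    aggregate, so the file carries fields other users uploaded."""
    aggregate = build_aggregate(uploads)
    return [dict(aggregate[entry["name"]]) for entry in uploads[requester]]


def export_fixed(uploads, requester):
    """Scoped export: return only the entries the requester uploaded,
    selecting by provenance (uploader) rather than by merged identity."""
    return [dict(entry) for entry in uploads[requester]]


def leaked_fields(uploads, requester):
    """Detection check: (name, field) pairs present in the vulnerable export
    that the requester never uploaded. Empty means no leak."""
    own = {(e["name"], k) for e in uploads[requester] for k in e}
    exported = {(e["name"], k)
                for e in export_vulnerable(uploads, requester) for k in e}
    return sorted(exported - own)


if __name__ == "__main__":
    print("vulnerable:", export_vulnerable(UPLOADS, "alice"))
    print("fixed:     ", export_fixed(UPLOADS, "alice"))
    print("leaked:    ", leaked_fields(UPLOADS, "alice"))
```

The design point is provenance: once entries from many uploaders are merged into one identity record, any consumer that reads that record for a single user will leak the other uploaders' contributions unless the read path keeps the uploader as a filter key. The `leaked_fields` check is the kind of regression test that would have caught the export reading from the wrong store.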
Facebook apologized, and assured users that there was no evidence the bug had been exploited maliciously. The site also said it had not received any complaints by users. Packet Storm said the bug had been live since last year.
The mistaken data sharing demonstrates the risk of providing personal information to others. Facebook treats contact lists as the property of the people who upload them to the site. Whether the people on a list would want their information shared is left to the list's owner to decide.
"Whenever you hand information to another person you lose control of that information," said Andrew Walls, an analyst with Gartner. "You can fiddle with contracts and blood oaths, but once it is out of your hands you have no control over security or privacy."
Facebook honors the sharing limits set by the person who uploaded a contact list, even if the people on that list have set stricter controls on the sharing of their own personal data on the site. People should therefore provide, from the start, only contact information they accept as public.
"My feeling is that once I pass my contact information to a third party, i.e. a friend, I no longer control that data because the friend, or business contact, or charity, now has access and I can't be sure it won't be passed on," Charles Kolodgy, an analyst with IDC, said. "There is no assumption of privacy."
Given the lack of privacy, people need to separate their personal contact lists from their business address book. "I do not think that my employer's email contact book is mine to share," said Anton Chuvakin, a Gartner research director of risk management.
To avoid problems, many companies have policies for handling business contact lists, Chuvakin said.
In 2011, the Federal Trade Commission (FTC) announced a broad settlement with Facebook over its handling of user data. The agreement involved Facebook agreeing to honor people's privacy wishes, and to subject itself to regular audits for the next 20 years.
"Facebook is under a consent order with the FTC that requires the company to develop a comprehensive privacy program," said David Jacobs, a consumer protection fellow for the Electronic Privacy Information Center. "It will be interesting to see if this bug causes the FTC to take a closer look at the effectiveness of that program."
In the meantime, people have to assume that once contact information is handed out, it will be shared.
"The value of contact information is based on sharing that data with others," Walls said. "This means the data will be held by multiple people using a wide variety of tools and platforms. Something will break somewhere."