Social networking giant's data gluttony was exposed when the problem that left 6 million users' contact information exposed was fixed

As if admitting a data breach exposing personal information for 6 million of its members wasn’t bad enough, now Facebook is facing growing ire over its data gathering practices.

Last Friday, the social network announced it fixed a bug that affected about six million people that allowed some of its members to see additional information about their contacts when using Facebook’s “Download Your Information” tool. The tool allows a person to download an archive copy of their Facebook account.

“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said in a blog post.

“Although the practical impact of this bug is likely to be minimal, since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” Facebook wrote.

However, as it turns out, the bug is the least of Facebook’s worries generated by the incident. That’s because during the course of an investigation of the flaw by a security company, it was discovered that Facebook keeps “shadow dossiers” on its members. Those dossiers contain information about people not volunteered by them but scraped from third-party sources.

Worse yet, such dossiers aren’t only kept for Facebook members, but also for people who are only associated with members.
“It was clear that Facebook attacked the disclosure flaw properly, but concerns still remain about the fact that dossiers are being built on everyone possible,” the security company Packet Storm wrote in a blog post.

“The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening,” it added.

Facebook sees no cause for alarm, though. “The distinction to be made here is that you can control the information you provide, but not necessarily information about you,” Facebook spokesman Frederick Wolens explained in an email.

“For example,” he continued, “it would be a sad world if politicians could simply remove any information they found unflattering from Facebook.”

“We do allow you to control the information you provided about your contacts,” he said. “However, we do not allow you to delete information provided by your friends.”

“Would you ask Gmail if you can delete your email address from other people’s contact books?” he asked rhetorically.

Not everyone agrees with Facebook’s analysis of the situation. “The system essentially latches onto Facebook users, invites them to import their contacts, and then appropriates these contacts for a separate, hidden purpose, creating these shadow profiles of both members and non-members,” said Sarah A. Downey, a privacy analyst and attorney with Abine.

“And we know any data stored by private companies must be given to law enforcement, like the NSA, when those agencies request it,” she said in an email. “The end result could be that Facebook turns over extensive contact information to law enforcement on people who haven’t even signed up.”

Downey cautioned anyone signing up for any online services to avoid using features like “find friends” or “upload your contacts” because by using them, they’re adding their contacts to those companies’ databases.
“Your intentions may be good — to connect with your friends or easily find people to follow — but you’re spreading data collection to uninvolved, unaware people,” she said.

Many services like Facebook keep their members in the dark about the data they hold on them. “When users don’t know that particular pieces of data about them are part of Facebook’s dossiers, how can they exert a responsible level of control to ensure their own privacy?” asked Adi Kamdar, an activist with the Electronic Frontier Foundation.

The lesson to be learned from this latest Facebook gaffe is a harsh one, said David Britton, vice president of industry solutions at 41st Parameter.

“The message to consumers is that they need to know that any data they may upload online may at some point be available to individuals that they never intended to have access to it,” Britton said.

“Even more importantly — even if they don’t upload it themselves — someone else may have,” he added.