A single, highly understanding individual may commend Facebook for bravely owning up to the recent mistake of unwittingly sharing users’ phone numbers and email addresses without permission. But the Web has bred a wild mob of infuriated Facebook users demanding to know which of their contacts have been given access to their personal information over the course of the last year.
That’s right – according to Reuters, what Facebook was apologizing for last Friday was a security bug that has been active since 2012, when it first experienced a “technical glitch” stemming from its user information repository sourced from 1.1 billion Facebook users all over the world. The bug unintentionally merged hidden user details with their public profiles and offered it up to anyone who would like to download an archive of their account via the Download Your Information (DYI) tool. And now the privacy scare has brought back discussion over Facebook’s use of Shadow Profiles.
Facebook and its creation of Shadow Profiles isn’t completely a new notion, and this time they have a legitimate excuse: The apology post stated that whatever additional information they collate, they use “to make friend recommendations and reduce the number of invitations [Facebook sends].”
A year is already a long period on its own, even longer considering how fast-paced the Internet is – a bug left unaddressed for that long is indeed damaging to Facebook’s steadfastly growing population of 1.11 billion monthly active users as of March 2013, especially to those who are extra careful when it comes to sharing personal details online. And that’s not the only thing that’s delayed – apparently Facebook has known about the bug for a week and got rid of it within a day, but has delayed the release of the announcement because of company procedures mandating the social media site to notify regulators and the 6 million affected users prior to publicity.
Of course the Web is teeming with disappointed and disgruntled Facebook users and have taken to sites like Hacker News as well as Facebook’s own Security page to voice their complaints, the latter sporting over a thousand comments and more than a thousand shares as of this writing, most of them lambasting the social network. One Facebook user’s comment even claims a more serious matter:
I’m very concerned about the information Facebook has said was [accessible] to the public. Facebook said it was my phone number and email address, but what they showed me was credit card numbers! That is much more serious and I have no way to [contact] Facebook to see if the whole CC #’s were shown or only the last 4 #’s of each card. Can anyone at Facebook let me know? It is very important for me.
In relation to this issue, ZDNet has received a response from Facebook Policy Communications, one that suggests “collection, storage and shadow profiling of contact data is the sole fault of users who failed to read (or remember) the Facebook policies they agreed to when they were getting started on Facebook,” and that this page vaguely describing the company’s data collection procedures for users’ contacts is enough of a heads up. What the page doesn’t explicitly mention is that the same data gathering could be employed on users themselves, not just their friends. According to a Facebook spokesperson, data about a user is retrieved through that user’s friends who voluntarily provide information. The representative also said that it would take “precise and coincidental timing” for a person to maliciously obtain a target user’s data (both public and hidden) through the DYI tool.
Based on the continued angst expressed on the comment section of Facebook’s post, no information has been released regarding who exactly had access to the shadow data of users with compromised accounts.