I’d like to talk about something other than data gathering issues, but we keep hearing about new problems. Here we go with the latest.
The Apparent Facts
Facebook creates “shadow profiles” about its users. A shadow profile contains information that the user voluntarily gave Facebook plus information Facebook gathered from other people on Facebook. (In some cases shadow profiles also contain personal information about individuals who are not Facebook users at all.) For example, you have a non-public email address. One of your friends has that address in their contacts and uploads their contact list. Facebook matches the address to your account, so it now holds contact information for you that you never gave it. That’s the starting point for the recently revealed problem, which Facebook described this way:
We recently received a report to our White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.
Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
Recommended summaries of the facts, along with useful insight, here:
Absolute data security is not a realistic expectation. This is a reality I address in my practice on a regular basis. For example, yesterday I had to deal with this in a services agreement:
… establish industry standard electronic safeguards to prevent the compromise or unauthorized disclosure of Confidential Information.
That’s a promise nobody can make. The Department of Defense can’t entirely prevent security breaches. A reasonable expectation is an agreement to implement a standard of care – such as:
… will adopt industry standard security measures….
The nature of the data in this case requires the highest standard of care. I have to assume that Facebook understands this, given the importance of user privacy concerns. Whether the bug in this case would have been found earlier if Facebook had better security practices is something I won’t speculate about. I should note, however, that the bug was brought to Facebook’s attention by a participant in its White Hat program, that is, by someone outside of Facebook.
While the bug in this case was the direct cause of the data breach, the scale of the harm is the result of Facebook’s data practices. The links Facebook draws between pieces of personal information in its shadow profiles create a situation in which access to one data point (an email address you gave one friend) leads to access to other data points (a phone number someone else uploaded about you). That’s a data practice destined to end badly, as it did in this case.
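The mechanism Facebook describes above, and the one-data-point-leads-to-another effect, as a runnable model. This is an added illustration written for this post, not Facebook’s code and not a description of its actual systems: the users, addresses, phone numbers, and function names are constructed for the example. The same matcher that produces friend recommendations also builds the shadow profile; the `enrich` flag is the only difference between an export that carries Carol’s contribution about Bob into Alice’s archive and one that does not.

```python
"""Toy model of contact-list matching and the Download Your Information leak.

Added example, not Facebook's code: the data, names and structures below are
assumptions chosen to illustrate the mechanism the post describes.
"""
from collections import defaultdict

# Constructed: contact details each user declared about themselves.
PROFILES = {
    "alice": {"emails": {"alice@example.com"}, "phones": set()},
    "bob":   {"emails": {"bob@example.com"},   "phones": set()},
    "carol": {"emails": {"carol@example.com"}, "phones": set()},
}

# Constructed: uploaded address books. Carol's entry for Bob carries a phone
# number Bob never gave the service; Dave is not a user at all.
UPLOADS = {
    "alice": [
        {"name": "Bob",  "emails": {"bob@example.com"},  "phones": set()},
        {"name": "Dave", "emails": {"dave@example.com"}, "phones": set()},
    ],
    "carol": [
        {"name": "Bob", "emails": {"bob@example.com"}, "phones": {"+1-555-0100"}},
    ],
}


def build_index(profiles):
    """Map every self-declared email/phone to its owner: the matcher's input."""
    index = {}
    for user, p in profiles.items():
        for e in p["emails"]:
            index[("email", e)] = user
        for ph in p["phones"]:
            index[("phone", ph)] = user
    return index


def match(contact, index):
    """Return the user an address-book entry refers to, or None if not a user."""
    keys = [("email", e) for e in contact["emails"]]
    keys += [("phone", ph) for ph in contact["phones"]]
    for key in keys:
        if key in index:
            return index[key]
    return None


def recommend(contacts, index):
    """The feature matching exists for: 'friend' if on the service, else 'invite'."""
    out = []
    for c in contacts:
        user = match(c, index)
        out.append(("friend", user) if user else ("invite", c["name"]))
    return out


def build_shadow(uploads, index):
    """Shadow profile: everything anyone uploaded about a matched user,
    including details that user never gave the service themselves."""
    shadow = defaultdict(lambda: {"emails": set(), "phones": set()})
    for contacts in uploads.values():
        for c in contacts:
            user = match(c, index)
            if user is not None:
                shadow[user]["emails"] |= c["emails"]
                shadow[user]["phones"] |= c["phones"]
    return shadow


def store_contacts(contacts, index, shadow, enrich):
    """Persist an uploaded address book as part of the uploader's account.

    enrich=True reproduces the failure mode: a matched entry is written back
    with shadow-profile data contributed by *other* users, so whatever is
    later exported for this account carries that data too. enrich=False keeps
    the shadow data inside the matcher and stores only what was uploaded."""
    stored = []
    for c in contacts:
        rec = {"name": c["name"], "emails": set(c["emails"]), "phones": set(c["phones"])}
        user = match(c, index)
        if enrich and user is not None:
            rec["emails"] |= shadow[user]["emails"]
            rec["phones"] |= shadow[user]["phones"]
        stored.append(rec)
    return stored


def download_your_information(account, stored_by_user):
    """The DYI export: hands the account holder whatever was stored for them."""
    return stored_by_user[account]


def export_for(account, enrich):
    """Run the whole pipeline and return one account's DYI archive."""
    index = build_index(PROFILES)
    shadow = build_shadow(UPLOADS, index)
    stored = {u: store_contacts(c, index, shadow, enrich) for u, c in UPLOADS.items()}
    return download_your_information(account, stored)


if __name__ == "__main__":
    for enrich in (True, False):
        bob = next(r for r in export_for("alice", enrich) if r["name"] == "Bob")
        print("enrich=%s -> Alice's archive lists Bob's phones as %s" % (enrich, sorted(bob["phones"])))
```

The fix in the model is a data-flow boundary rather than a patch to the export tool: shadow-profile data feeds the matcher and nothing else, so the archive can only ever contain what the account holder uploaded. With `enrich=True`, Alice’s archive shows a phone number for Bob that only Carol ever supplied, which is exactly the “additional email addresses or telephone numbers” Facebook’s statement describes.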
In addition, Facebook has a data ownership philosophy that can’t help but add to personal information security problems. In the above-cited article, Packet Storm describes this Facebook position on data ownership:
… they think of contacts imported by a user as the user’s data and they are allowed to do with it what they want. To clarify, it’s not your data, it’s your friends’.
That means my personal information that sits in your contacts is your information. (Packet Storm uses the term “Personally Identifiable Information,” which is forbidden here at Big Data and the Law.) I don’t see how you can adopt appropriate security practices for personal information when you don’t accurately define the owner of that information.
I wouldn’t presume to do a better job describing the possible consequences of this data breach than Packet Storm does in the above-cited article. I’m also sure you can imagine any number of problems that can arise from unauthorized sharing of personal contact information, so you don’t need me to do that for you.
However, there is another angle here that we will discuss in a future post this week.
This Facebook incident is a good example of data security and data practices issues coming together to create one big problem. We need to think about that combination, but we also need to look at each issue separately. In this case, Facebook builds dossiers of personal information aggregated from all of the information in its possession. Facebook says it does so in an effort to make better friend recommendations. Is that all Facebook uses that aggregated information for? I doubt it.