Find a friend, become a ‘spy’
Washington - When you join a social network, it usually asks if you’d like help finding friends who also use the service. It sounds like a nice offer – much easier than manually searching the site. So you click “yes”, put check marks next to the people you want to follow, and go merrily on your way.
Congratulations: you’ve just donated all of your friends’ and colleagues’ e-mail addresses and phone numbers to that social network’s internal database.
If you’re lucky, its employees will treat your friends’ contact information with more respect than you just did. But they might not.
They might use it to blast everyone from your boss to your mother-in-law with text messages at 6am.
Or they might do something more subtle: cross-check your contacts list against their internal database, adding phone numbers and e-mails that your friends had chosen, for whatever reason, not to associate with their account.
They might even collect the e-mails and phone numbers of people who aren’t members at all. And if you’re really unlucky – or rather, if your friends are really unlucky – they’ll accidentally reveal those secret phone numbers and e-mail addresses to everyone else in your friends’ networks. That’s what Facebook was doing for the past year, until the security research site Packet Storm pointed out the gaffe and the bug was fixed.
Facebook apologised for the mistake, which made some 6 million users’ private contact information available to their friends and others through the site’s Download Your Information feature. The leak was clearly unintentional and quite rare for Facebook.
Everyone knows that the personal data he or she stores on the servers of companies like Google, Facebook, and Amazon is never 100 percent secure. But you’re probably somewhat less inured to the idea that your friends and associates are storing personal information about you there as well. On social networks, that information is part of what’s called your “shadow profile”. It’s data about you that’s stored on servers but not revealed to anyone other than the people who uploaded it – not even you.
Here’s where it gets a little Kafkaesque: even if you knew that your phone number and secondary e-mail addresses were being added to your Facebook shadow profile without your consent, you couldn’t do anything about it. Technically, once you gave your phone number or e-mail address to your friends and they added it to their address book, it became their personal information, not yours – and when they granted Facebook access to that address book, it became Facebook’s information, too. Facebook won’t delete it even if you ask, because it’s not yours to delete.
Believe it or not, though, this isn’t some malicious scheme that Facebook dreamt up to steal your data. From Facebook’s perspective, it’s actually a service. It makes it easier for friends to find one another, and it helps Facebook avoid sending you useless e-mails and notifications.
If Facebook didn’t attach the secondary e-mail to your “shadow profile”, friends who looked you up at that address would think you weren’t already on Facebook, and they might invite you to join.
The existence of shadow profiles was among the alleged privacy violations raised in an investigation of Facebook by the Irish government in 2011. But the Irish authorities cleared Facebook on that count, because they found that the company wasn’t using the hidden data for any nefarious purposes. It was just using it in the way it said it would, that is, to help people find their friends on the site.
Not everyone finds that logic compelling. Packet Storm’s researchers noted that the information could be targeted by hackers or government spies. Sarah Downey, analyst at the online privacy company Abine, took issue with Facebook’s claim that its users know what they’re doing when they grant access to their contacts via the Find Friends feature. “I’d assume I’m using it to find friends, not to help them build up a database on my friends,” she told me.
It’s worth keeping in mind that Facebook is likely more careful with the information it gleans than smaller apps and social networks, which have less robust security measures.
And it’s not Facebook but LinkedIn that may have the most advanced system of all for figuring out who its users might know.
LinkedIn takes pride in this algorithm, the engine behind its People You May Know page.
LinkedIn product lead Brad Mauney told me he couldn’t go into the “secret sauce” behind its software, because it’s “stuff that our competitors would love to get their hands on”.
But he said the site does take care not to use people’s information for any purposes other than those specified when they provide it. “It’s all very on the up-and-up,” Mauney said, adding that upholding users’ trust is vital to LinkedIn’s business. That’s true, though it leaves open the question of whether LinkedIn’s concept of what’s on the up-and-up is the same as yours.
For most people, shadow profiles probably rank somewhere below private messages, embarrassing photos and credit card numbers on the list of sensitive information that internet companies have about them. Still, even Facebook told me it’s not a bad idea for people to think twice before they turn over their address books to any social network or app, Facebook included. – Slate / The Washington Post News Service