Friday night six million Facebook users, including myself, received an email from Facebook apologizing that a bug “allowed someone you already know outside of Facebook to see your email address or telephone number.” The email listed the address and telephone numbers that were erroneously “shared,” which took me aback because they were not phone numbers or email addresses that I recall ever submitting to Facebook (e.g., my work number and work email).
Now, according to ZDNet, it seems that this privacy leak bug was in fact the result of Facebook merging users’ “shadow profiles” with their actual accounts:
According to the admissions in its blog, posted late Friday afternoon, Facebook appears to be obtaining users’ offsite email address and phone numbers and attempting to match them to other accounts. It appears that the invisible collected information is then being stored in each user’s ‘shadow profile’ that is somehow attached to accounts.
Facebook was accidentally combining user’s shadow profiles with their Facebook profiles and spitting the merged information out in one big clump to people they ‘had some connection to’ who downloaded an archive of their account with Facebook’s Download Your Information (DYI) tool.
I wrote about Facebook’s alleged shadow profiles back in October 2011 when Ireland’s Data Protection Commissioner was investigating an alleged practice by Facebook of creating “shadow” accounts for non Facebook account holders whose personal info Facebook sourced from the internet and from other users who were encouraged to submit their friend’s phone numbers, addresses and emails.
At the time, Facebook categorically denied the allegations. Now it seems, as per Facebook’s own admissions, that not only were these allegations true, but that Facebook has been doing this in the United States as well.
This could have major implications for privacy jurisprudence (not to mention the privacy class action complaints that I can practically hear being typed up at this very moment). I will update as I know more.