Facebook fixed a "shadow profile" leak, but doesn't quite say what leaked
June 23, 2013 2:33 PM

Going back to at least 2011, it was believed that Facebook kept "shadow profiles" of users and non-users, accumulating information when users synchronize mobile phones, import personal data from e-mail providers, import personal information from instant messaging services, send invitations to friends or make search queries for other people on Facebook. In early 2012, four members of the U.S. House of Representatives Energy and Commerce Committee's Subcommittee on Oversight and Investigations demanded answers from Facebook (PDF) and were told that non-users didn't have "shadow profiles", but the contents of the reply were not made public. Just this past Friday, Facebook released an "Important Message" on a data leak they closed, in which information from members' "shadow profiles" could be obtained.

Hacker News users dug in to find out what was meant but not written.

From Packet Storm Security: "To sum things up, an information leak in Facebook has highlighted the dangers of hoarding user data. Facebook reacted to the incident in a responsible manner in order to fix the leak. What is not fixed, is their policy."
posted by filthy light thief (25 comments total) 16 users marked this as a favorite
 
Kind of related...I just signed up with linkedin. I've never signed up with them before, never given them any data, didn't allow them to scrape any account data in twitter or FB or gmail. Yet when they recommended people to me, it was all people I knew. So obviously my address was in all those other contact lists, with that profile waiting there for me. I'm sure all the social networks do it, they'd be fools not to.

That being said, I don't think it's right in the least, and I'd like them to stop, please.
posted by nevercalm at 2:49 PM on June 23, 2013 [16 favorites]


If I understand correctly, the Hacker News user "discostrings" is saying that Facebook doesn't have shadow profiles for people who never joined the service. What they do have is shadowy, normally inaccessible parts of already existing user profiles that contain information the users didn't themselves type in. Like for example, say your friend synchronizes the address list on his phone with Facebook, and that address list includes your private email address, one that you give to friends but didn't put on your Facebook page. Facebook downloads the email address and decides that it's probably you, so it's then added to the Shadow Profile part of your account.

And apparently, if you downloaded your account, you also got all the information from your friends' Shadow Profiles. Not sure why.
posted by Kevin Street at 2:51 PM on June 23, 2013
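The mechanism described in the comment above (a friend's address-book sync attaching an address you never published to your own account, and the account download then spilling friends' shadow data) can be modelled in a few lines. The following is an added example written for this page, not code from the thread, from Hacker News, or from Facebook; the account names, e-mail addresses, the "match by name among the uploader's friends" heuristic and the decision to discard unmatched contacts are all constructed assumptions for illustration. It shows the export defect beside an export scoped to what the requesting user is actually entitled to see.

```python
"""Toy model of contact-sync "shadow" data and of scoping an account export.

Added example, not code from the thread or from any real service. All
names, addresses and the matching heuristic are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    # Contact details the user typed into their own profile.
    own_emails: set[str] = field(default_factory=set)
    # Contact details attached by the service after matching other people's
    # uploaded address books: the "shadow" part of the profile.
    shadow_emails: set[str] = field(default_factory=set)
    friends: set[str] = field(default_factory=set)


class Directory:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def add(self, name: str, emails, friends=()) -> None:
        self.accounts[name] = Account(name, set(emails), set(), set(friends))

    def _known(self, email: str) -> bool:
        return any(email in a.own_emails | a.shadow_emails
                   for a in self.accounts.values())

    def sync_address_book(self, uploader: str, entries) -> int:
        """Match uploaded (name, email) pairs against existing accounts.

        Heuristic (an assumption of this model): a contact whose name equals
        one of the uploader's friends is "probably them", so the e-mail is
        attached to that friend's shadow data. Entries matching nobody are
        discarded rather than stored (a minimisation choice of this model).
        Returns the number of entries dropped.
        """
        dropped = 0
        for contact_name, email in entries:
            if self._known(email):
                continue  # already on file, nothing new to attach
            target = self.accounts.get(contact_name)
            if target is not None and contact_name in self.accounts[uploader].friends:
                target.shadow_emails.add(email)
            else:
                dropped += 1
        return dropped

    def export_leaky(self, name: str) -> dict:
        """The defect the thread describes: one user's archive also carries
        the shadow e-mails attached to their friends' accounts."""
        acct = self.accounts[name]
        return {
            "self": sorted(acct.own_emails | acct.shadow_emails),
            "friends": {f: sorted(self.accounts[f].own_emails | self.accounts[f].shadow_emails)
                        for f in acct.friends},
        }

    def export_scoped(self, name: str) -> dict:
        """Export only what the requester may see: their own profile data,
        the shadow entries held about *them*, and for friends only what
        those friends themselves published."""
        acct = self.accounts[name]
        return {
            "self": sorted(acct.own_emails),
            "held_about_me": sorted(acct.shadow_emails),
            "friends": {f: sorted(self.accounts[f].own_emails) for f in acct.friends},
        }


def demo() -> tuple[Directory, int]:
    """Constructed scenario: Bob syncs a phone that holds Alice's private
    address (never published on her profile) plus a non-user, Carol."""
    d = Directory()
    d.add("alice", {"alice@example.org"}, friends={"bob"})
    d.add("bob", {"bob@example.org"}, friends={"alice"})
    dropped = d.sync_address_book("bob", [
        ("alice", "alice.private@example.net"),
        ("carol", "carol@example.net"),
    ])
    return d, dropped


if __name__ == "__main__":
    d, dropped = demo()
    print("dropped non-matching contacts:", dropped)
    print("leaky export for bob: ", d.export_leaky("bob"))
    print("scoped export for bob:", d.export_scoped("bob"))
    print("what alice can see is held about her:", d.export_scoped("alice")["held_about_me"])
```

Running it shows Alice's private address turning up in Bob's leaky archive under `friends`, while the scoped export gives Bob only the address Alice published and gives Alice herself the list of shadow entries attached to her account, which is the transparency several later comments in the thread ask for.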


Eh, just do a FOIA request to the NSA asking what they got from Facebook related to you. Obama is good about these sorts of things. He'll get back to you in a month or less (or it's free!).
posted by cjorgensen at 3:06 PM on June 23, 2013 [3 favorites]


We need a FOIA-like method for requesting a copy of all personal data stored by corporations. If we could see all of this data laid out plainly it might be enough to motivate real change.
posted by feloniousmonk at 3:10 PM on June 23, 2013 [12 favorites]


We need a FOIA-like method for requesting a copy of all personal data stored by corporations. If we could see all of this data laid out plainly it might be enough to motivate real change.

A law like this actually exists in the EU, but facebook has not been complying fully.
posted by BungaDunga at 3:13 PM on June 23, 2013 [4 favorites]


nevercalm, the "non-users don't have 'shadow profiles'" link mentions Klout and other "people finding" sites, but that's probably because that's the friggin' point of those sites, which doesn't make them great services.


We need a FOIA-like method for requesting a copy of all personal data stored by corporations.

In 2011, Facebook said that releasing your personal data reveals our trade secrets. I'm not sure if they've been legally smacked down on that yet, but the Austrian group Europe versus Facebook had a good retort, that the law protects logic, not (personal, gleaned) data.
posted by filthy light thief at 3:15 PM on June 23, 2013


"In 2011, Facebook said that releasing your personal data reveals our trade secrets."

Isn't that the same reasoning that governments often use to classify innocuous information? "If you knew what we had on you, you'd know what we're capable of finding, and that's secret."
posted by Kevin Street at 3:32 PM on June 23, 2013 [4 favorites]


So, I'm pretty sure that almost every website keeps some sort of backend metadata on its users...

Unfortunately for Facebook, "shadow profile" makes for a catchy-sounding headline.
posted by schmod at 3:57 PM on June 23, 2013


> So, I'm pretty sure that almost every website keeps some sort of backend metadata on its users...

Almost by definition - but this is about backend metadata on non-users.

"Shadow profile" is what a programmer would call this - and I can tell you this for sure. My commercial application attaches preferences to audio files that you have on your system, and I do this by creating what I called a "shadow files system" that shadows the real files and that stores the metainformation.
posted by lupus_yonderboy at 4:08 PM on June 23, 2013 [1 favorite]


just do a FOIA request to the NSA

Just after which you will be charged with espionage. Why do you want to know? Are you a terrorist?? (half joking here)
posted by usagizero at 4:49 PM on June 23, 2013 [1 favorite]


An obsession with keeping secrets just leads to more and more secrets, ad infinitum. Apart from consideration of what Facebook and other corporations have actually done so far, the secrets-crazed, classification-happy example of the US government (and other governments) should be reason enough to legally curb companies from going down the same road.
posted by Kevin Street at 4:55 PM on June 23, 2013


I'm trying to picture a circumstance with the House ECC summoning Jessamyn, Cortex, and Mathowie, and the best I can come up with is...

"Who is Mutant, why is he paged frequently on matters of finance? And please disclose anything he is deathly allergic to, if you have been made aware of such."
posted by Bathtub Bobsled at 6:22 PM on June 23, 2013


I keep imagining a system where we rent our information to companies. Want to keep my name on file? Sure, that'll be $5/year. Want to keep my address on file? Another $15/year. I'll even throw in three email addresses at no charge (but if you want addresses verified and guaranteed as real, that'll be an additional one-time $250 charge). Want to sell my information to someone else? Sure, just a company-friendly one-time $500 information transfer charge. Oops, sorry, three other companies want my information too, so the charge just went up!
posted by jiawen at 6:45 PM on June 23, 2013 [13 favorites]


I don't get it - something which doesn't exist got leaked - what's the problem? Isn't this the same as something which does exist not leaking?
posted by Teakettle at 7:51 PM on June 23, 2013


> something which doesn't exist got leaked - what's the problem?

The fascinating article has all the details.

* Facebook tracks people who don't have Facebook accounts - including their personal information and perhaps things that they don't want to have known (like embarrassing Facebook pages they might have visited) - but then
* Facebook leaked this information.

Imagine that a private detective takes photos of you in your house, perhaps sitting in your underwear on the toilet, and then leaves these photos somewhere where people pick them up. Got it now?
posted by lupus_yonderboy at 8:10 PM on June 23, 2013 [4 favorites]


I keep imagining a system where we rent our information to companies.

I kind of feel this way with store cards. I won't give my store card unless I know I'm getting something in return i.e. a discount. I'm surprised at the number of places that balk when you either decline to give them your card or decline to sign up for it. I realize they track you via other means (your credit card, being a handy unique identifier.) But yeah, it's the same kind of thing - it's my data, why do you get to profit from it?

Sadly, I doubt that will change (at least not here in the US). What will the poor corporate personhoods do if they had to pay for something they got for free? Something without which they wouldn't exist? Beyond that, it's provided such a convenient loophole around the 4th amendment, no one in government is going to give that up.

Sometimes, now kind of disgusts me.
posted by [insert clever name here] at 12:23 AM on June 24, 2013 [1 favorite]


jiawen: "I keep imagining a system where we rent our information to companies. Want to keep my name on file? Sure, that'll be $5/year. Want to keep my address on file? Another $15/year. I'll even throw in three email addresses at no charge (but if you want addresses verified and guaranteed as real, that'll be an additional one-time $250 charge). Want to sell my information to someone else? Sure, just a company-friendly one-time $500 information transfer charge. Oops, sorry, three other companies want my information too, so the charge just went up!"

Forget THAT! I'll just auction off my data on idBay.
posted by Samizdata at 1:30 AM on June 24, 2013 [1 favorite]


I won't give my store card unless I know I'm getting something in return i.e. a discount.

Back in 2002, some consumer advocacy group(s) found that grocery store loyalty cards didn't always offer a discount, instead adjusting prices so that "loyal" customers were paying the same price offered at competing stores. And recently* Albertsons eliminated most uses for its loyalty card, offering all shoppers the same price.

* I swear that the local New Mexico store stopped using loyalty cards a while back, but it might have been a local test market.
posted by filthy light thief at 7:04 AM on June 24, 2013


...rent our information...

How do you 'rent' bits?
posted by lodurr at 7:23 AM on June 24, 2013 [2 favorites]


Who gives the store cards their real information?

Mine has a completely fictitious identity complete. If they actually want to sell things to Esmeralda Goldthwaite, quantity surveyor, she is always at home on Thursdays at 1066 Guillaume Court.

The shadow profile thing is far more insidious than the store cards - if I don't choose to have a Facebook profile then constructing one and selling it to advertisers is far less respectful of my autonomy than a card for which I chose to register.

How will the shadow profile thing fare against the EU's (currently) far more individual-friendly privacy rules?
posted by winna at 8:56 AM on June 24, 2013


Who gives the store cards their real information?

Giant Eagle requires you to provide your driver's license to get a card.
posted by dirigibleman at 8:59 AM on June 24, 2013


Mine has a completely fictitious identity...

For a number of years I used a store discount card that was originally acquired by a 40-something Indian woman, who then proceeded to give away her keytags, one of which found its way to me. I don't know why she did it. I started using it because at that time that particular chain wouldn't let you have one without a canceled check & other rigmarole that I didn't feel like going through; I mostly kept using that one out of a sense of perversity.
posted by lodurr at 9:09 AM on June 24, 2013


lodurr: "How do you 'rent' bits?"

Well, just so. I have no idea how this could work; companies would be required to delete information off their servers? That'd work about as well as what we have now, which is to say, very poorly. It's interesting to think about, though.
posted by jiawen at 11:06 AM on June 24, 2013


I'm trying to picture a circumstance with the House ECC summoning Jessamyn, Cortex, and Mathowie, and the best I can come up with is...
"Who is Mutant, why is he paged frequently on matters of finance? And please disclose anything he is deathly allergic to, if you have been made aware of such."
Please forward us everything you hold on the individual known as scarabic, including last known loca... HOLY SHIT IT'S THE FUCKING WOZ.
posted by fullerine at 3:01 PM on June 24, 2013

