If Facebook has data, somehow, sometime, it will leak out. That's how it feels, anyway, as the social platform now admits inadvertently sharing email and telephone data for some 6 million users, including users who did not consent to having their data collected and stored by Facebook at all.
Predictably, Facebook tries to walk a fine line between being seriously concerned by the problem and dismissing it as trivial. In an "important message" posted in Security Notes last Friday, Facebook put its worried face on:
- At Facebook, we take people's privacy seriously, and we strive
to protect people's information to the very best of our ability. We
implement many safeguards, hire the brightest engineers and train them
to ensure we have only high-quality code behind the scenes of your
Facebook experiences... Even with a strong team, no company can ensure
100% prevention of bugs, and in rare cases we don't discover a problem
until it has already affected a person's account.
Meanwhile, it speculated: "The 'practical impact' [of the leak] had been small because information was most likely to have been shared with people who already knew the affected individuals."
"Most likely," indeed. In other words, whatever choices you made as a Facebook user about sharing personal data -- those glorious "privacy settings" -- Facebook has gone ahead and shared it with other people; but it's probably OK, because it's "most likely" not being exploited for "malicious ends." And it's been fixed.
So what happened this time? Well, this time around, the problem wasn't exposing user data to third-party apps or ripping data of non-Facebook users from phone directories synched with Facebook. It was just a little bug in the "Download Your Information" tool, meaning that anyone using it to download an archive of his account "may have" received email addresses and phone numbers that hadn't deliberately been shared with him.
What's worse, the contact details Facebook has been (oops!) handing out include details harvested from offsite sources. If you chose to import contacts from other accounts to your Facebook profile (email, Skype, and so on), Facebook has been storing that information and using it to help identify potential friends.
Fixing the DYI bug certainly doesn't mean that Facebook isn't continuing to store this offsite information or planning to use it for other purposes. But hey, says Facebook, you all agreed to this:
- Facebook doesn't give out the email addresses of the contacts
you import, but we may store them and use them to suggest friends for
you in the future. If you don't sign up for Facebook, we won't save the
contacts you've imported.
My question is whether the FTC will show its teeth by finding Facebook in breach of the terms of its 2011 privacy settlement. More likely, the "accidental" nature of the leak, and that "consent" tucked away in Facebook's Help Center, will mean no repercussions -- even though Facebook may have been leaking contact details of people who never joined Facebook and never agreed to anything.
Senior Editor, Internet Evolution