When the gods dance...

Wednesday, June 26, 2013

Facebook Flubs Security Again

Written by Kim Davis
6/24/2013

If Facebook has data, somehow, sometime, it will leak out. That's how it feels, anyway, as the social platform now admits inadvertently sharing email and telephone data for some 6 million users, including people who never consented to having their data collected and stored by Facebook at all.

Predictably, Facebook tries to walk a fine line between being seriously concerned by the problem and dismissing it as trivial. In an "important message" posted in Security Notes last Friday, Facebook put its worried face on:
    At Facebook, we take people's privacy seriously, and we strive to protect people's information to the very best of our ability. We implement many safeguards, hire the brightest engineers and train them to ensure we have only high-quality code behind the scenes of your Facebook experiences... Even with a strong team, no company can ensure 100% prevention of bugs, and in rare cases we don't discover a problem until it has already affected a person's account.
Or the accounts of 6 million persons.

Meanwhile, it speculated: "The 'practical impact' [of the leak] had been small because information was most likely to have been shared with people who already knew the affected individuals."

"Most likely," indeed. In other words, whatever choices you made as a Facebook user about sharing personal data -- those glorious "privacy settings" -- Facebook has gone ahead and shared it with other people; but it's probably OK, because it's "most likely" not being exploited for "malicious ends." And it's been fixed.

So what happened this time? This time around, the problem wasn't exposing user data to third-party apps or scraping the details of non-Facebook users from phone directories synced with Facebook. It was a bug in the "Download Your Information" (DYI) tool: anyone using it to download an archive of their account "may have" received email addresses and phone numbers for their contacts that hadn't deliberately been shared with them.
What's worse, the contact details Facebook has been (oops!) handing out include details harvested from offsite sources. If you chose to import contacts from other accounts to your Facebook profile (email, Skype, and so on), Facebook has been storing that information and using it to help identify potential friends.
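
Here is a small model of the failure the article describes, added as an example; it is constructed for illustration and is not Facebook's code. The profiles, friend lists, imported address-book entries and function names are all assumptions. It contrasts an export that enriches a friend's record from a pool of contact data other people uploaded with one that exports only what the data subject chose to share, and diffs the two to show exactly which values leak.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Profile:
    """A member's own profile and the sharing choices they made (assumed model)."""
    user_id: str
    email: str
    phone: str
    share_email: bool   # did the subject choose to show this field to friends?
    share_phone: bool


@dataclass
class ImportedContact:
    """One entry from an address book that `importer` uploaded (assumed model)."""
    importer: str
    name: str
    email: Optional[str] = None
    phone: Optional[str] = None
    matched_user: Optional[str] = None   # user_id the service linked it to, if any


# --- constructed sample data (not real accounts) ---------------------------
PROFILES: Dict[str, Profile] = {
    "alice": Profile("alice", "alice@example.org", "+1-555-0100",
                     share_email=True, share_phone=False),
    "bob":   Profile("bob", "bob@example.org", "+1-555-0101",
                     share_email=False, share_phone=False),
}
FRIENDS: Dict[str, Set[str]] = {"alice": {"bob"}, "bob": {"alice"}}
# carol's uploaded phone book holds bob's mobile number and dave, who is not a
# member; alice's upload holds a work address bob never put on his profile.
IMPORTS: List[ImportedContact] = [
    ImportedContact("carol", "Bob", phone="+1-555-0199", matched_user="bob"),
    ImportedContact("carol", "Dave", email="dave@example.net"),
    ImportedContact("alice", "Bob", email="bob-work@example.org", matched_user="bob"),
]

Record = Dict[str, Set[str]]   # {"emails": {...}, "phones": {...}}


def shadow_contact_store() -> Dict[str, Record]:
    """Aggregate every email/phone anyone uploaded, keyed by the member it was
    matched to.  This is the offsite-sourced data the text describes: kept for
    friend suggestions, never meant to be shown to third parties."""
    store: Dict[str, Record] = {}
    for c in IMPORTS:
        if c.matched_user is None:
            continue   # unmatched entries (non-members) stay with the importer only
        rec = store.setdefault(c.matched_user, {"emails": set(), "phones": set()})
        if c.email:
            rec["emails"].add(c.email)
        if c.phone:
            rec["phones"].add(c.phone)
    return store


def _shared_profile_fields(p: Profile) -> Record:
    """Only what the subject explicitly chose to share with friends (fresh sets)."""
    return {
        "emails": {p.email} if p.share_email else set(),
        "phones": {p.phone} if p.share_phone else set(),
    }


def export_vulnerable(requester: str) -> Dict[str, Record]:
    """Buggy export: each friend's record is enriched from the shadow store, so
    the requester receives details the friend never shared and details that
    other people uploaded about the friend."""
    store = shadow_contact_store()
    out: Dict[str, Record] = {}
    for fid in sorted(FRIENDS[requester]):
        rec = _shared_profile_fields(PROFILES[fid])
        extra = store.get(fid, {"emails": set(), "phones": set()})
        rec["emails"] |= extra["emails"]
        rec["phones"] |= extra["phones"]
        out[fid] = rec
    return out


def export_hardened(requester: str) -> Dict[str, Record]:
    """Fixed export: a friend's record carries only that friend's own profile
    fields, gated by that friend's own settings; the shadow store is never read."""
    return {fid: _shared_profile_fields(PROFILES[fid]) for fid in sorted(FRIENDS[requester])}


def own_imports(requester: str) -> List[ImportedContact]:
    """The only address-book data an export may contain: what this user uploaded."""
    return [c for c in IMPORTS if c.importer == requester]


def leaked_fields(requester: str) -> Dict[str, Record]:
    """Values the buggy export hands out that the fixed one does not."""
    vuln, safe = export_vulnerable(requester), export_hardened(requester)
    leaks: Dict[str, Record] = {}
    for fid, rec in vuln.items():
        diff = {k: rec[k] - safe[fid][k] for k in ("emails", "phones") if rec[k] - safe[fid][k]}
        if diff:
            leaks[fid] = diff
    return leaks


if __name__ == "__main__":
    print("alice's archive leaks:", leaked_fields("alice"))
```

The fix worth noticing is where it sits: the hardened export never consults the pool of uploaded contact data at all, rather than trying to filter it, and address-book entries come back only to the person who uploaded them. That also keeps non-members such as the constructed "Dave" out of everyone else's archive, since an unmatched import is never attached to a member's record.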
Fixing the DYI bug doesn't mean Facebook has stopped storing this offsite information, or that it won't use it for other purposes. But hey, says Facebook, you all agreed to this:
    Facebook doesn't give out the email addresses of the contacts you import, but we may store them and use them to suggest friends for you in the future. If you don't sign up for Facebook, we won't save the contacts you've imported.
Except it just gave out contact details for some 6 million people, including imported contacts who might not even be Facebook members.

My question is whether the FTC will show its teeth by finding Facebook in breach of the terms of its 2011 privacy settlement. More likely, the "accidental" nature of the leak, and that "consent" tucked away in Facebook's Help Center, will mean no repercussions -- even though Facebook may have been leaking contact details of people who never joined Facebook and never agreed to anything.

— Kim Davis, Senior Editor, Internet Evolution
