In a classic Friday-afternoon news dump, Facebook quietly admitted last week that it had publicly disclosed the private data of six million members — by accident.
"We recently received a report," the company said in a statement posted at 4:50 p.m. Eastern time, "regarding a bug that may have allowed some of a person's contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them."
That doesn't sound so bad when you first read it.
But what really happened was that millions of individuals who'd sought to review everything they'd posted on Facebook ended up receiving some things they hadn't posted — specifically, other people's email addresses and telephone numbers, information that may have been private.
"If a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool," the statement said, "they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection."
The mistake confirmed that Facebook is using "shadow data." That is, to build up the fullest possible profile of each member, Facebook is using not only information provided by that member, but also information about that member provided by other members.
It also lends some credence to the long-standing, but unconfirmed, suspicion that Facebook is creating "shadow profiles" of people who are not members — using data provided by people who are.
Put it into a song
Confusing? Perhaps a fictional example will make it clearer.
Let's say Facebook member John Jacob Jingleheimer Schmidt wants to see everything he's ever posted. He goes to his "Account Settings" page on Facebook, clicks the link "Download a copy of your Facebook data" and authorizes the process.
After an hour or so, John gets an email that the process has completed, and then reviews his data.
He notices that alongside the contact info he uploaded for one of his workplace colleagues, Jenny Tutone, there's a phone number that he doesn't recognize: (917) 867-5309.
John calls the number, and Jenny picks up. She explains that (917) 867-5309 is her private, unlisted mobile number, one she gives only to family members, and that she has never given it to Facebook.
So how did Facebook get that number for Jenny? Jenny's brother, Tommy Tutone, admits that he has that number listed under Jenny's name on his iPhone, but that he's never given it to Facebook.
Looks like Tommy didn't read the terms and conditions of the Facebook app for his iPhone. They clearly state that Facebook will upload his iPhone's contact list to Facebook's servers.
Facebook says that it uses such information "to match that data with the contact information of other people on Facebook in order to generate friend recommendations."
Using the contacts list from Tommy's phone, and noting that Tommy and Jenny had listed each other as siblings, Facebook correctly surmised that (917) 867-5309 was a phone number for Jenny — and added it to its pile of data about her.
So when John downloaded the Facebook information about himself, he learned Jenny's secret phone number.
For a good time, call....
What's so bad about that? Well, Jenny didn't want (917) 867-5309 to be known by anyone except her family. She didn't consent to Facebook learning of it, much less disclosing it.
But now the number is in Facebook's databanks. Jenny can ask Facebook to have it removed, but it'll be uploaded again the next time Tommy accesses the Facebook app on his iPhone.
In fact, thanks to its smartphone apps, Facebook has one of the largest repositories of North American mobile phone numbers, which don't normally appear in phone books (driving telephone direct-marketers crazy).
A security glitch in Facebook uncovered last fall allowed anyone to do a "reverse lookup" and trace back random mobile phone numbers to the Facebook members who used them. The glitch was quickly fixed.
It would be simple for Facebook, if it wanted to, to create a regular name-to-number matching service for mobile numbers. There's no indication that Facebook plans to do so, but the valuable mobile-number databank the company is sitting on would be pretty tempting to sell off in hard times.
Profiles in the shadows
There's also no indication that Facebook is creating "shadow profiles" of non-members. But last year, the social-influence-ranking site Klout admitted it had done so using data from Facebook pages, leading to speculation about whether Facebook was doing the same thing.
Here's how shadow profiles would work: Jenny and Tommy Tutone are Facebook members, but their gruff old father, Lou Tutone, is not.
Yet Jenny and Tommy have Lou in their smartphone contact lists. They identify Lou by name, and as their father, in family photos they post to Facebook. They mention Lou in their status updates and Facebook messages.
Because Lou doesn't have a Facebook page of his own, Facebook can't officially confirm that Lou is Jenny and Tommy's father. But it knows he exists, what he looks like and what his phone number and email address are. And it can target ads to Jenny and Tommy's pages based on that information.
There's no point in targeting ads to Lou directly, since he doesn't have a Facebook page. But if Facebook ever decides to sell specific data about its members (right now, it's making so much money from ads that it doesn't need to), it might be tempted to create profiles for non-members as well.
So what can Jenny — or you — do about all this? Not a whole lot, unfortunately.
Doing so would clear Facebook's servers of the contacts-list information uploaded from every mobile device upon which Jenny has installed the Facebook app. (Users of Apple devices will need to also uncheck "Sync" under the "Friends" setting in the app.)
While that procedure will clear Jenny's own uploaded data, it won't erase (917) 867-5309 until Tommy, and every other member of Jenny's family who has that number on a smartphone, does the same thing.
If Jenny has a small family — say three to 10 people — this should work. But if members of Jenny's entire extended family, including dozens of second cousins, have (917) 867-5309 in their contacts lists, there's little chance she's going to convince all of them to adjust their Facebook app settings.
Because current Facebook members would still be uploading Jenny's secret number, it will be out there for good, even if Jenny takes the drastic step of deleting her Facebook account.
Instead, Jenny should just move on. She should get a new secret number, share it with less than half a dozen people and insist that none of them enter it into their smartphones' contact lists.
Jenny might come off as rude, but in an age in which dozens of organizations, from the NSA to Facebook to Google, are trying to collect as much information about her as possible, you might also argue that she's being smart.