Forget No Such Agency; the real threat to your personal liberties is Facebook. That at least is the theme emerging from the news that Facebook has -- stop me if you've heard this one -- violated its users' privacy. Shocking, no?
More specifically, Facebook spilled the email addresses and phone numbers of some 6 million members due to a bug in the code that allows it to suggest friends.
[ For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. | Get the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]
The Facebook blog post 'fessing up to the breach (posted as usual at the very end of the day on Friday, moments before the commencement of happy hour) is confusing. That's just how Facebook rolls. But the gist of it is this:
Download your info -- at your own risk
If you uploaded your contacts list to Facebook, there is roughly a 1 in 150 chance that Facebook may have shared some of your friends' contact info with other friends' profiles. But this would only be visible if your contacts had used Facebook's Download Your Information (DYI) Tool to look at all their FB data.
Let's say Bob and Sally are Facebook friends, and Bob decides to upload his contacts to Facebook. One of those contacts contains Sally's work email. Facebook uses that info to generate friend suggestions; that is, if someone is in your address book but not on your Facebook friend list, Facebook wants to rectify that oversight with one of its vaguely creepy suggestions.
Sally's Facebook friend Jamal also uploads his contacts to Facebook. Jamal's contact list contains Sally's work email address, but it also contains her private email and phone number. Facebook sees the common email address and combines all the info into Sally's contact record. When Bob downloads all of his information, Sally's private email and phone number show up alongside the address he uploaded -- so now Bob has information Sally never gave him. That's the security flaw Facebook just fixed.
An anonymous white-hat hacker discovered this bug and alerted cloud security firm Packet Storm, which then contacted Facebook about it. It also accused Facebook of maintaining "shadow dossiers" on its users, which seems a bit much.
Is this a privacy breach? Yes. Facebook shouldn't have shared Sally's private info with Bob. But the bigger breach was Bob and Jamal sharing Sally's info with Facebook. While you could come up with scenarios where such a breach could prove harmful to Sally (for example, Bob will use this info to stalk or harrass Sallly), the breach is mostly benign. The bigger question is what Facebook plans to do with contact data for people who aren't on Facebook. So far, we don't know that they do anything with it.
(Also, I'd like to see a show of hands: How many of you out there in Cringeland have used Facebook's DYI tool? Anyone? Anyone at all?)