As if admitting a data breach exposing personal information for 6 million of its members wasn't bad enough, now Facebook is facing growing ire over its data gathering practices.
Last Friday, the social network announced it had fixed a bug, affecting about six million people, that let some of its members see additional information about their contacts when using Facebook's "Download Your Information" tool. The tool allows a person to download an archive copy of their Facebook account.
"We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing," Facebook said in a blog post.
"Although the practical impact of this bug is likely to be minimal, since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again," Facebook wrote.
However, as it turns out, the bug is the least of Facebook's worries generated by the incident. That's because, while investigating the flaw, a security company discovered that Facebook keeps "shadow dossiers" on its members. Those dossiers contain information about people that they did not volunteer themselves but that was scraped from third-party sources.
Worse yet, such dossiers aren't only kept for Facebook members, but also for people who are only associated with members.
"It was clear that Facebook attacked the disclosure flaw properly, but concerns still remain about the fact that dossiers are being built on everyone possible," the security company Packet Storm wrote in a blog post.
"The fact that I have no control over additional email addresses and phone numbers added to their data store on me is frightening," it added.
Facebook sees no cause for alarm, though. "The distinction to be made here is that you can control the information you provide, but not necessarily information about you," Facebook spokesman Frederick Wolens explained in an email.
"For example," he continued, "it would be a sad world if politicians could simply remove any information they found unflattering from Facebook."
"We do allow you to control the information you provided about your contacts," he said. "However, we do not allow you to delete information provided by your friends."
"Would you ask Gmail if you can delete your email address from other people's contact books?" he asked rhetorically.