The problem they're reporting here seems to be that when one used the tool to download one's account, the addresses and phone numbers from friends' "shadow profiles" were included.
It makes you wonder what other invisible data is attached to a Facebook profile...
While I'm not familiar with the information Facebook shares through Facebook Connect, this seems to be a big shortcoming. You may not be getting the customer's real, current email addresses.
We have to tell people that Facebook is not a reliable way to obtain valid email addresses. The only way to properly do this is to have customers submit their email addresses directly to your own signup form and then validate them with a confirmation link sent to that address (double opt-in).
Here's an interesting post I came across on the subject: http://www.whatcounts.com/2012/06/what-is-the-deliverability...
They keep this information on you even if you are not a Facebook user.
The extended data download did not include shadow profile data from just your friends. It included shadow profile data from anyone that matched any of your contacts. If firstname.lastname@example.org was one of your contacts, you would have retrieved all of his data.
This could have been used as a very targeted malicious data mining tool. It probably was.
I have a DYI export of my account from 3/26/13 and am trying to determine where the data is. Can anyone help?
DYI's have the following directory structure:
The html folder contains many files including "friends.html," where each friend is listed as a div. I believe normal data, i.e. friends who did not upload an address book, have the structure:
<div class="friendvcard"><span class="profile fn">[Friend's Full Name]</span></div>
Whereas users who have had their data inadvertently leaked due to Friends who uploaded address books containing their contact data (confusing but I think that's right) have the following structure which contains leaked data:
<div class="friend vcard"><span class="profile fn">[Friend's Full Name]</span><span class="email"> (<a href="mailto:[Friend's email address]">[Friend's email address]</a>)</span></div>
I have three of these entries with email addresses, but am not seeing any phone numbers. Can anyone else corroborate this structure, add how the phone numbers were stored, and verify an example case where a known friend uploaded their contact data matching the leak?
edited for clarity
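As an added example (not part of the comment above and not Facebook's code), here is one way to audit your own DYI export for friend entries that carry an email address. It assumes the friends.html structure that comment reports, which nobody in the thread has corroborated; `SAMPLE`, `FriendsAudit` and `entries_with_email` are names made up for this sketch.

```python
from html.parser import HTMLParser

# Constructed sample in the two entry shapes reported above (made-up data).
SAMPLE = (
    '<div class="friendvcard"><span class="profile fn">Alice Example</span></div>'
    '<div class="friend vcard"><span class="profile fn">Bob Example</span>'
    '<span class="email"> (<a href="mailto:bob@example.org">bob@example.org</a>)'
    '</span></div>'
)

class FriendsAudit(HTMLParser):
    """Collect (name, [emails]) for every friend entry in friends.html."""
    def __init__(self):
        super().__init__()
        self.entries = []            # finished entries: (name, [emails])
        self._depth = 0              # div nesting inside the current entry
        self._name, self._emails, self._in_name = "", [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        cls = a.get("class") or ""
        if tag == "div":
            if self._depth:
                self._depth += 1
            elif "vcard" in cls:     # matches "friendvcard" and "friend vcard"
                self._depth, self._name, self._emails = 1, "", []
        elif self._depth and tag == "span" and "fn" in cls.split():
            self._in_name = True
        elif self._depth and tag == "a":
            href = a.get("href") or ""
            if href.lower().startswith("mailto:"):
                self._emails.append(href[len("mailto:"):])

    def handle_endtag(self, tag):
        if tag == "span":
            self._in_name = False
        elif tag == "div" and self._depth:
            self._depth -= 1
            if self._depth == 0:     # entry closed: record it
                self.entries.append((self._name.strip(), self._emails))

    def handle_data(self, data):
        if self._in_name:
            self._name += data

def entries_with_email(html_text):
    # Keep only the entries whose markup includes a mailto: link.
    parser = FriendsAudit()
    parser.feed(html_text)
    return [(n, e) for n, e in parser.entries if e]
```

To run it against a real export, read `friends.html` from the archive's html folder and pass its text to `entries_with_email`.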
The weird part of it is that the email address they say has been exposed is not even part of my Facebook profile.
Perhaps the "merged" contact information that got leaked included e-mails for you that your acquaintance had that you perhaps never told Facebook about?
EDIT: that would seem to be supported by this line:
"This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool."
Basically, it means that Facebook has more (much more?) information about me than they show to me in the profile. Not that I am surprised by that.
John adds Bob to his friends.
Alice adds Bob to her friends, and while crawling her contacts' info (say, on her smartphone), Facebook finds a phone number for Bob that Bob himself didn't give.
Facebook remembers the phone number on Bob's "shadow" account.
John downloads his info, and for his friend Bob he can see the phone number. Bob never gave it to Facebook, never gave it to John. Facebook never told Bob they had it.
LinkedIn did something equally as shady with their iOS app. I kept the email addresses of people I met on a trip to Europe on my phone, but never communicated with them. After installing the LinkedIn app on my phone, the "People You May Know" section for my account on the website starts recommending these same people that I met in Europe. I had no idea how this happened until the Path controversy started.
I never consented to anyone stealing my information -- whether it's on my phone or someone else's. What if my social security number or credit card number was stored in my or someone else's contacts? No company has the right to steal this information without consent.
I realize Apple eventually locked down access to Contacts but as far as I'm concerned, that was too little, too late. This never should have been "public" for any app to access, and I really don't think this was just an oversight from the company responsible for the fastest-growing ecosystem ever seen. This was not a misstep...they had to realize that this data could and would get out.
Even worse are the companies that stole from phones while knowing full well that what they were doing was wrong, and that they probably had a small window in which to scrape as much data as possible. Scum.
If this is indeed true that the sales and marketing honchos are exclusively running large tracts of key operations, aren't the resulting missteps going to be deleterious to Mark's record as the chief?
This sentiment was echoed by Dalton Caldwell about Facebook's "M&A" team, last year:
I am not sure if this bubbled up to you, Mark, but after this all happened I
directly communicated my feedback regarding just how unhappy I was with this
situation to one of your executives. The executive apologized and said he would
take my feedback under consideration.
Mark, I know for a fact that my experience was not an isolated incident. Several
other startup founders & Facebook employees have told me that what I experienced
was part of a systematic M&A “formula”. Your team doesn’t seem to understand
that being “good negotiators” vs implying that you will destroy someone’s
business built on your “open platform” are not the same thing. I know all
about intimidation-based negotiation tactics: I experienced them for years
while dealing with the music industry. Bad-faith negotiations are inexcusable,
and I didn’t want to believe your company would stoop this low. My mistake.