So it sounds like when people give Facebook access to copy their contact lists / address books from an email account or phone, Facebook tries to match those email addresses and phone numbers to other Facebook accounts. Sometimes, those email addresses and phone numbers aren't already part of the Facebook account they're matched with, but Facebook is pretty confident of the match. So Facebook stores those addresses and numbers as part of the matched account's "shadow profile".
The problem they're reporting here seems to be that when one used the tool to download one's account, the addresses and phone numbers from friends' "shadow profiles" were included.
It makes you wonder what other invisible data is attached to a Facebook profile...
I work at Mailgun and this may explain why when our customers use Facebook as a customer acquisition tool they inevitably end up with a large amount of bad email addresses, leading to a poor email sending reputation or worse.
While I'm not familiar with the information Facebook shares through Facebook Connect, this seems to be a big shortcoming. You may not be getting the customer's real, current email addresses.
We have to tell people that Facebook is not a reliable way to obtain valid email addresses. The only way to properly do this is to have customers submit their email addresses directly to your own signup form and then validate them with a confirmation link sent to that address (double opt-in).
The issue is that when you use Facebook Connect and get the user's email it returns the email originally used to sign up for Facebook. Since people signed up years ago, many no longer have that as an active address, which leads to the poor email quality.
Wow - I expect most Facebook users have invalid e-mail addresses if that's the case. Originally, you could only sign up with a college or university e-mail address, and pretty much all of those addresses are now dead because people graduated or left.
The blog says the fix was made in the DYI tool. That means they would continue to maintain "shadow profiles", but would stop letting others know that FB has a shadow profile on you. All these blog posts and notification emails are just PR propaganda to make gullible users believe that FB cares about their privacy.
The extended data download did not include shadow profile data from just your friends. It included shadow profile data from anyone that matched any of your contacts. If email@example.com was one of your contacts, you would have retrieved all of his data.
This could have been used as a very targeted malicious data mining tool. It probably was.
This blog post does not identify exactly where the leaked data is.
I have a DYI export of my account from 3/26/13 and am trying to determine where the data is. Can anyone help?
DYIs have the following directory structure:
The html folder contains many files including "friends.html," where each friend is listed as a div. I believe normal data, i.e. friends who did not upload address book have the structure:
<div class="friendvcard"><span class="profile fn">[Friend's Full Name]</span></div>
Whereas users who have had their data inadvertently leaked due to Friends who uploaded address books containing their contact data (confusing but I think that's right) have the following structure which contains leaked data:
I have three of these entries with email addresses, but am not seeing any phone numbers. Can anyone else corroborate this structure, add how the phone numbers were stored, and verify an example case where a known friend uploaded their contact data matching the leak?
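A self-audit of an export in that layout, as an added example that is not code from the thread: it parses friends.html fragments and flags friendvcard entries that carry e-mail or phone text beyond the friend's name. The exact markup of the leaked entries is not given above, so the extra spans in the constructed sample are an assumption; everything else relies only on the div.friendvcard / span.profile.fn structure described.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a friends.html fragment in the layout the thread describes.
# The extra spans holding an e-mail / phone are an ASSUMED shape for a leaked entry.
SAMPLE_FRIENDS_HTML = """
<div class="friendvcard"><span class="profile fn">Alice Example</span></div>
<div class="friendvcard"><span class="profile fn">Bob Example</span>
  <span class="email">bob.old@example.com</span></div>
<div class="friendvcard"><span class="profile fn">Carol Example</span>
  <span>+1 555 0100</span></div>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


class FriendVcardParser(HTMLParser):
    # Collects each div.friendvcard as {"name": <fn span text>, "extra": <all other text>}
    def __init__(self):
        super().__init__()
        self.entries, self._cur, self._depth, self._in_name = [], None, 0, False

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if tag == "div" and "friendvcard" in classes:
            self._cur, self._depth = {"name": "", "extra": ""}, 1
        elif self._cur is not None:
            if tag == "div":
                self._depth += 1                 # nested div inside the card, if any
            elif tag == "span":
                self._in_name = "fn" in classes  # only the profile/fn span is the name

    def handle_endtag(self, tag):
        if self._cur is None:
            return
        if tag == "span":
            self._in_name = False
        elif tag == "div":
            self._depth -= 1
            if self._depth == 0:                 # closed the friendvcard div
                self.entries.append(self._cur)
                self._cur = None

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["name" if self._in_name else "extra"] += data


def find_leaked_contacts(html):
    # Returns (name, emails, phones) for every friend entry carrying contact data.
    parser = FriendVcardParser()
    parser.feed(html)
    return [(e["name"].strip(), EMAIL_RE.findall(e["extra"]),
             [m.strip() for m in PHONE_RE.findall(e["extra"])])
            for e in parser.entries
            if EMAIL_RE.search(e["extra"]) or PHONE_RE.search(e["extra"])]
```

Run it over your own html/friends.html to list which friends' cards carry contact fields, which is the same check the post above is doing by hand.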
No--it seems that if you downloaded your info, you would also download email addresses and phone numbers of your friends that other people had in their address books, without your friends ever knowing Facebook had that information.
This is exactly what happened. I never entered my phone number into anything Facebook, and today I received an email that referenced an old phone number of mine being inadvertently released. My strong suspicion is that Facebook crawled a friend's phone contact list, and linked my phone number to my name/Facebook profile.
LinkedIn did something equally shady with their iOS app. I kept the email addresses of people I met on a trip to Europe on my phone, but never communicated with them. After installing the LinkedIn app on my phone, the "People You May Know" section for my account on the website started recommending these same people that I met in Europe. I had no idea how this happened until the Path controversy started.
I never consented to anyone stealing my information -- whether it's on my phone or someone else's. What if my social security number or credit card number was stored in my or someone else's contacts? No company has the right to steal this information without consent.
I realize Apple eventually locked down access to Contacts but as far as I'm concerned, that was too little, too late. This never should have been "public" for any app to access, and I really don't think this was just an oversight from the company responsible for the fastest-growing ecosystem ever seen. This was not a misstep...they had to realize that this data could and would get out.
Even worse are the companies that stole from phones while knowing full well that what they were doing was wrong, and that they probably had a small window in which to scrape as much data as possible. Scum.
I have heard this sentiment echoed by others - several industry insiders included - before.
If this is indeed true that the sales and marketing honchos are exclusively running large tracts of key operations, aren't the resulting missteps going to be deleterious to Mark's record as the chief?
This sentiment was echoed by Dalton Caldwell about Facebook's "M&A" team, last year:
I am not sure if this bubbled up to you, Mark, but after this all happened I
directly communicated my feedback regarding just how unhappy I was with this
situation to one of your executives. The executive apologized and said he would
take my feedback under consideration.
Mark, I know for a fact that my experience was not an isolated incident. Several
other startup founders & Facebook employees have told me that what I experienced
was part of a systematic M&A “formula”. Your team doesn’t seem to understand
that being “good negotiators” vs implying that you will destroy someone’s
business built on your “open platform” are not the same thing. I know all
about intimidation-based negotiation tactics: I experienced them for years
while dealing with the music industry. Bad-faith negotiations are inexcusable,
and I didn’t want to believe your company would stoop this low. My mistake.
Does Mark maintain control of all of the operations or has he got petty feudal lords running various units and operations?
Same here, I had three e-mails listed: my personal email I used for Facebook, my @facebook.com email, and a work e-mail that I don't appear to have listed in my profile or settings anywhere and don't recall even giving to Facebook.
Perhaps the "merged" contact information that got leaked included e-mails for you that your acquaintance had that you perhaps never told Facebook about?
EDIT: that would seem to be supported by this line:
"This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool."
So... People who already had my email/phone in another service were able to get it as part of downloading all their Facebook data. Consequently, my email/phone was not disclosed (by Facebook) to anybody who didn't already have it. I don't really see an issue here.
I think you misunderstand: if friend A had information about you in their address book (stuff you didn't have on Facebook) and uploaded their contacts to Facebook, and friends B and C downloaded their Facebook data, it would contain the fields gathered from friend A's address book.