With Friends Like These

How your friends, family, and co-workers are secretly helping social networks gather intelligence on you.

When you join a social network, it usually asks if you’d like help finding friends who also use the service. It sounds like a nice offer—much easier than manually searching the site. So you click “yes,” put check marks next to the people you want to follow, and go merrily on your way.

Congratulations: You’ve just donated all of your friends’ and colleagues’ email addresses and phone numbers to that social network’s internal database. If you’re lucky, its employees will treat your friends’ contact information with more respect than you just did.

But they might not. They might use it to blast everyone from your boss to your mother-in-law with text messages at 6 a.m., like the fledgling social network Path did to at least one user in April. Or they might do something more subtle: cross-check your contacts list against their internal database, adding phone numbers and emails that your friends had chosen, for whatever reason, not to associate with their account. They might even collect the emails and phone numbers of people who aren’t members at all. And if you’re really unlucky—or rather, if your friends are really unlucky—they’ll accidentally reveal those secret phone numbers and email addresses to everyone else in your friends’ networks. That’s what Facebook was doing for the past year, until the security research site Packet Storm pointed out the gaffe last week, and Facebook scrambled to fix the bug.

Facebook apologized for the mistake, which made some 6 million users’ private contact information available to their friends and others through the site’s Download Your Information feature. The leak was clearly unintentional and quite rare for Facebook, which is among the best in the business at data security.

Everyone knows that the personal data he or she stores on the servers of companies like Google, Facebook, and Amazon is never 100 percent secure. But you’re probably somewhat less inured to the idea that your friends and associates are storing personal information about you there as well. On social networks, that information is part of what’s called your “shadow profile.” It’s data about you that’s stored on Facebook’s servers but not revealed to anyone other than the people who uploaded it—not even you.

Here’s where it gets a little Kafkaesque: Even if you knew that your phone number and secondary email addresses were being added to your Facebook shadow profile without your consent, you couldn’t do anything about it. Technically, once you gave your phone number or email address to your friends and they added it to their address book, it became their personal information, not yours—and when they granted Facebook access to that address book, it became Facebook’s information, too. Facebook won’t delete it even if you ask, because it’s not yours to delete. As Packet Storm put it, “Facebook feels that your friends should have more control over your data than you.”

Believe it or not, though, this isn’t some malicious scheme that Facebook dreamed up to steal your data. From Facebook’s perspective, it’s actually a service. It makes it easier for friends to find one another, and it helps Facebook avoid sending you useless emails and notifications. If Facebook didn’t attach that secondary email to your “shadow profile,” then friends who looked you up at that address would think you weren’t already on Facebook, and they might invite you to join.
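To make the contact-matching and shadow-profile mechanism described above concrete, here is an added toy model (my own illustration, not Facebook's or any network's code; the member names and contact details are constructed). It shows how an uploaded address book attaches unpublished phone numbers to an existing member's hidden record, how a non-member's details are retained, and why a data export must separate what a member published from what others uploaded:

```python
import re
from collections import defaultdict

def normalize(contact):
    """Canonicalize an email or phone so spelling variants map to one key."""
    c = contact.strip().lower()
    if "@" in c:
        return ("email", c)
    return ("phone", "+" + re.sub(r"\D", "", c))   # toy rule, not real E.164 handling

class Network:
    """Toy social network: members' own contact points plus uploaded 'shadow' ones."""
    def __init__(self):
        self.profiles = {}                   # member -> {"own": set, "shadow": set}
        self.index = {}                      # contact key -> member it resolves to
        self.non_members = defaultdict(set)  # contact key of a non-member -> uploaders

    def register(self, member, *contacts):
        self.profiles[member] = {"own": set(), "shadow": set()}
        for c in contacts:
            k = normalize(c)
            self.profiles[member]["own"].add(k)
            self.index[k] = member

    def import_address_book(self, uploader, book):
        """Find Friends: match each address-book entry (name -> contacts) to a member."""
        for contacts in book.values():
            keys = [normalize(c) for c in contacts]
            owner = next((self.index[k] for k in keys if k in self.index), None)
            if owner is None:                # nobody matched: data on a non-member is kept anyway
                for k in keys:
                    self.non_members[k].add(uploader)
                continue
            for k in keys:                   # matched: extra contact points become shadow data
                if k not in self.profiles[owner]["own"]:
                    self.profiles[owner]["shadow"].add(k)
                    self.index[k] = owner    # so a friend searching this number still finds them

    def lookup(self, contact):
        return self.index.get(normalize(contact))

    def export_for(self, member, include_shadow=False):
        """What a friend's data download shows about this member; the leak is include_shadow=True."""
        p = self.profiles[member]
        return sorted(p["own"] | (p["shadow"] if include_shadow else set()))

def build_sample():
    net = Network()                          # constructed sample data
    net.register("alice", "alice@example.com")
    net.register("bob", "bob@example.com")
    net.import_address_book("bob", {"Alice": ["Alice@Example.com", "(555) 010-0001"],
                                    "Carol": ["carol@example.com"]})
    return net
```

The defensive point is the provenance tag: because uploaded contact points are stored apart from the member's own, an export can be checked never to emit the "shadow" set.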

The existence of shadow profiles was among the alleged privacy violations raised in an investigation of Facebook by the Irish government in 2011. But the Irish authorities cleared Facebook on that count, because they found that the company wasn’t using the hidden data for any nefarious purposes. It wasn’t using those extra addresses and phone numbers to target anyone with ads, it wasn’t selling them to third-party marketers, and it wasn’t disclosing them to anyone else on the site (until the data leak, anyway). It was just using them in the way it said it would use them when they were uploaded in the first place—i.e., to help people find their friends on the site.

Not everyone finds that logic compelling. Packet Storm’s researchers noted that the information could be targeted by hackers or government spies. Sarah Downey, an analyst at the online privacy company Abine, took issue with Facebook’s claim that its users know what they’re doing when they grant access to their contacts via the Find Friends feature. “I’d assume I’m using it to find friends, not to help them build up a database on my friends,” she told me.

It’s worth keeping in mind that Facebook is likely more careful with the information it gleans from people’s address books than some smaller apps and social networks, which have less robust security measures and operate under less scrutiny than Zuckerberg and company. Path, for one, was far more aggressive in targeting the people on its users’ contact lists with invitations to join the service, though it dialed back its practices following a backlash. And it’s not Facebook but LinkedIn that may have the most advanced system of all for figuring out who its users might know or might want to connect with.

LinkedIn takes pride in this algorithm, the engine behind its People You May Know page, or “PYMK,” as LinkedIn employees call it. Some have speculated that the company draws on data from the Gmail plug-in Rapportive, which LinkedIn bought in 2012, to fuel its machine-learning algorithms. LinkedIn product lead Brad Mauney told me he couldn’t go into the “secret sauce” behind its software, because it’s “stuff that our competitors would love to get their hands on.”* But he said the site does take care not to use people’s information for any purposes other than those specified when they provide it. “It’s all very on the up-and-up,” Mauney said, adding that upholding users’ trust is vital to LinkedIn’s business. That’s true, though it leaves open the question of whether LinkedIn’s concept of what’s on the up-and-up is the same as yours.

For most people, shadow profiles probably rank somewhere below embarrassing photos, private messages, and credit-card numbers on the list of sensitive information that Internet companies have about them. Still, even Facebook told me it’s not a bad idea for people to think twice before they turn over their address books to any social network or app, Facebook included. Find Friends is a nice service, but if you’re handing out people’s sensitive information to for-profit companies left and right, you might eventually find yourself with a few fewer friends in real life.

Correction, June 27, 2013: This article originally misspelled the surname of LinkedIn product lead Brad Mauney.