A Facebook bug that accidentally shared information on people's contact lists with others on the social network highlights the precariousness of privacy in the digital world.
About 6 million Facebook users had their email addresses or telephone numbers shared with others without permission. The information was made available through Facebook's Download Your Information (DYI) tool, which provides an archive of a person's Facebook account.
The bug, reported by the security site Packet Storm, started when people uploaded their contact list from another application into Facebook. A person using the DYI tool would get back the list in a file called "addressbook.html," along with other account information.
Rather than containing only the information in the requester's original contact list, the address book file also contained information about the same people drawn from other users' uploaded lists. Packet Storm notified Facebook of the problem last week.
Once notified, Facebook said it immediately disabled the DYI tool, fixed the problem and had the application back up the next day. The site also paid Packet Storm a $500 bug bounty.
The contact information became commingled because Facebook aggregates uploaded contacts in its database and matches them across users, so that it can suggest people a user may want to become friends with. When a user ran DYI, the address book export drew on that pooled data rather than only on the user's own upload.
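The failure mode described above, modelled as an added example (this is not Facebook's code; the data layout, the name-based merge and the function names are assumptions made for illustration): an aggregated friend-suggestion index that pools every uploader's contacts, an export that mistakenly reads from that index, and the corrected export that returns only the fields the requesting user actually uploaded. The `leaked_fields` check is the kind of regression test a practitioner would want: diff the export against the user's own upload and flag anything that was not theirs.

```python
"""Illustrative model of a contact-aggregation leak (added example, not
Facebook's implementation).

Assumed layout: each user uploads an address book as a list of records
with name, email and phone; the service merges records for the same name
into one pooled entry for friend suggestions; an export tool builds the
user's address book from stored data.
"""
from collections import defaultdict

FIELDS = ("email", "phone")

# Constructed sample uploads: two users both know "Bob Example" but each
# holds a different piece of his contact information.
UPLOADS = {
    "alice": [{"name": "Bob Example", "email": "bob@example.org", "phone": None}],
    "carol": [{"name": "Bob Example", "email": None, "phone": "+1-555-0100"}],
}


def aggregate(uploads):
    """Merge every upload into one record per person, keyed by name.

    This is the friend-suggestion index: it deliberately pools data from
    all uploaders so common contacts can be found across accounts.
    """
    merged = defaultdict(dict)
    for records in uploads.values():
        for r in records:
            entry = merged[r["name"]]
            for field in FIELDS:
                if r[field]:
                    entry[field] = r[field]
    return merged


def export_buggy(user, uploads):
    """Vulnerable export: reads each contact from the pooled index, so the
    requester receives fields that other users uploaded."""
    merged = aggregate(uploads)
    return [dict(name=r["name"], **merged[r["name"]]) for r in uploads[user]]


def export_fixed(user, uploads):
    """Corrected export: scoped to the requester's own upload only."""
    return [
        {k: v for k, v in r.items() if v is not None}
        for r in uploads[user]
    ]


def leaked_fields(user, uploads, export=export_buggy):
    """Regression check: every (name, field) in the export that the user
    never uploaded is a leak. Returns a list of (name, field, value)."""
    own = {(r["name"], f) for r in uploads[user] for f in FIELDS if r[f]}
    leaked = []
    for r in export(user, uploads):
        for f in FIELDS:
            if f in r and (r["name"], f) not in own:
                leaked.append((r["name"], f, r[f]))
    return leaked


if __name__ == "__main__":
    print("buggy export for alice:", export_buggy("alice", UPLOADS))
    print("fixed export for alice:", export_fixed("alice", UPLOADS))
    print("leaked via buggy export:", leaked_fields("alice", UPLOADS))
    print("leaked via fixed export:", leaked_fields("alice", UPLOADS, export_fixed))
```

The design point is that the index used for matching and the data returned to an individual user are different trust domains: pooling is fine for a suggestion feature that only reveals "you may know this person", but an export (or any user-facing read) must be keyed on the requester's own records, and a test like `leaked_fields` should run against the export path so the two never get wired together again.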
Facebook apologized, and assured users that there was no evidence the bug had been exploited maliciously. The site also said it had not received any complaints from users. Packet Storm said the bug had been live since last year.
The mistaken data sharing demonstrates the risk of providing personal information to others. Facebook treats contact lists as the property of the people who upload them to the site. Whether the people on a list would want their information shared is left to the owner of the list to decide.
"Whenever you hand information to another person you lose control of that information," said Andrew Walls, an analyst with Gartner. "You can fiddle with contracts and blood oaths, but once it is out of your hands you have no control over security or privacy."
Facebook is bound only by the limits people place on the use of their own contact lists, even where the people on those lists have set more stringent controls on the sharing of their personal data on the site. People should therefore, from the start, hand out only the contact information they are prepared to treat as public.
"My feeling is that once I pass my contact information to a third party, i.e. a friend, I no longer control that data because the friend, or business contact, or charity, now has access and I can't be sure it won't be passed on," Charles Kolodgy, an analyst with IDC, said. "There is no assumption of privacy."