Joining a social network allows the gov't access to your friends, family, and co-workers

When you join a social network, it usually asks if you’d like help finding friends who also use the service. It sounds like a nice offer—much easier than manually searching the site. So you click “yes,” put check marks next to the people you want to follow, and go merrily on your way.

Congratulations: You’ve just donated all of your friends’ and colleagues’ email addresses and phone numbers to that social network’s internal database. If you’re lucky, its employees will treat your friends’ contact information with more respect than you just did.

But they might not. They might use it to blast everyone from your boss to your mother-in-law with text messages at 6 a.m., like the fledgling social network Path did to at least one user in April. Or they might do something more subtle: cross-check your contacts list against their internal database, adding phone numbers and emails that your friends had chosen, for whatever reason, not to associate with their account. They might even collect the emails and phone numbers of people who aren’t members at all. And if you’re really unlucky—or rather, if your friends are really unlucky—they’ll accidentally reveal those secret phone numbers and email addresses to everyone else in your friends’ networks. That’s what Facebook was doing for the past year, until the security research site Packet Storm pointed out the gaffe last week, and Facebook scrambled to fix the bug.

Facebook apologized for the mistake, which made some 6 million users’ private contact information available to their friends and others through the site’s Download Your Information feature. The leak was clearly unintentional and quite rare for Facebook, which is among the best in the business at data security.

Everyone knows that the personal data he or she stores on the servers of companies like Google, Facebook, and Amazon is never 100 percent secure. But you’re probably somewhat less inured to the idea that your friends and associates are storing personal information about you there as well. On social networks, that information is part of what’s called your “shadow profile.” It’s data about you that’s stored on Facebook’s servers but not revealed to anyone other than the people who uploaded it—not even you.

Here’s where it gets a little Kafkaesque: Even if you knew that your phone number and secondary email addresses were being added to your Facebook shadow profile without your consent, you couldn’t do anything about it. Technically, once you gave your phone number or email address to your friends and they added it to their address book, it became their personal information, not yours—and when they granted Facebook access to that address book, it became Facebook’s information, too. Facebook won’t delete it even if you ask, because it’s not yours to delete. As Packet Storm put it, “Facebook feels that your friends should have more control over your data than you.”

Believe it or not, though, this isn’t some malicious scheme that Facebook dreamed up to steal your data. From Facebook’s perspective, it’s actually a service. It makes it easier for friends to find one another, and it helps Facebook avoid sending you useless emails and notifications. If Facebook didn’t attach that secondary email to your “shadow profile,” then friends who looked you up at that address would think you weren’t already on Facebook, and they might invite you to join.

The existence of shadow profiles was among the alleged privacy violations raised in an investigation of Facebook by the Irish government in 2011. But the Irish authorities cleared Facebook on that count, because they found that the company wasn’t using the hidden data for any nefarious purposes. It wasn’t using those extra addresses and phone numbers to target anyone with ads, it wasn’t selling them to third-party marketers, and it wasn’t disclosing them to anyone else on the site (until the data leak, anyway). It was just using them in the way it said it would use them when they were uploaded in the first place—i.e., to help people find their friends on the site.

Not everyone finds that logic compelling. Packet Storm’s researchers noted that the information could be targeted by hackers or government spies. Sarah Downey, analyst at the online privacy company Abine, took issue with Facebook’s claim that its users know what they’re doing when they grant access to their contacts via the Find Friends feature. “I’d assume I’m using it to find friends, not to help them build up a database on my friends,” she told me. http://www.slate.com/articles/technology/technology/2013/06/facebook_data_breach_how_social_networks_use_find_friends_to_mine_your_contacts.html