Facebook offers its users the ability to upload their email contact lists, presumably so they can discover which of their friends are on Facebook (and not yet befriended). Once you’ve done this, you can also download those contacts via an archiving tool called DYI (Download Your Information), which delivers this information as a simple HTML file. Unfortunately, an unintended “bug” in DYI exposed a rather distasteful (though expected) Facebook practice called data correlation. Here’s what happened:
Say you uploaded a contact “firstname.lastname@example.org” to Facebook, and that’s all the data you had on Mr. Smith: just his email address. Another Facebook user also knows Mr. Smith, and happened to have his phone number and mailing address as well. Facebook’s data correlation practice stores all data on John Smith, regardless of who uploaded it, in a single record, creating a comprehensive data profile on Mr. Smith. See where this is going? Before they fixed this bug, when you went to download your contact info via DYI, not only would you get the email address you knew about, you’d also get any other contact information uploaded by other users, even if you didn’t know the other person who uploaded the contact info about John Smith!
According to Facebook, this data correlation is done to make “Friend” recommendations to you based upon everything it knows about an individual, across its entire store of information.
What this means for you:
It’s not clear whether Facebook intends to notify any of the six million individuals who are affected by this bug. Supposedly it has been fixed so that Facebook users only have access to the data they uploaded, minus the data correlation ties Facebook makes in its internal database. According to Facebook, this security bug wasn’t exploited intentionally or maliciously, and it wasn’t possible for anyone using the tool to access information about users they didn’t already have some form of contact info on.
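The bug and the fix described above, modelled as an added example (a toy sketch written for this page, not Facebook's code): contacts are merged into one record per person with each field tagged by its uploader, and the export either returns the whole merged record or only the requester's own fields. The class, function, user and field names and all sample data are constructed assumptions.

```python
from collections import defaultdict

IDENTIFIERS = ("email", "phone")  # assumed fields used to match uploads to a person

class ContactStore:
    """Toy model: one merged record per person, every field tagged with its uploader."""
    def __init__(self):
        self.records = defaultdict(list)  # person key -> [(uploader, field, value)]
        self.index = {}                   # identifier value -> person key

    def upload(self, uploader, contact):
        ids = [contact[f] for f in IDENTIFIERS if f in contact]
        key = next((self.index[i] for i in ids if i in self.index), len(self.records))
        for i in ids:
            self.index[i] = key
        self.records[key] += [(uploader, f, v) for f, v in contact.items()]

    def export_unscoped(self, requester):
        """Buggy export: whole merged record for each person the requester uploaded."""
        return [{f: v for _, f, v in rec} for rec in self.records.values()
                if any(u == requester for u, _, _ in rec)]

    def export_scoped(self, requester):
        """Fixed export: only the fields this requester uploaded."""
        own = [{f: v for u, f, v in rec if u == requester} for rec in self.records.values()]
        return [rec for rec in own if rec]

def leaked(store, requester):
    """Fields the unscoped export discloses that the requester never uploaded."""
    flat = lambda recs: {(f, v) for rec in recs for f, v in rec.items()}
    return sorted(flat(store.export_unscoped(requester)) - flat(store.export_scoped(requester)))

def build_demo():
    """Constructed sample data mirroring the post's Mr. Smith scenario."""
    store = ContactStore()
    store.upload("alice", {"email": "firstname.lastname@example.org"})
    store.upload("bob", {"email": "firstname.lastname@example.org",
                         "phone": "555-0100", "address": "1 Example Street"})
    store.upload("carol", {"email": "other.person@example.org"})
    return store

if __name__ == "__main__":
    demo = build_demo()
    for user in ("alice", "bob", "carol"):
        print(user, "leaked via unscoped export:", leaked(demo, user))
```

The `leaked` helper doubles as a regression check: for any requester it should return an empty list once the export is scoped by uploader.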
This does highlight a larger privacy issue that probably won’t be resolved anytime soon, and that has been ongoing for Facebook ever since it first appeared. Your friends have access to your PII (Personally Identifiable Information) and, regardless of your own personal wishes, you have no ability to control whether or not they share that information, on Facebook or any other social networking site. As is always the case, if you are concerned with the visibility of your personal information on the internet, do regular searches on your name via Google to see what comes up in public, and work back towards the source to remove that information if necessary. Unfortunately, the Internet never forgets, and there is no “100% guaranteed erase” button, so it’s sometimes impossible to completely remove that data from public view.