Zebra 3 Report by Joe Anybody
Monday, 27 November 2017
Face Book and its secret shadow tracking / profiling
Mood:  don't ask
Now Playing: How does FaceBook know all my contacts
Topic: Privacy & Security

 

 

FACEBOOK KNOW ALL MY CONTACTS 

 

 

 


 

 

 

In real life, in the natural course of conversation, it is not uncommon to talk about a person you may know. You meet someone and say, “I’m from Sarasota,” and they say, “Oh, I have a grandparent in Sarasota,” and they tell you where they live and their name, and you may or may not recognize them. 

You might assume Facebook’s friend recommendations would work the same way: You tell the social network who you are, and it tells you who you might know in the online world. But Facebook’s machinery operates on a scale far beyond normal human interactions. And the results of its People You May Know algorithm are anything but obvious. In the months I’ve been writing about PYMK, as Facebook calls it, I’ve heard more than a hundred bewildering anecdotes: 

  • A man who years ago donated sperm to a couple, secretly, so they could have a child—only to have Facebook recommend the child as a person he should know. He still knows the couple but is not friends with them on Facebook. 

  • A social worker whose client called her by her nickname on their second visit, because she’d shown up in his People You May Know, despite their not having exchanged contact information. 

  • A woman whose father left her family when she was six years old—and saw his then-mistress suggested to her as a Facebook friend 40 years later.  

  • An attorney who wrote: “I deleted Facebook after it recommended as PYMK a man who was defense counsel on one of my cases. We had only communicated through my work email, which is not connected to my Facebook, which convinced me Facebook was scanning my work email.” 

Connections like these seem inexplicable if you assume Facebook only knows what you’ve told it about yourself. They’re less mysterious if you know about the other file Facebook keeps on you—one that you can’t see or control. 

 

 

Behind the Facebook profile you’ve built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you’ve never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections. 

Behind the Facebook profile you’ve built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. 

Shadow contact information has been a known feature of Facebook for a few years now. But most users remain unaware of its reach and power. Because shadow-profile connections happen inside Facebook’s algorithmic black box, people can’t see how deep the data-mining of their lives truly is, until an uncanny recommendation pops up. 

 

 

Facebook isn’t scanning the work email of the attorney above. But it likely has her work email address on file, even if she never gave it to Facebook herself. If anyone who has the lawyer’s address in their contacts has chosen to share it with Facebook, the company can link her to anyone else who has it, such as the defense counsel in one of her cases. 

Facebook will not confirm how it makes specific People You May Know connections, and a Facebook spokesperson suggested that there could be other plausible explanations for most of those examples—“mutual friendships,” or people being “in the same city/network.” The spokesperson did say that of the stories on the list, the lawyer was the likeliest case for a shadow-profile connection. 

Handing over address books is one of the first steps Facebook asks people to take when they initially sign up, so that they can “Find Friends.” The “Find Friends” option on desktop is very basic: 

You enter your email address and then your email password, and Facebook will tell you everyone you know on Facebook. Meanwhile, Facebook holds on to all the contacts you handed over. 

The “Find Friends” page in the Facebook smartphone app is more inviting, presenting a picture of a spray of flowers and inviting the user to “See who’s on Facebook by continuously uploading your contacts.” 

Down in the fine print, below the “Get Started” button, the page states that “Info about your contacts...will be sent to Facebook to help you and others find friends faster.” This is vague, and the purpose remains vague even after you click on “Learn More”: 

When you choose to find friends on Facebook, we’ll use and securely store information about your contacts, including things like names and any nicknames; contact photo; phone numbers and other contact or related information you may have added like relation or profession; as well as data on your phone about those contacts. This helps Facebook make recommendation for you and others, and helps us provide a better service. 

Take a look at all the possible information associated with a contact on your phone. Then consider the accumulated data your phone is carrying about various people, whether lifelong friends or passing acquaintances. 

 

Facebook warns users to be judicious about using all this data. “You may have business or personal contacts in your phone,” the Learn More screen admonishes the reader. “Please only send friend requests to people you know personally who would welcome the invite.” 

Having issued this warning, and having acknowledged that people in your address book may not necessarily want to be connected to you, Facebook will then do exactly what it warned you not to do. If you agree to share your contacts, every piece of contact data you possess will go to Facebook, and the network will then use it to try to search for connections between everyone you know, no matter how slightly—and you won’t see it happen. 

 

Facebook doesn’t like, and doesn’t use, the term “shadow profiles.” It doesn’t like the term because it sounds like Facebook creates hidden profiles for people who haven’t joined the network, which Facebook says it doesn’t do. The existence of shadow contact information came to light in 2013 after Facebook admitted it had discovered and fixed “a bug.” The bug was that when a user downloaded their Facebook file, it included not just their friends’ visible contact information, but also their friends’ shadow contact information. 

The problem with the bug, for Facebook, was not that all the information was lumped together—it was that it had mistakenly shown users the lump existed. The extent of the connections Facebook builds around its users is supposed to be visible only to the company itself. 

 

 

Facebook does what it can to underplay how much data it gathers through contacts, and how widely it casts its net. “People You May Know suggestions may be based on contact information we receive from people and their friends,” Facebook spokesperson Matt Steinfeld wrote in an email. “Sometimes this means that a friend or someone you know might upload contact information—like an email address or phone number—that we associate with you. This and other signals from you help us to make sure that the people we suggest are those you likely already know and want to become friends with on Facebook.” 

Users of Instagram and WhatsApp, which are owned by Facebook, can also upload contacts to those apps, but Steinfeld said that Facebook does not currently use that data for Facebook friend suggestions. “Today, we use contacts uploaded to Facebook and Messenger to inform PYMK suggestions,” he wrote. 

 

 

Contact the Special Projects Desk 

This post was produced by the Special Projects Desk of Gizmodo Media. Reach our team by phone, text, Signal, or WhatsApp at [http://sms:+19179996143/](917) 999-6143, email us at tips@gizmodomedia.com, or contact us securely using SecureDrop. 

Through the course of reporting this story, I discovered that many of my own friends had uploaded their contacts. While encouraging me to do the same, Facebook’s smartphone app told me that 272 of my friends have already done so. That’s a quarter of all my friends. 

 

 

But big as it is, that’s not even the relevant number. When Steinfeld wrote “a friend or someone you might know,” he meant anyone—any person who might at some point have labeled your phone number or email or address in their own contacts. A one-night stand from 2008, a person you got a couch from on Craiglist in 2010, a landlord from 2013: If they ever put you in their phone, or you put them in yours, Facebook could log the connection if either party were to upload their contacts. 

That accumulation of contact data from hundreds of people means that Facebook probably knows every address you’ve ever lived at, every email address you’ve ever used, every landline and cell phone number you’ve ever been associated with, all of your nicknames, any social network profiles associated with you, all your former instant message accounts, and anything else someone might have added about you to their phone book. 

As far as Facebook is concerned, none of that even counts as your own information. It belongs to the users who’ve uploaded it, and they’re the only ones with any control over it. 

All the people who know you and who choose to share their contacts with Facebook are making it easier for Facebook to make connections you may not want it to make. 

It’s what the sociologist danah boyd calls “networked privacy”: All the people who know you and who choose to share their contacts with Facebook are making it easier for Facebook to make connections you may not want it to make—say if you’re in a profession like law, medicine, social work, or even journalism, where you might not want to be connected to people you encounter at work, because of what it could reveal about them or you, or because you may not have had a friendly encounter with them. 

 

 

Imagine the challenge for people trying to maintain two different identities, such as sex workers or undercover investigators. Not only do you have to keep those identities apart like a security professional, you have to make sure that no one else links them either. If just one person you know has contact information for both identities and gives Facebook access to it, your worlds collide. Bruce Wayne and Clark Kent would be screwed. 

 

Shadow profile data powers Facebook’s effort to connect as many people as possible, in as many ways as possible. The company’s ability to perceive the threads connecting its billion-plus users around the globe led it to announce last year that it’s not six degrees that separate one person from another—it’s just three and a half. 

With its vast, hidden black book, Facebook can go beyond simply matching you directly with someone else who has your contact information. The network can do contact chaining—if two different people both have an email address or phone number for you in their contact information, that indicates that they could possibly know each other, too. It doesn’t even have to be an address or phone number that you personally told Facebook about. 

This is how a psychiatrist’s patients were recommended to one another and may be why a man had his secret biological daughter recommended to him. (He and she would have her parents’ contact information in common.) And it may explain why a non-Facebook user had his ex-wife recommended to his girlfriend. Facebook doesn’t keep profiles for non-users, but it does use their contact information to connect people. 

 

 

“Mobile phone numbers are even better than social security numbers for identifying people,” said security technologist Bruce Schneier by email. “People give them out all the time, and they’re strongly linked to identity.” 

“Mobile phone numbers are even better than social security numbers for identifying people.” 

Facebook won’t tell you how many people who aren’t your friends have handed over your contact information. The contents of your shadow profiles are not yours to see. 

As Violet Blue wrote in Cnet at the time of the shadow-profile bug, “What the revelation means is that Facebook has much more information on us than we know, it may not be accurate, and despite everyone’s best efforts to keep Facebook from knowing our phone numbers or work email address, the social network is getting our not-for-sharing numbers and email addresses anyway by stealing them (albeit through ‘legitimate’ means) from our friends.” 

What if you don’t like Facebook having this data about you? All you need to do is find every person who’s ever gotten your contact information and uploaded it to Facebook, and then ask them one by one to go to Facebook’s contact management page and delete it. 

 

 

Just don’t miss anyone. “Once a contact is deleted, we remove it from our system—but of course it is possible that the same contact has been uploaded by someone else,” Steinfeld wrote in an email. 

The shadow profiles, like the People You May Know system they feed into, can’t be turned off or opted out of. The one thing you can do to impede Facebook’s contacts-based connections is, through its Privacy Settings menu, keep people from finding your profile by searching your phone number or email address. (Yes, Facebook functions as a reverse phone-number look-up service; under the default settings, anyone can put your phone number into the search bar and pull up your account.) 

Let’s say you’ve shared your phone number [or email address] with a lot of people and don’t want strangers using it to search for you on Facebook,” Steinfeld wrote. “You can limit who can look you up on Facebook by that phone number [or email address] to ‘friends.’ This is also a signal that People You May Know uses. So if a stranger uploads his address book including that phone number [or email address, it] won’t be used to suggest you to that stranger in People You May Know.” 

These privacy settings are an undocumented way to control to whom you get recommended in People You May Know. 

But you can only block People You May Know from using information you’ve actively provided to Facebook, not what’s in your shadow profile. So to protect your privacy, you need to provide Facebook with even more information about you.  

 

 

I asked if Facebook would consider sharing shadow profile information with its users, much like it accidentally shared it with their friends four years ago. Facebook says it can’t because it would be a privacy violation of those who gave the information. 

When you choose to upload your contacts to Facebook, we consider your privacy along with the privacy of the friends, family, and others who gave you their phone number or email address,” said Facebook spokesperson Matt Steinfeld by email. “We acknowledge that people might want to see the contact information that’s been uploaded about them to Facebook, but we also have a responsibility to the people choosing to upload this information. This is a balance and we’ll continue listening to people’s feedback.” 

Steinfeld also said that while Facebook doesn’t currently “offer a way for people to manage the contact information others have uploaded that might be related to them, this is something I’ve shared with the team.” 

As usual, I asked to speak with the People You May Know team directly, but was turned down. 

 

 

 


Posted by Joe Anybody at 10:24 AM PST
Sunday, 14 September 2014
PRISM and FISA - Yahoo wants to tell us what they are doing
Mood:  celebratory
Now Playing: Yahoo faced $250,000 per day fines for PRISM dissidence
Topic: Privacy & Security

The requests are part of the US Foreign Intelligence Surveillance Act (FISA) and overseen by the secret Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISC-R 

Yahoo sheds light on PRISM data requests

 

Full Article here: 

http://www.v3.co.uk/v3-uk/news/2365903/yahoo-faced-usd250-000-per-day-fines-for-prism-dissidence 

The secret courts overseeing the National Security Agency (NSA) threatened Yahoo with daily $250,000 fines if it failed to comply with their orders.

Yahoo general counsel Ron Bell revealed the court's threats in a blog post, following a court victory allowing the firm to publish 1,500 pages of secret papers chronicling its bid to fight the NSA's data requests.

"In 2007, the US Government amended a key law to demand user information from online services. We refused to comply with what we viewed as unconstitutional and overbroad surveillance and challenged the US government's authority. Our challenge, and a later appeal in the case, did not succeed," read the post.

"At one point, the US government threatened the imposition of $250,000 in fines per day if we refused to comply."

Yahoo was one of many firms involved in the infamous PRISM mass surveillance campaign. The campaign saw the NSA siphon data from the companies using National Security Letters.

The requests are part of the US Foreign Intelligence Surveillance Act (FISA) and overseen by the secret Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISC-R).

The nature of the requests mean the companies involved are not allowed to disclose receiving the orders or what information was handed over without risking arrest.

Yahoo CEO Marissa Mayer claimed she would face "treason" charges if she declined to comply with the requests in June 2013.

Bell listed the court ruling as a key victory in Yahoo's ongoing bid to be more transparent about its part in PRISM and pledged to publish the documents on the company's Tumblr blog in the very near future. He added that Yahoo will continue to work to release further documents relating to PRISM.

"Our fight continues. We are still pushing for the FISC to release materials from the 2007-2008 case in the lower court. The FISC indicated previously that it was waiting on the FISC-R ruling in relation to the 2008 appeal before moving forward," he said.

"Now that the FISC-R matter is resolved, we will work hard to make the materials from the FISC case public, as well."

Yahoo has also made several technical upgrades to its services security in a bid to protect its users from surveillance campaigns since news of PRISM broke. Most recently Yahoo began encrypting all information that moves between its data centres.


Posted by Joe Anybody at 10:19 AM PDT
US security agencies probed up to 249 Dropbox accounts
Mood:  smelly
Now Playing: Dropbox asked to hand over the keys to user account details Dropbox has revealed that it received up to 249 requests for informa
Topic: Privacy & Security
Dropbox asked to hand over the keys to user account details

Full Article here:

http://www.v3.co.uk/v3-uk/news/2366398/us-security-agencies-probed-up-to-249-dropbox-accounts 

Dropbox has revealed that it received up to 249 requests for information on customer accounts from US national security authorities in its latest transparency report.

The report details all the requests made by US authorities between January and June 2014. Under US law Dropbox could not reveal the exact number of information requests made by national security agencies, only a vague range.

However, the report does also reveals that Dropbox had received 268 information requests from US law enforcement agencies, rather than national security agencies. This compromised 120 search warrants, 109 subpoenas, 37 requests relating to non-US accounts and two court orders.

In a blog post, Dropbox's Bart Volkmer explained that this number was a fraction of Dropbox's 300 million accounts, but the company takes each one seriously and challenges some requests. "We also push back in cases where agencies are seeking too much information or haven't followed the proper procedures," he said.

While the report detailed how many information and content requests Dropbox responded to, Volkmer explained that many US authorities try to prevent Dropbox from informing its users of such law enforcement probes, even when they have no legal right to gag the company.

"These types of clauses were attached to 80 percent of subpoenas we received in this reporting period," revealed Volkmer. "Our policy is to notify users about requests for their information, so we push back in cases where an agency requests a gag order without the legal right."

Volkmer went on to explain how Dropbox is pushing for greater openness, better laws, and improved protection for its users' information.

The company hopes the USA Freedom Act of 2014 bill, currently in Congress, will succeed in reigning in the bulk data collection being carried out by US authorities, and allow companies to be more transparent about government data requests.

While the report detailed that the majority of requests were aimed at finding the identity and details of targeted account holders, it also highlighted that 14 search warrants and 16 subpoenas were made into accounts that did not exist.

This slightly comical situation raises the more serious question as to how effective such information-probing can be for US law enforcements, and if it is worth encroaching upon the privacy of people using online services.

Over the past year there has been a furore over information-probing and snooping by government authorities, notably the NSA and its infamous PRISM mass-surveillance campaign.


Posted by Joe Anybody at 10:12 AM PDT

Newer | Latest | Older

« June 2019 »
S M T W T F S
1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30
You are not logged in. Log in
Ben Waiting for it ? Well Look Here!
Robert Lindsay Blog
ZEBRA 3 RAG
Old Blogs Go to Joe's Home Web Site
joe-anybody.com
Underground
Media Underground
Joe's 911 Truth Report
911 TRUTH REPORT

OUTSIDE THE BOX
Alex Ansary