Personal data: if you won't provide it, Facebook knows someone who will

Big companies make two kinds of announcements. There are RAH RAH RAH HOORAY FOR US announcements designed to get as much attention as possible, and there are the announcements that firms sneak out on a Friday evening when all the European journalists are drunk and the US ones are heading home.

Facebook's blog post about a major security breach falls into the latter category, because Facebook really doesn't want you to think about shadow profiles.

As Violet Blue writes on ZDNet: "The personal information leaked by the bug is information that had not been given to Facebook by the users - it is data Facebook has been compiling on its users behind closed doors, without their consent."

It turns out that if Facebook can't get information about you from you, it'll grab it from your friends instead.

What are shadow profiles?

We've known about shadow profiles for some time: in 2011, Europe vs Facebook filed a complaint against Facebook Ireland with the Irish data protection watchdog (PDF) on the grounds that Facebook was collecting "as much information of users and non-users as possible."

Facebook strenuously denied the allegations at the time, so the leak of shadow profiles must be rather embarrassing.

Here's how it works. Let's say you only put a very basic amount of information on your profile and keep details such as your main email address or your mobile phone number away from Facebook.

If any of your friends have that information and they sync their address books with Facebook, Facebook gets that contact info. If a friend from X university or Y employer searches for you, Facebook knows it's pretty likely that you went to X university or worked at Y employer.

If you aren't on Facebook but somebody's put your details into Facebook's friend finder, those details are now on Facebook.

Facebook isn't the only firm that stores address book details, but others such as Twitter delete the data after 18 months. Facebook doesn't, and it appears to store much more information - and that's none of your business, because other people provided it.

According to Facebook, giving you any control over that information would be a freedom of speech violation.

I'm not sure that's legal, because here in the EU we have pretty solid data protection legislation: it's based on "data minimisation", which is the principle that organisations shouldn't hold more data about you than is strictly necessary. "You should not hold personal data on the off-chance that it might be useful in the future," the Information Commissioner's Office says. Facebook, it seems, is doing exactly that.

I'm not one for conspiracy theories, but this one's a beauty: when you consider that, over and above the things you consciously share, Facebook can also record your GPS location, the websites you visit and any information your social network contacts have about you, it looks like the sort of thing the security services would just love.

By an interesting coincidence, Facebook's former security chief, a former FBI man who left Facebook in 2010, now works at the NSA.

If you're looking for me, I'm the one in the tinfoil hat.