It’s no surprise that Facebook treats your personal data as a commodity. But when that data ends up on the open market, you may be surprised at the price it brings: in this case, less than half a thousandth of a penny.
Bulgarian blogger Bogomil Shopov wrote Tuesday that he had purchased a spreadsheet containing 1.1 million Facebook user IDs and email addresses for $5, according to Mashable. The data was allegedly scraped by third-party applications and offered for sale on a website called Gigbucks by a user named “mertem.”
“I just bought more than 1 million … Facebook data entries. OMG!” wrote Mr. Shopov on his blog on Tuesday, October 23rd. Fortunately, the Bulgarian blogger and digital rights activist has no intention of spamming the list or hacking into accounts – he did it only to prove a point. That point, of course, was to highlight how easy it is to gather personal information from the social networking site.
Shopov said he bought the data from a user who went by “Mertem” on Gigbucks, a digital odd-jobs board where users offer to perform tasks in exchange for $5 to $50.
“The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe,” Mertem apparently wrote in the sales description. “There are users from other countries as well but they are almost exclusively English-speaking as well.”
Mr. Shopov verified that the emails did correspond to the Facebook user IDs, most of them private. He even identified people he knew in the list. The next day, he was contacted by Facebook’s Platform Policy Team.
The letter says: “Hi Bogomil, We’d like to set up a call with you to discuss a recent blog post of yours. Could you please provide a time and a phone number that works with your schedule? Thanks, Platform Policy Team, Facebook.”
According to Shopov, Facebook wanted to reclaim the data and investigate the leak and sale, but their discussion was somewhat cloak and dagger. He summarized the exchange in a subsequent blog post — the exact thing Facebook asked him not to do.
“Now we would like you to send us this file, delete it, tell us if you have given a copy of it to someone, give us the website from which you bought it including all transactions with it and the payment system and remove a couple of things from your blog. Oh and by the way, you are not allowed to disclose any part of this conversation; it is a secret that we are even having this conversation.”
Mr. Shopov confirmed these events to Mashable, and elaborated on his dealings with Facebook Inc. “I had a call with them last night [about] why I am writing those things on my blog,” Shopov tells Mashable in an email.
“They didn’t mean to leave this impression on me, and we agreed on how to transfer the data to them. I gave them the data today via their secure system. I promised to delete the data, and I did.”
“[The seller] said the data came from a Facebook app, and I can believe that, because we checked a couple of profiles and there was no e-mail address present. This info cannot be scraped from the Facebook website,” Shopov explains.
After getting wind of the transaction, Facebook Inc. said it would investigate how the data entries were obtained, reports Forbes Magazine. “We have dedicated security engineers and teams that look into and take aggressive action on reports like those raised here,” a Facebook statement to the magazine read.
In 2010 Shopov helped to found Bulgaria’s Pirate Party, which focuses on privacy and digital civil liberties. He says he hopes that the incident will call attention to Facebook’s insecurity, especially when users sign up to share data with third-party apps.
“Anyone can grab your data,” says Shopov. “Users click ‘I agree’ or ‘I accept,’ and their information goes off to the application developer, who can do whatever they want with it.”
Update: Facebook now says it believes the information was taken from its site by scraping users’ public data rather than collecting it through an application, reports Forbes Magazine. It’s worth noting that Shopov says a few of the emails he checked from the list were not displayed publicly, casting doubt on the scraping theory. But it may be that those users did display their email addresses at some previous time.
“Facebook is vigilant about protecting our users from those who would try to expose any form of user information,” a company spokesperson writes. “In this case, it appears someone has attempted to scrape information from our site. We have dedicated security engineers and teams that look into and take aggressive action on reports just like these. We continue to investigate this specific individual.”