Showing posts with label Equifax. Show all posts

June 28, 2018

Facebook's "shadow profiles" are not unique, and that's a huge problem

Facebook's practice of building shadow profiles, collecting enormous amounts of personal data about people who don't have, or who never had, Facebook accounts, with neither their knowledge nor their consent, is hugely problematic. It's not just the ethical and privacy concerns, with an enormous corporation building a detailed profile which can be used to target you for all manner of subtle (or less-than-subtle) influencing; there's also a security concern here, because the sort of information that accumulates in these shadow profiles can be used to facilitate harassment, intimidation, assault, spear phishing attacks, identity theft, doxxing, swatting, and more. Lives may literally depend on the ability of the profilers to keep their shadow profile databases secure.

Enter Exactis, a marketing firm that you've probably never heard of, but who you're going to learn a lot more about in the coming weeks. From WIRED:
"It seems like this is a database with pretty much every US citizen in it," says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen," he says.
Thanks to the avarice and incompetence of Exactis, a huge swath of the U.S. population is about to learn just how problematic it is to have a gigantic trove of personal data, including yours, freely available online to literally whoever wants access. As with Equifax's security failure, which leaked the SSNs and credit card information of 145 million-plus Americans, along with tens of millions of Brits, the true impact of Exactis' security failures will likely take years to manifest, but the cost to society of failing to regulate the practice of profiling people without their knowledge and informed consent is already significant, and growing with each passing day.

The inevitable sequence of public outcry, Congressional hearings, and class action lawsuits should be getting underway shortly. We can hope that no violence or deaths follow as a result of this breach... but given recent history, I'm not holding out much hope of avoiding that grisly outcome.

Seriously, there needs to be a law against this shadow profiling shit.