
Facebook privacy fuckup reveals who has your number in their phone - AlexMuir
http://www.alexmuir.com/2011/10/facebook-reveals-who-has-your-number-in-their-phone/
======
AlexMuir
These little privacy leaks are not important on their own. A little data leaks
here, a little there.

What is concerning is that we can guarantee private investigators and
professional identity fraudsters are well on top of all these little
loopholes. And combined, I'd say Facebook is probably _pissing_ data out.

Some sweet law enforcement potential here - slap in a request to Facebook on a
drug-dealing suspect, find a list of everyone with his number in their phone.
Repeat until !exists($drugNetwork).

~~~
aristus
If you are truly concerned about harm to users, did you try reporting this to
facebook.com/security or facebook.com/whitehat? FWIW, I've alerted some
people.

Your post is unclear on one point. Did you see this screen BEFORE confirming
via SMS that you were in possession of the mobile number you entered? If it
was after confirmation, that's a very different thing.

~~~
AlexMuir
For context of readers, I note you are a FB engineer. Thanks for looking at
this.

1. I'm not concerned about harm to users from this issue, I don't pretend to
be. That should be Facebook's role.

2. This isn't a bug or a vulnerability, it's something you've actually coded
- a feature. It doesn't 'accidentally' match up the number I've just entered
with other people's phonebooks, you've programmed it to do that. Fine, that's
a commercial choice made by Facebook (value of engaging new users vs concerns
over publicising people's phonebooks) - but reporting it through those links
would be nothing more than a complaint letter.

~~~
aristus
/whitehat is not a "complaint letter". It goes directly to the security team
oncall, whose job is to keep users safe even if it means killing things
written by other engineers at Facebook that had unintended consequences.

(edit: removed snark)

~~~
ma2rten
Well, what I am wondering is: is this actually an unintended consequence or a
conscious choice that has been made?

~~~
orijing
A company doesn't have a single conscience. It may have been a conscious
choice by an engineer, or it may have been an unintended consequence of some
other code change. Either way, I highly doubt it involved the check-off from a
director-level employee.

If every decision had to get approval from the management team, then progress
would grind to a halt, and Facebook would end up like Microsoft.

~~~
tripzilch
> A company doesn't have a single conscience.

And because of that we should hold it with _less_ responsibility than a single
person? Even though it holds an order of magnitude more power than a single
person?

Yeah, how about, no.

And about your other remark, that is nonsense. It is very possible to keep
those checks to a reasonable level of responsibility and many corporations do
so, with proper software engineering principles, without "turning into
Microsoft".

When dealing with people's private information, one _should_ err on the side
of caution, not on the side of $$$, and it is obvious which route facebook
took.

In fact, they are _already_ in violation of several EU privacy laws, just
because their privacy-pissing database has grown out of hand: they collect
more data than they have the internal corporate infrastructure to deal with
this amount of private data of EU citizens in a legal manner in Europe.
They went _way_ overboard, maybe not in the US, but they are also incorporated
in the EU and cannot abide by our privacy laws because they collected too
much data.

As far as I'm concerned, Facebook is on the verge of criminal negligence as EU
laws for citizen privacy are concerned. So personally, yeah, I think nothing
wrong with headlines of "Facebook privacy fuckup", as long as they're behaving
like that, singular conscience or not.

That's why we have such laws, to keep corporations responsible.

~~~
orijing
No, I was simply offering a potential explanation for why things happen.

Also, I see no need to respond to your hyperboles. I mean, "criminal
negligence"? C'mon.

------
ttl698
Wow, I just duplicated this perfectly.

Signed up with a fake name and throwaway email. Was asked to enter mobile
number for verification.[1] Entered mobile number and verified.

The top few 'People You May Know' suggestions were all people who I know have
that number on their iPhones, all of whom use the Facebook for iPhone
application. (It obviously happens if they use any platform's app to sync
contacts, not just iOS)

Don't have the time to check now, but I would imagine Facebook uses this exact
same method for suggestions if you use your primary email to sign up. People
who have you in their email contacts - and have imported them to Facebook -
are probably suggested to you too. That way you'll know who keeps you in their
email address book too.

[1] Note: to trigger the SMS verification stage, you have to enter a semi-
obviously fake name.

~~~
mules
"People who have you in their email contacts - and have imported them to
Facebook - are probably suggested to you too."

I noticed this behavior when I signed up to test this first using an old email
address. It had known friends as suggestions as well as people who had already
requested to be my friend, including my actual profile. I don't explicitly
remember importing my email contacts but it is a possibility.

Looks like it treats both contact books the same; even if a user didn't add
the individual contacts at the time of import, it keeps a record of them to
potentially make suggestions at some future point in time.

------
coulditbe
I think I've found another troublesome method that Facebook is using to
suggest new friends.

A few years ago, I created a Google profile with a vanity URL [1] and a
Facebook account with the same Gmail address. I never linked those two
accounts, used third-party apps or imported contacts into Facebook. I recently
created a Google+ profile and publicly circled some users when I suddenly
noticed that those circled users started showing up in my Facebook account as
"suggested friends". Those users don't follow me on Google+, aren't linked to
any of my Facebook friends and they don't know my Gmail address.

I can't think of any other method used by Facebook to recommend those friends,
except by crawling my Google+ circles. It's as easy as extracting my Google+
username from my Gmail address and scanning my circles at
profiles.google.com/username.

I can't reproduce this with different accounts as vanity URLs aren't available
for new Google accounts.

Could anyone confirm this with their own Google profiles?

Do you think Facebook should be authorized to "scrape" contacts from other
social networks, to extend their own social graph about their users,
without possible opt-out and no disclosure?

[1] <http://www.labnol.org/internet/vanity-url-for-google-profiles/8202/>

~~~
lars
Could it be that you are in their Gmail contact list? I don't have a public
Google profile, and never gave Facebook my Gmail password, yet I get
suggestions for people I have emailed once years ago. The only explanation I
can think of is that I'm in their email contact list, or that they've searched
for my name on Facebook at some point.

~~~
coulditbe
I know that Facebook uses the contact lists of your friends to suggest users
to you [1], but I'm 99% sure Peter Norvig doesn't have my email address in his
contact list, and that none of my Facebook friends are linked to him.

------
hermannj314
1. Some people don't realize what information Facebook is collecting, and
some of those people would object if they did know.

2. Some people don't realize the way Facebook is using the information they
collect, and some of those people would object if they did know.

Should it disturb us that those statements are true for millions of people? Or
do we not care?

It will be interesting if we get to where Facebook is required to send a
pamphlet to your house explaining how they use the information they collect
about you, who they sell it to, etc. Log on to freesocialnetworkreport.com to
see what information the Big 3 social networks have stored about you! See your
social network score, etc.

On a different note, I do hope they harvest all the numbers for pizza places I
have stored on my phone and find a way to help me get cheaper pizza.

~~~
tripzilch
> It will be interesting if we get to where Facebook is required to send a
> pamphlet to your house explaining how they use the information they collect
> about you, who they sell it to, etc.

Actually, they are, in the EU.

Well not literally with a pamphlet, of course, they are required to send you a
CD with this data on request.

Except that they're (illegally) refusing to provide most of that data under
the guise of "intellectual property" (whose? not theirs, under any legal
definition of IP I'm aware of) and "trade secrets" (which I'm sure won't hold
up).

They just provide the profile and your comments and messages and whatnot kinds
of data that are all already visible in some sense or other, on Facebook.

They do not provide the _invisible_ data, the things they collect behind the
scenes, such as what data they collect from your phonebook, what data is
available about you being tagged in photos, things like that, all the data you
_know_ Facebook is collecting (due to deduction from friend suggestions, or
just because it's there), but never really get to see because it's either a)
buried behind some algorithms (friend suggestions) or b) just stored and not
really used for anything.

These two kinds of data are EXACTLY what this EU Privacy law is intended for.
The right for EU citizens to _know_ what data about them is being stored
_especially_ when it is not immediately obvious that this data is being
collected, stored or used in some manner.

These two kinds of data are also EXACTLY what Facebook is withholding from EU
citizens legal requests because of "trade secrets". It won't hold up. I really
hope it won't.

Their reasoning for why something is a "trade secret" is the same reason why a
law exists that requires them to provide that data: because the data is not
used in the open and otherwise EU citizens would not be able to know this data
is being collected and stored about them.

Remember, the privacy laws protect the fact already that certain data is just
_stored_ , not even whether it is used or not.

I bet there's many kinds of data FB is simply _storing_ about its users that
it doesn't really use yet, data they _should_ have provided on formal request
but declined to do so because of "trade secrets".

------
samgro
It is terrible that your friends' privacy was violated, and I apologize for
this comment being off topic, but I feel compelled to address the specific
personal circumstances that Alex has uncovered.

Alex: as a gay man who came out as an adult, I urge you to reach out to your
closeted friend. Let him know that Facebook violated his privacy and you
accidentally and unexpectedly came across his secret. Reassure him that you
care about him as a friend and that his sexuality makes no difference to you.

Unless he is in physical or serious financial risk from coming out, his life
will be unimaginably better if he comes out. If he's going to lose his job or
be disowned by his parents, at least having one friend to share his secret
with may make a world of difference.

If he has a girlfriend or wife, for her sake, you need to reach out to him.
It's an incredibly awkward situation, but think about what an enormous
positive difference you can make in one or two people's lives.

~~~
kb101
Your sentiment is clearly well-meant, but that course of action just as well
could result in a disaster as it could a happy outcome.

From a data aggregation perspective, it is (unpleasantly) fascinating to me
that a programming choice in an ostensibly opt-in social networking database
has resulted in a public bulletin-board discussion of what could be perhaps
_the_ most private part of a person's life.

Examples like this are the perfect answer to the dangerous nonsense propounded
by the "anonymity needs to go away" crowd. Not everyone's life is or should be
an open book.

------
lysol
I was able to duplicate, but it took a slightly different process. Sign up,
add your mobile, confirm it, then log out and back in.

The result was definitely people who had done what the author said but it was
also interspersed with friends of friends, muddying the waters a bit.

~~~
AlexMuir
I'm glad you've managed to recreate. As mine was a new, friendless account my
list was purely people with me in their phonebook.

~~~
stevensanderson
I also reproduced something like this.

On "Step 1: Add Friends", it showed people who I actually know (presumably who
have my phone number, since that's the only info I gave that actually relates
to me)

On "Step 3: Profile Information", it offered many more people, most of whom I
don't actually know (presumably friends of the people from step 1)

Note that to trigger the mobile-number-confirmation request, you may need to
enter dubious-looking profile information. In my case, I entered a name like
"Blaah Blahh", with a throwaway email address from www.mailinator.com. If your
fake name is too realistic, it won't necessarily trigger the security check.

I _do_ have the same mobile number on my primary account, so it's possible
they found me that way. But either way, it's notable that in step 1 they
managed to show just the people who I would expect actually do keep track of
my phone number.

~~~
AlexMuir
Jackpot - the name is the trigger, possibly combined with an own-domain email
address.

~~~
mkopinsky
I created an account with a fake name and mailinator email (after several
tries where it rejected mailinator domains, it finally worked with
bobmail.info). It asked me for my cell phone number to confirm, and when I
entered the code it had quite a large number of "John Doe is someone you may
know". These people are not all people who I'd expect to have my phone number
saved in their phones. My phone number is linked to my primary account, but I
don't think it is visible.

~~~
mkopinsky
Two addenda:

1) Apparently my cell phone number used to be registered to my primary
account. When I created the fake account, it removed my number from my primary
account and assigned it to the fake account. So what happened there was they
suggested friends from the account that used to have the same phone number
assigned to it. The creepy thing here is that it also suggested people that I
had recently defriended.

2) I did the same thing, using my Google voice number which had not previously
been registered to any FB account, and was suggested three friends who
apparently have me saved in their address books.

------
pokoleo
I was able to trigger it, despite the fact that they didn't ask for my phone
number.

- Signup. (ignore that you need to confirm your email)

- Go to your account settings>mobile

- Go to mobile.

- Add a mobile phone.

- Enter your password

- Click "Add your phone number here."

- Verify your phone number via text.

\- Click the facebook logo.

You should be able to see recommendations based on your phone number.

------
FaceKicker
I just tried this out of curiosity, but it never asked for my phone number
(not only was it not required, I didn't even have the option to provide it at
any point during the sign up process). Facebook had no friend recommendations
for me at all.

I then tried adding my phone number to my profile (a phone number that I also
have on my actual Facebook account). Went back to the home page and looked
around a little more, still no friend recommendations. It's actually a solid
possibility that nobody who has uploaded their phone contacts to Facebook has
me as a contact (I didn't even know that was possible, actually).

~~~
AlexMuir
<http://www.facebook.com/gettingstarted.php?step=friend_requests>

That's the URL that I'm still being directed to - I haven't actually clicked
'Next' yet.

~~~
FaceKicker
On the account I just created, that URL just redirects to the home page (where
it wants me to import contacts from email, etc.).

~~~
AlexMuir
Not sure what to suggest - I just hope someone else is able to replicate it or
I'll look like an arse. I was on a UK IP, without erasing cookies between
logging out of my old FB and creating a new one.

~~~
LetBinding
This is interesting.

I signed up with a new email address. Put in my phone number. I _do not_ have
this phone number on my primary account. Now on my dummy account, I get a long
list of friend suggestions, most of them from my primary account, and some
unknown.

My dummy account and primary account are not linked in any way. All cookies
cleared. So how did my dummy account suggest so many friends from my primary
account? It didn't before I entered my phone number in my dummy account. Some
of the friend suggestions live in other countries, and I doubt they would have
my US phone number.

------
rickdale
I deleted my facebook account in March 2010. In November, six months later,
the only evidence of my account was that my facebook information was loaded
onto my friends telephone. He had my profile photo, plus some random tidbits
of information automatically grabbed from facebook by his phone.

~~~
zmitri
I deleted my facebook account ~6 years ago, but before I completely deleted it
I changed my name to "DLC Text".

About a year ago I started getting emails from facebook recruiters, and guess
what my name was resolving to in their system? Yep, that's right -- "DLC
Text".

For 6 years they have kept my information even though it was deleted.

~~~
count
Silly semantic question - when you 'delete' your facebook account, do they use
the word 'delete' or just 'disable' or 'shut off' or something similar?

A friend of mine ragequit facebook a little less than a year ago, came back,
and it allowed him to reactivate his profile. I don't think it ever said
'delete' though.

~~~
zmitri
I first "disabled" it, and then I continuously pestered them with emails until
they told me they had deleted my login and my account.

------
JonnieCache
I can confirm that the "security check" thing is related to having a fake
name, or perhaps an empty profile. Both of those apply to my primary account
and I'm prompted to enter a phone number every time I log in.

It doesn't seem to be required, I've always just dismissed those "security"
prompts by clicking the FB logo in the top left, which forwards me to the
homepage just fine.

The chances of facebook getting my mobile number are about the same as my
chances of flying to the moon by willpower alone.

~~~
feral
Couldn't they just get your mobile number, from one of your friends iPhones?
Even if you had a fake name on your profile, I would assume its still fairly
straightforward to identify you purely from the network structure.

I've no idea if they are doing this, but I wouldn't put the possibility in
moon/willpower territory.

~~~
lawnchair_larry
Man, that is annoying. "Don't like it, don't use it" they say. I don't use
facebook. I blacklist any requests to their domain ("Like" button etc). As you
have pointed out, but I did not previously realize, they surely have my name
and number in all of my friends' social graph, because they snarfed it from
their iPhones or other mobile device.

------
joshmlewis
You know I've been wondering about Facebook saying they have 500 million +
users but I wonder if they count the deactivated. Which is a fancy word for
suspend.

I went to delete my account the other day just because there is so much crap
and it's time wasting and I go searching for delete but couldn't find a link!
I then came across the deactivate which I had heard about before and went with
that but they still keep all my data and it's ready for me just by logging in
again.

To delete I had to Google and find an actual link in a forum on how to fully
delete my account. And after I found the link you are taken to this page that
asks you to confirm and then you have to wait two weeks (I guess to let people
go back after Facebook withdrawal.) I guess what I'm getting at is: Facebook
makes it easy to deactivate with a false sense to their users that it's sort
of being 'deleted.' Yet they are keeping everything, even messages, from your
account. I wonder if they still count these accounts in their user count?

~~~
alexgartrell
Our user metrics are in terms of monthly and daily active users. More than 800
million people logged in last month with more than 500 million logging in on a
single day.

~~~
joshmlewis
That's right, I remember reading that somewhere. Thanks for clearing that up!

------
jqueryin
They appear to have resolved this issue in a timely fashion. I can no longer
find a request for phone number during the sign up process or once logged in
to find friends.

~~~
Silhouette
> They appear to have resolved this issue in a timely fashion.

Not for the guy who was outed, they didn't.

------
ashu
[Note: I work at Facebook, and have worked on some of the friend suggestion
tools.]

There seems to be some confusion about how friend suggestions work, and we
definitely want people to understand how their information is used and
their options to control it.

Generally, the contact importing tools and resulting friend suggestions have
been used by millions of people to make hundreds of millions of friend
connections. We're proud of this (since it is clear that real connections are
made) but also understand that people should have control. That's why we
include a notice in the contact sync (on phones) and upload (on the web) flows
that makes it clear that contacts you import may be used to generate friend
suggestions for you and others. If you're concerned about being suggested as a
friend to others based on the contacts in your address book, you can either
not upload it, or if you have already uploaded it, you can remove your
uploaded contacts
(<http://www.facebook.com/contact_importer/remove_uploads.php>). You can also
block any individual people. These steps prevent what Alex (or rather, his
friends) experienced — people being suggested as friends based on having a
phone number in their address book.

Also, some of you have noticed that we don't always require a phone
verification for an account. This is a security feature designed to prevent
spam and fake accounts that is only triggered when certain conditions aren't
met.

------
scott_s
I am not surprised by this. If I share my phone's contact list with Facebook,
I expect that it will become a part of the social graph, just as who I am
friends with on Facebook is.

~~~
rshm
Do you think Facebook should tell you about this beforehand in simple words?

~~~
scott_s
I've been thinking about your question for a day, and I'm really not sure. To
me, this sort of thing is obvious. It's just how I think about Facebook. But
some people are continually surprised at what Facebook knows about them, or
what it can find out. And I don't know how to be more explicit with them.

In other words, I think that this sort of thing is implicit in using Facebook.
But for some people, they're not. So do you remind them about this every time
they do anything new? I don't know.

------
Hitchhiker
I am wondering if someone is prescient enough to write a "Facebook is dead"
essay.

After a group perfects Gentry's work[1].. someone will gear up a homomorphic
scheme combined with a generative personal cloud[2].

The "personal" in PC was most important when C stood for computer. Next, it
will be most important when C stands for cloud.

[1] - <http://crypto.stanford.edu/craig/>

[2] - <http://futureoftheinternet.org>

------
Kell
How does the guy know Facebook used specifically the phone number he gave them?

It's pretty much possible. And Facebook is Evil. But I don't understand how he
could be certain of that?

~~~
AlexMuir
They had no other information - there is no doubt. I 100% guarantee that's how
it was done.

~~~
unreal37
They have your IP address.

------
AlexBlom
Seems down. Can somebody paste here?

------
pmorici
I'm confused as to how this is possible. Are people syncing their phone books
from cellphones to Facebook?

~~~
JonnieCache
Yep. A lot of Android builds have it baked in, and I assume the Facebook apps
for Android/iOS have this functionality.

~~~
jarofgreen
The official FB app for Android asked me if I wanted to sync my friends list
with my phone address book and I said No. I would like to think this means
they didn't scan my phone's address book, but I wouldn't be surprised if they
did.

------
kb101
Phone numbers and addresses are fast becoming like email addresses. In the
same way that you can assume putting your email address into any website form
that requests it will eventually result in spam, putting your phone number
into any phone or your address into the database of any service provider will
eventually result in a "leak".

We are to the point that to maintain any semblance of privacy, you need at
least two email accounts (one you don't mind getting spammed), two phone
numbers (one you don't care about facebook and others tracking) and two
addresses (a mailing address/box service and your actual physical address).

------
sidwyn
I can't get the screen he's seeing, all I did was to verify an email and I'm
in!

~~~
AlexMuir
I'd be interested in anyone else's results. You might find the list by adding
your number manually and then FB will only have this datapoint to find 'People
you may know'.

~~~
sidwyn
Ok I've added my number. Where do I go to see suggested friends?

------
orionlogic
Your address book has become the most valuable asset in this social web era.

------
muyuu
Google also asks me repeatedly for my phone "so I can recover my account" and
for security reasons.

I'd rather lose my google accounts altogether than link any of my main phones
to my gmail account.

~~~
sandee
That is only for sending the SMS of secret passcode for account security,
right ?

(Yes, if they scrape someone else's phone and your phone number happens to be
there then ya there is some issue. Is there any precedent of Google scraping
phones through any means?)

------
runn1ng
Um..... I don't get it.

How can Facebook have access to numbers on anyone's phone?

~~~
tghw
Mobile apps.

~~~
runn1ng
The phone apps can have access to phonebook? OK, I didn't know that.

It seems that I am heavily downvoted, so... sorry for my comment.

~~~
potatolicious
It's one of the troubling things about iOS (not an Android dev, so don't know
from that end).

An iOS app needs explicit user permission to know your location, or to send
you push notifications. It _doesn't_ need to ask if it wants into your phone
book and calendars.

 _Any_ app on the iOS App Store can read your phone book and calendars and do
_anything_ they want to this information. This is a mind-bogglingly gaping
security hole.

------
obtino
Okay, it appears that this server is down. I have a cached copy here:
<http://bit.ly/rgygsW>

------
paolomaffei
Has anyone tried creating a new account with a phone number they already have
on their main FB account to see if this works always?

~~~
forensic
I tried it, FB gave me no recommendations, but maybe no one has me in their
address book.

------
roxtar
Site appears to be down: <http://www.isup.me/www.alexmuir.com>

------
iamleppert
They also have another "feature" that works the exact same way when you sign-
up with an e-mail address that someone had in their address book and used the
"Import contacts from feature". You can try this with a fresh account. I'll be
writing a blog post about it, as well, soon.

------
simondlr
Is it so bad? You can still choose to not have your number on Facebook? Or am
I missing something.

~~~
Kell
The problem is the lie. They asked the number for security reasons. I'm fine
with that, i can give it to them for security reasons. BUT only for security
reasons. Not for any other reason. So if they ask it for one reason and use it
for another. That's bad.

~~~
AlexMuir
And not just that - I can hide my own mobile number, that's fine. But the
issue is with this cold-start page effectively showing a list of people who
have my number.

~~~
derrida
Can you do anything to rule out it was the pre-existing cookies? It could be
that Facebook doesn't mind people creating new profiles, as long as they know
about it.

------
patrickwiseman
I still was able to replicate, albeit with some effort. Used a bobmail.info
address, "Jake Doe", and had to have them actually call to deliver the pin.

Results were not that unexpected save one, but it seems like a friend of a
friend.

------
spullara
This also works with email addresses when your email address is in someone
elses address book that has been imported.

------
kunalb
I'm not particularly sure about this, but why would revealing the people who
have stored YOUR phone number to YOU be such a big deal?

I'm assuming phone number verification checks that you own the number via SMS;
so it just acts as a reverse-stalker (I'd be worried about people I _don't_
know having my phone number saved).

~~~
gregschlom
Because, as the article says, it can reveal Facebook accounts that you didn't
know your friends had, such as this friend of the OP who has a "straight" and
a "gay" FB account.

~~~
kunalb
I'm not sure that's such a huge sin -- technically I think FB says that you
cannot have more than 1 account/actual person; I'd imagine when this `feature`
was baked in the engineers didn't imagine that anyone would maintain an
account that 1) they would keep hidden from friends _and_ 2) add their phone
numbers to.

At the very least, the friend could have blocked the set of people he didn't
want to know about his preferences from the "gay" account: otherwise what
stopped a simple search by name from showing both accounts?

~~~
gregschlom
You got two assumptions wrong here:

1. People may very well have an account with a fake name, so that it doesn't
show up in search. In France, for example, a large number of FB users are
stripping out the vowels from their last name to make their FB account less
findable.

2. According to the article, it's not the "gay friend" that put his phone
number on his hidden account. He merely has OP's number in his phone address
book (which is normal since they are friends in real life), and the FB app is
pulling this information.

~~~
kunalb
Hmm. 1) Fake name, yes -- I wasn't aware of that practice; not that common in
India, at least in my friend circle.

2) That was what I meant -- syncing actual details with your anonymous
persona.

~~~
zem
I'm Indian and I have several friends with fake names.

------
Animus7
Not so much of a "fuckup" as it is a "feature".

Not to say that I agree with this practice (I don't), but someone deliberately
implemented this, and there's a good business case for it.

The privacy implications are unfortunate, but what else are we to expect from
Facebook these days?

~~~
Kell
Hum. Respect the law ?

I don't know in the US. But here in Europe that's pretty much against the law
in most countries.

~~~
Bud
Point of order:

If you don't even know what the law is, you might try finding out, before
sniping about how someone supposedly is not "respecting" it.

If you did, you might then find, for instance, that the best course of action
is to complain about the law (or lack of laws), and do something about that.

~~~
Kell
Wow? Why so much anger?

Anyway, I think you're wrong. I do know the law in France and Europe. And
since I live in France, I have a contract with Facebook Ireland. Not Facebook
US. So it's the Irish law that is the appropriate law. I don't know the
details of Irish law in that matter. So your Argumentum ad nauseam saying I
should know the law could have been correct... (if not excessive and
disrespectful) but since Ireland is part of the European Union... I do not need
to go seek the exact Irish law. Directive 95/46/CE is there to unify the
European law on that subject.

See by yourself:

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:...](http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML)

"SECTION I PRINCIPLES RELATING TO DATA QUALITY Article 6 1\. Member States
shall provide that personal data must be: (a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further
processed in a way incompatible with those purposes. Further processing of
data for historical, statistical or scientific purposes shall not be
considered as incompatible provided that Member States provide appropriate
safeguards; (c) adequate, relevant and not excessive in relation to the
purposes for which they are collected and/or further processed; (d) accurate
and, where necessary, kept up to date; every reasonable step must be taken to
ensure that data which are inaccurate or incomplete, having regard to the
purposes for which they were collected or for which they are further
processed, are erased or rectified; (e) kept in a form which permits
identification of data subjects for no longer than is necessary for the
purposes for which the data were collected or for which they are further
processed. Member States shall lay down appropriate safeguards for personal
data stored for longer periods for historical, statistical or scientific use."

Do you think what Facebook Ireland is doing (yes, because Facebook Ireland
offers the EXACT same service as Facebook US) respects the law in Ireland?

Then you should know that it's everyone's right to ponder about the due
respect of law without having to file a formal complaint and start a trial.
Otherwise, journalists would have to sue half the world. By the way suing
costs money that I don't have. So if the only ones that can complain about
some problems in a company policy, are the ones that have the money to sue the
company... we're in a sad society. I think that's the moment when an American
starts complaining about socialism in Europe.

------
fl3tch
I suppose it's worth noting that your gay friend had to add your phone number
to his secret account, which is a privacy snafu on his part. After all, if he
was trying to hide his sexual orientation from you, why would he enter your
contact details into that account?

We also have to take some responsibility for our security and privacy.

~~~
tjoff
He didn't... Most likely his phone did it for him.

------
mtkd
Headline is a little sensational. I'm not a big fan of FB but this is just an
artefact of the recommendation algos they're using.

Any contributor to HN shouldn't be surprised that a web app is using every
possible bit of personal information it has to influence recommendation.

Someone mentioned a similar issue with Twitter recently (they signed up with
a new email but using a machine they had used previously and it recommended
based on an existing cookie or something).

If you submit personal information - the recipient is likely to use it in many
ways that make you uncomfortable - either immediately or at some point in the
future.

Just because you feel secure with the current management team you donate
personal data to doesn't mean your relationship with the next one will be so
cosy. Nobody deletes data any more.

I guess at some point in the future identity online will be a lot more formal
(Google+) and we'll be able to explicitly set the context (circle) we expose
to services.

~~~
andrewcooke
you seem to confuse being able to explain why something happens with whether
or not it is a security breach. that this is an artefact of the recommendation
algorithms does not change the importance of the information leaked.

and the argument "you should not be surprised companies fuck you over" simply
gives away moral ground without a fight.

i really can't understand posts like yours. is the chance to appear world-
weary and knowledgeable really worth selling your soul for?

