Ask HN: How has Facebook figured out my family doctor as a friend suggestion?
76 points by throwaway_374 on Apr 16, 2017 | 61 comments
I never use Facebook on my phone so you can hopefully rule out contact list networks - not that I ever had their personal mobile on my list - and location tracking because I haven't attended my doctor's surgery in years. We have zero friends in common. Other than my doctor actively looking me up on Facebook - highly unlikely - how on earth is this possible? I'm willing to accept friends of friends suggestions but this is beyond spooky.

We've gone through this many times, it's nothing nefarious.

1) doctor uploads his contacts (phone number/email addresses) to facebook and sets his contact info

2) you upload your contacts and set your contact info

If there's one match between them, facebook believes (correctly) that there is some sort of existing relationship between you. The fact that it's professional and not personal and you want facebook to just be personal doesn't change it.

In other cases facebook can see you are friends with many of the same people and hence figures you might know each other.

I think we could reasonably disagree about whether or not it's nefarious. Siphoning everyone's contacts is iffy to start with.

The thing is: users explicitly allow facebook to do that when they agree to ToS, just as they allow it to store their personal photos, statuses, and messages.

It's not exactly without consent

My old manager wanted me to install WhatsApp. WhatsApp wanted to access my phone's address book so that it could upload all of my contact info to their [Facebook's] servers. I denied it, and it refused to work. I didn't want to share my contacts - I just wanted to communicate with a specific set of people. The only workaround I could find is to back up and delete all my contacts before letting WhatsApp rummage through my address book.

I wouldn't say this practice is very "consensual".

You wanted to use the app. The app makes the rules. Either use it or don't. I don't see how they had a gun to your head.

Sure, as Congressman Sensenbrenner said, “Well, you know... nobody’s got to use the Internet”


Everyone in the contact list didn't provide consent. Facebook better understands the privacy implications here more than individual users so I don't see anything wrong with placing most of the blame on Facebook.

It pretty much was the entirety of the Facebook app's life. And it only somewhat changed when Google introduced permissions where the user actually has to opt-in (post app install).

Going to a doctor implies consent to have your contact data shared with Facebook?

There doesn't have to be a match. Simply the fact that either person either uploads their contacts (either via linking to their email or installing Facebook on their phone) is enough to assume the link.

After all, if you have someone in your contact list (phone or email), you've probably been in touch at least once.

Nefarious? Debatable. But also totally predictable.

So they Kevin Bacon it? (https://en.m.wikipedia.org/wiki/Six_Degrees_of_Kevin_Bacon) Has anyone generated enough fictitious people to determine the number of degrees they'll go to? I would imagine at 4 hops the list gets huge and well outside your personal circle but it'd be interesting to see some studies.

I strongly believe so. There are people who I know of in passing in real life (we exist in same extended social circle, but who I have never really spoken with), but as we have lots of mutual friends they come up as suggested matches for me on facebook.

Thanks for your reply but I have no idea why this is the top voted reply as it does not consider my factors. As noted by others:

1) The doctor/practice does not have my latest mobile phone number as I have not been to them in years. Having said that, it may be an old number on which I used to use Facebook. This friend suggestion is only in the past few months, which suggests that they are mining friend circles in historic usage data - everyone you know, and ever knew. All that being said, this would require my doctor to have my personal mobile number on her personal mobile phone on which she would have used Facebook at some point in time, which is absolutely impossible in a professional setting.

2) I have not installed Facebook on my current phone.

I'm still not convinced by any argument here, beyond the doctor actively looking me up on Facebook personally outside work.

1) the doctor might have only uploaded their contacts to facebook recently

2) my argument has nothing to do with your phone, just what info you have given facebook (email/phone number). If someone else uploads their contacts that includes one of those pieces of information, facebook makes a connection.

No, your doctor actually is not allowed to upload your contact information as a patient to Facebook. It is against regulations. Patient information is private, including contact information. If he or she has done so it IS nefarious.

Extract from wikipedia about protected health information below: note that names and email addresses are PHI and must be treated with special care....

Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care:[1]

Names

All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

Dates (other than year) directly related to an individual

Phone numbers

Fax numbers

Email addresses

That's actually a reasonable argument but would imply that a doctor cannot use any cloud connected phone (i.e. android or ios). Heck, even using gmail from the web might be a problem.

Not a lawyer, so don't know the implications.

The suggestion is that as you go to your nearest doctor's office (or one of the nearest) you're likely to have social friends in common.

I think the original asker said he had never uploaded his contacts. Presumably though Facebook could just follow the reverse relation from the doctor without needing to confirm that it goes both ways.

Thanks for reading my post and noting this. I'm not sure the reverse relation applies either as it would require the doctor to have my personal contact on her mobile which is absolutely not the case as this is a shared practice and I haven't been to her in years.

the asker doesn't have to upload his contacts, he just has to tell facebook his number or email address. the doctor might have uploaded his contacts which include one of those pieces of information.

Factors that contribute to friend suggestions on FB:

1. Facebook tracking pixels on websites (if you visit a website with the pixel, you can be targeted in many different ways).

2. Email. If you have sent or received an email to the doctor, and either of you has associated that email to FB, you can be tracked.

3. Searching on FB, you say it's unlikely for him to look you up on FB, yet there's always a chance that being a family doctor, he might have at some point seen one of your family member's FB and stumbled upon a picture or post in which you were tagged.

4. Whatsapp Contacts. As you know, Whatsapp and FB are part of the same company, hence have access to linked information. If you share certain Whatsapp contacts, a connection can be inferred.

Also it might be relevant that FB buys third party data:


It wouldn't surprise me if a credit card payment for a doctor visit might lead to such an association or suggestion.

Ugh. Hadn't thought of that. That means, probably, they are also filling in their social graph for people that have never touched Facebook at all.

Right the "shadow graph."

I've also noticed other trends to where using a credit card at a store has resulted in receiving postal junk mail from the store I have just used the credit card at. I suspect credit card companies give stores access to your credit card billing address when you use your credit card there.

Protecting against these creeping incursions is certainly a feather in the cap of crypto currencies.

I'm glad you covered the bi-directional aspects of the association. A number of years ago FB had a vulnerability I discovered whereby it was possible to register an account with an e-mail you don't own. Obviously it wouldn't be possible to then verify the account if the owner of the e-mail targeted failed to click on the verify link. To get around this, upon first authenticating with the account after registration it was possible to change the e-mail address to one you own then send a verify request. After verification, it was then possible to change it back to the original e-mail at which point it was verified.

In testing with a few people who never even had FB accounts and who I clearly did not import any contacts, etc., was that they fairly immediately received friend suggestions and even requests from people they knew. This was also despite the fact they'd never used the computer or even IP address used in the registration of the account. At the time it helped me prove a point that not participating in social media could be a security problem & to always take social media verification seriously. Obviously FB has since fixed that vector.

This was easy to do as late as 2010. I haven't tried it recently but it was a common attack for quite a while:


At the time a number of us were arguing with FB that it was a vulnerability. How times have changed.

Using the wifi at the doctor's office would be another method of linking. (I know this doesn't apply to the poster, but just giving another method.)

About 2: Email. I don't understand. If I send an email from my gmail address to his hotmail address, and both of us use the addresses for Facebook registration, how does that link us? And you say "either", so only one of us uses it for Facebook. I don't get it.

About 3: Maybe he has many links to other people on FB, people in his social circles, one or two or even three steps away. If you have enough of these people, the link is made. And they just show these people, and at some point you see it and all the others go unnoticed, but this one pops out.

>> email

I agree that it's likely not "either" but both email addresses matching but I'm convinced that some friend recommendations come from gmail. There's no other way.

I question point 2. Are you suggesting that Facebook reads my email? Have I given them my email password? If not, how? (I ask, because I don't use Facebook).

Sure, if we have each other's email addresses in our contact lists on Facebook, I can see how the connection was made.

In this scenario you don't know if the doctor uploaded their contacts list to FB. You further don't know if they are using a lousy e-mail app that sends usage information to FB, perhaps as part of an advertising integration.

I had a surgical procedure done at the beginning of the year. I hadn't explicitly shared this information at any point online or visited any websites related to the surgery. A few days after visiting the hospital for some tests, Google AdSense was showing me ads for surgeons at that specific hospital.

I'm not sure who I was most disappointed in. The hospital for purchasing the ad, Google for tracking my hospital visits, or myself for trading privacy for the convenience of services like Google Now.

And, to top it all off, those ads were utterly ineffective, since you'd already had the procedure done!

Amazon and eBay have this same problem, wherein they show you things similar to things you've already bought.

> Amazon and eBay have this same problem, wherein they show you things similar to things you've already bought.

Which is especially silly when it's something you'd only buy once. "Oh, you bought a table saw? Why not fifteen more?!"

The problem with all of these mobile apps is you just need ONE of your contacts to upload your information, and then you're fucked. That's why I've given up trying to hide my details because they already have it. The idea that all 100% of my contacts respect my privacy is ridiculous unfortunately.

Definition: Your "Facebook ____" is the lowest ____ of any of your "friends" that has a Facebook account.

Where ___ is any applicable attribute such as intelligence, privacy, etc.

Corollary 1: You will be surprised at who is included in the set of "friends" that have a Facebook account.

Corollary 2: You will be surprised at how low the lowest ____ is for your "friends."

I had something similar happen with an odd friend. I discovered that I shared my address book with the messenger app. With gmail auto-adding contacts, you might have been linked that way.

Besides every other suggestion here, couldn't it be that your doctor actually is a friend of a friend?

Not possible as zero mutual friends, unless second degrees are considered which based on all other suggestions is not the case and would naively scale factorially (?).


1) you have instagram or whatsapp and use them frequently

2) you use an app that has Facebook login, that has location access or just has the SDK lying in app but not being used.

3) I don't know about what access react native/js frameworks have in terms of device resources, but that "may be" another source of info leak.

4) your contacts/friends uploaded a photo on one of these services where you were there in the photo

5) if any of these apps have microphone access (when you record videos) it's "possible" to do many surreptitious things.

All of the above, done by 1 or many of your friends/contacts on Facebook/instagram/WhatsApp, FB identified you and correlated it somehow.

Facebook suggests a person I keep seeing on my commute that also works in the same building as me (not same company). I always think the 0 mutual friend recommendations are a bit weird/interesting

To be fair, users who appear to travel in the same circles (even just an IP address can reveal such correlation) seem like a fairly good choice for making that kind of suggestion.

I think Facebook also connects people who appear at the same wireless access points, so you could have received the suggestion once your phone connected to the Internet at the doctor's office.

Surprised this reply is this far down here.

The correct answer is that if you have the FB app installed, it tracks your location. If you are in any place with another person with the FB app also installed multiple times, it assumes you two know each other.

It is why therapists and other medical professionals should not have FB (or any social network app, for that matter) installed on their phone (or, alternatively, on while in the work place).

The most unusual friend suggestion I have received is a profile for the actor Steve Martin. It had two mutual friends, and appeared 20 minutes after a friend asked me "Have you ever listened to Steve Martin? The actor? He's also a bluegrass musician" and played a couple of songs on Spotify.

Any ideas on how that came about? It's hard to believe it's anything other than some app listening to audio.

Do you log into spotify through facebook?

Spotify was running on my friend's desktop. I have no FB apps installed other than Instagram. I do not believe I had Spotify installed on my phone at the time, though in the past, I have, and logged in through Facebook.

Something is indeed spooky with Facebook and their other products. I am friends with a guy on Facebook and a person with the same name ended up as a suggestion on Instagram - ok maybe not so spooky. But(!) this guy looked like my friend except like ten years older. So I guess the combination of same name + looked like my friend (Facebook Face recognition) made Instagram suggest this dude to me.

I have a similar, but even less connected case than a doctor: a contractor that worked on my basement. No friends or clients in common that I know of. I've never been to his office. Don't even know what town he lives in. I did use FB on mobile for a short while, but probably didn't allow location info (call me paranoid). I most definitely did not upload any contact list.

How can it be?

How many other people in their recommendations list do you either not know at all, or only know of them, but have never met? Whatever algorithms they use to produce these recommendations (your social graph, IP addresses in common, etc) will of course wind up surfacing a broad range of people, including some back you actually know.

A Twitter acquaintance had a phone call from a website owner where he'd just browsed their site, no relationship in any other way.

We think they did a whois on his IP address which was at his company address, which we all know is doable, but seeing companies proactively do this is crazy.

Either you have searched your doctor, or your doctor has searched you.

I believe this is the correct answer, it happened to me as well. I got a friend suggestion for my daughter's speech therapist, and all our communication and appointments were done only in paper form. But I searched her name on FB out of curiosity. :-)

OP: Can you exclude the possibility that the doctor just searched your name on FB? Why wouldn't he do that...?

> all our communication and appointments were done only in paper form

Just because your communication happened on paper doesn't mean that they haven't stored your email address or phone number in some service digitally, and that somehow that info has been shared (e.g. a phone with a facebook app that uploads all contacts)

A girl I talked to on Tinder a few years ago popped up on my People You May Know list. I befriended her and met up with her recently.

I brought it up to her, we wondered how it happened, and she admitted that she'd searched for my profile a week before.

I'd say this aspect of the system is a good feature. If you're searching for someone, it's nice to give them an opportunity to "independently" reach out to you.

Facebook tracks your location and the locations of others. If it sees that you are around some people often, it might suggest you to be friends.

The Facebook/Messenger app uploads all contacts. If he has your phone number, and your Facebook account is registered with the same number, you will see a friend suggestion. I don't use any of Facebook's apps on my phone and a few times I see a friend suggestion of people I just met in a week or less.
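
The one-sided contact match that several comments in this thread describe, and the "shadow graph" entries for people with no account, modelled as an added Python example; it is not part of the thread and is not Facebook's code. The function names, the normalisation rule (a 10-digit number gets a default country code) and all sample identifiers are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def normalize(identifier, default_cc="1"):
    """Canonicalise an email or phone number so different spellings match."""
    s = identifier.strip().lower()
    if "@" in s:
        return "email:" + s
    digits = re.sub(r"\D", "", s)
    if len(digits) == 10:  # assumed: bare national number, prepend country code
        digits = default_cc + digits
    return "tel:" + digits

def suggest(accounts, uploads):
    """accounts: {user: identifiers the user registered with}
    uploads:  {user: raw address-book entries that user uploaded}
    Returns (suggestions, shadow). suggestions links users in both
    directions from a single upload; shadow maps identifiers that belong
    to no account to the users who uploaded them."""
    owner = {}
    for user, idents in accounts.items():
        for ident in idents:
            owner[normalize(ident)] = user

    suggestions = defaultdict(set)
    shadow = defaultdict(set)
    for uploader, book in uploads.items():
        for entry in book:
            key = normalize(entry)
            target = owner.get(key)
            if target is None:
                shadow[key].add(uploader)        # non-user, still recorded
            elif target != uploader:
                suggestions[uploader].add(target)
                suggestions[target].add(uploader)  # target never uploaded anything
    return dict(suggestions), dict(shadow)

# Constructed sample data: the patient registered a number and an email
# but uploaded no contacts; only the doctor's address book was uploaded.
ACCOUNTS = {
    "patient": ["+1 (555) 010-0199", "patient@example.com"],
    "doctor": ["dr@clinic.example"],
}
UPLOADS = {
    "doctor": ["555-010-0199", "nonuser@example.org"],
}

if __name__ == "__main__":
    links, shadow = suggest(ACCOUNTS, UPLOADS)
    print("suggestions:", links)
    print("shadow entries:", shadow)
```

In this model the patient's own settings never enter the computation: the link exists as soon as any one uploader's address book contains an identifier the patient registered with.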
