Hacker News new | past | comments | ask | show | jobs | submit login
Facebook privacy fuckup reveals who has your number in their phone (alexmuir.com)
262 points by AlexMuir on Oct 23, 2011 | hide | past | web | favorite | 117 comments

These little privacy leaks are not important on their own. A little data leaks here, a little there.

What is concerning is that we can guarantee private investigators and professional identity fraudsters are well on top of all these little loopholes. And combined, I'd say Facebook is probably pissing data out.

Some sweet law enforcement potential here - slap in a request to Facebook on a drug-dealing suspect, find a list of everyone with his number in their phone. Repeat until !exists($drugNetwork).

http://www.rumint.org/gregconti/ has done a bunch of work on the ramifications of " A little data leaks here, a little there " .. you might enjoy.

If you are truly concerned about harm to users, did you try reporting this to facebook.com/security or facebook.com/whitehat? FWIW, I've alerted some people.

Your post is unclear on one point. Did you see this screen BEFORE confirming via SMS that you were in possession of the mobile number you entered? If it was after confirmation, that's a very different thing.

For context of readers, I note you are a FB engineer. Thanks for looking at this.

1. I'm not concerned about harm to users from this issue, I don't pretend to be. That should be Facebook's role.

2. This isn't a bug or a vulnerability, it's something you've actually coded - a feature. It doesn't 'accidentally' match up the number I've just entered with other people's phonebooks, you've programmed it to do that. Fine, that's a commercial choice made by Facebook (value of engaging new users vs concerns over publicising people's phonebooks) - but reporting it through those links would be nothing more than a complaint letter.

/whitehat is not a "complaint letter". It goes directly to the security team oncall, whose job is to keep users safe even if it means killing things written by other engineers at Facebook that had unintended consequences.

(edit: removed snark)

Well, what I am wondering is: is this actually an unintended consequence or a conscious choice that has been made?

A company doesn't have a single conscience. It may have been a conscious choice by an engineer, or it may have been an unintended consequence of some other code change. Either way, I highly doubt it involved the check-off from a director-level employee.

If every decision had to get approval from the management team, then progress would grind to a halt, and Facebook would end up like Microsoft.

> A company doesn't have a single conscience.

Insightful: while it's seemingly simple and obvious, everyone I know has fallen prey to the opposite belief, myself included.

> A company doesn't have a single conscience.

And because of that we should hold it with less responsibility than a single person? Even though it holds an order of magnitude more power than a single person?

Yeah, how about, no.

And about your other remark, that is nonsense. It is very possible to keep those checks to a reasonable level of responsibility and many corporations do so, with proper software engineering principles, without "turning into Microsoft".

When dealing with people's private information, one should err on the side of caution, not on the side of $$$, and it is obvious which route facebook took.

In fact, they are already in violation of several EU privacy laws, just because their privacy-pissing database has grown out of hand, they collect more data than they have the internal corporate infrastructure for to deal with this amount of private data of EU citizens in a legal manner in Europe. They went way overboard, maybe not in the US, but they are also incorporated in the EU and cannot oblige by our privacy laws because they collected too much data.

As far as I'm concerned, Facebook is on the verge of criminal negligence as EU laws for citizen privacy are concerned. So personally, yeah, I think nothing wrong with headlines of "Facebook privacy fuckup", as long as they're behaving like that, singular conscience or not.

That's why we have such laws, to keep corporations responsible.

No, I was simply offering a potential explanation for why things happen.

Also, I see no need to respond to your hyperboles. I mean, "criminal negligence"? C'mon.

or Apple?

That FB responded 2 hours after the post here on HN speaks for itself. I had logged some bug reports the regular way, and FB got back after one year. Yes, one year.

I'm sorry you had a bad experience. Were you reporting bugs (eg X doesn't work), or a security vulnerability? Where did you report?

> 2. This isn't a bug or a vulnerability, it's something you've actually coded - a feature. It doesn't 'accidentally' match up the number I've just entered with other people's phonebooks, you've programmed it to do that

You assume malicious intent. It might be. But it also might be a engineer who thinks "this would be a cool feature" without stopping to think about the ramifications of this.

Happens all the time; think of the Google engineer who decided that Buzz should auto-follow your most emailed contacts publicly or the NetFlix competition that outed a lesbian in small town America.

Not that I'm saying it's ok if that's the case; it's still a fuck up that needs to be fixed and in general companies need to be better about this - it happens to often.

Just saying I would have reported it to FB first and seen what they did. Responsible Disclosure, and all that.

Then "privacy fuckup" is a somewhat hyperbolic choice of phrase for this, isn't it? And it's misleading to mention private investigators and law enforcement when the friend list is only shown after the phone number has been verified.

The potential privacy compromise here is that people who might've not wanted the user to know that they had them in their synced-to-Facebook phonebook, or may have a secret profile connected to said phonebook, could be unwittingly exposed to the user. As your example of the friend with the hidden gay profile shows, that can have alarming results. I'd say that example's bad enough and worth addressing (even if the answer is just better messaging about how synced phonebooks can be used) and that the PI/law enforcement talk is just muddying the waters.

Exactly. It's timely to discuss where the line is drawn in sharing user data. Trickling here and there amounts to what can be summed up as gaping holes.

As time went by, it seems that Facebook left behind their mantra of exclusivity and private social circles. They are vigorously facilitating the opposite when you see 'features' like this.

You did not answer his second question: was this before or after you confirmed through SMS that the phone number is actually yours?

Facebook does not care about user privacy. They have gone on record saying this multiple times (and then quickly recanted it). They do not care about user privacy because it goes against everything that Facebook needs in order to grow.

For example, if you tag a photo with a friend's name, all of that friend's friends can see this photo, even if you restrict who can see your photos. You cannot change this, which means you have now lost control of your own privacy. I do not want strangers seeing my photos, but I can't prevent this unless I stop tagging photos, which is what I have done.

More importantly, I'm moving away from Facebook because they don't give a fuck about privacy.

I really hate how Facebook killed the competition because there's no place to go besides G+, and that seems to be targeting a different audience than Facebook. :(

Just because a company is big doesn't mean it has to sell out and stop caring about user privacy.

> More importantly, I'm moving away from Facebook because they don't give a fuck about privacy.

Yeah me too, I deleted my profile last week.

> Your post is unclear on one point. Did you see this screen BEFORE confirming via SMS that you were in possession of the mobile number you entered? If it was after confirmation, that's a very different thing.

Good point, but it's not a very different thing, it's a slightly different thing. SMS confirmation would not have stopped FB outing his gay friend to the author. The only different thing is that it would have stopped others abusing this. This is still something that can be abused and should be fixed.

Fair enough, I won't quibble. In the absence of a bug report, and having to do this in public, I'm trying to get what information I can. I'm also trying to respond to the author's claims about private investigators, etc.

Apologies for not answering your question - I misunderstood your meaning. This was after entering the SMS code - so it's certainly not an issue where you can enter a phone number you don't control.

You know, buddy, I think from FB we could all use a little more "thanks for pointing out this problem that we at FB should have prevented or refused to implement" and a little less of sarcastic "if you are truly concerned...jump through our hoops."

Preventing harm to users is your job, not ours.

Associates of mine have made SEVERAL complaints to FB about security concerns through your standard "hoops" (including /whitehat), and have received exactly ZILCH, NADA in response.

I get what you're saying and I'm sorry if I was snarky. On the subject of politeness, I myself don't enjoy reading posts titled "Facebook privacy fuckup" at 5am on a Sunday.

Please also remember that not every report actually pans out. I can't say we should have prevented this because I don't yet know if there is something to prevent. It now appears that the behavior the OP is calling a "fuckup" happened after he confirmed ownership of the phone number. This might change things a bit.

Preventing harm is our responsibility. But if you happen to find an open door, or what might look like an open door, it's more helpful to get all the facts first, report to the vendor, and disclose later if you think the reporting process is unsatisfactory.

For instance, if you have not heard a response from /whitehat, please email me and I will see what I can find out. Or disclose it. I can't stop you.

When it comes to the rules of disclosure, I'm well aware that where you stand depends on where you sit, but I personally think these kinds of firedrills aren't the right way to do it.

Thanks for your response, but frankly you are presenting a textbook example here of continuing to impolitely blame the messenger(s). If you don't enjoy reading posts entitled "Facebook privacy fuckup" at 5am on a Sunday, then perhaps FB should start to take privacy more seriously. I'm sure the fact that people are more than a little suspicious of FB in numerous ways and that many have made repeated privacy complaints is hardly news to you, at 5am or otherwise. FB privacy is your firedrill, not ours.

Wow, I just duplicated this perfectly.

Signed up with a fake name and throwaway email. Was asked to enter mobile number for verification.[1] Entered mobile number and verified.

The top few 'People You May Know' suggestions were all people who I know have that number on their iPhones, all of whom use the Facebook for iPhone application. (It obviously happens if they use any platform's app to sync contacts, not just iOS)

Don't have the time to check now, but I would imagine Facebook uses this exact same method for suggestions if you use your primary email to sign up. People who have you in their email contacts - and have imported them to Facebook - are probably suggested to you too. That way you'll know who keeps you in their email address book too.

[1] Note: to trigger the SMS verification stage, you have to enter a semi-obviously fake name.

"People who have you in their email contacts - and have imported them to Facebook - are probably suggested to you too."

I noticed this behavior when I signed up to test this first using an old email address. It had known friends as suggestions as well as people who had already requested to be my friend, including my actual profile. I don't explicitly remember important my email contacts but it is a possibility.

Looks like it treats both contact books the same, even if a user didn't add the individual contacts at the time of import, it keeps a record of them to potential make suggestions at some future point in time.

I think I've found another troublesome method that Facebook is using to suggest new friends.

A few years ago, I created a Google profile with a vanity URL [1] and a Facebook account with the same Gmail address. I never linked those two accounts, used third-party apps or imported contacts into Facebook. I recently created a Google+ profile and publicly circled some users when I suddenly noticed that those circled users started showing up in my Facebook account as "suggested friends". Those users don't follow me on Google+, aren't linked to any of my Facebook friends and they don't know my Gmail address.

I can't think of any other method used by Facebook to recommend those friends, except by crawling my Google+ circles. It's as easy as extracting my Google+ username from my Gmail address and scanning my circles at profiles.google.com/username.

I can't reproduce this with different accounts as vanity URLs aren't available for new Google accounts.

Could anyone with confirm this with their own Google profiles?

Do you think Facebook should be authorized to "scrap" contacts from other social networks, to extend build their own social graph about their users, without possible opt-out and no disclosure?

[1] http://www.labnol.org/internet/vanity-url-for-google-profile...

Could it be that you are in their Gmail contact list? I don't have a public Google profile, and never gave Facebook my Gmail password, yet I get suggestions for people I have emailed once years ago. The only explanation I can think of is that I'm in their email contact list, or that they've searched for my name on Facebook at some point.

I know that Facebook uses the contact lists of your friends to suggests users to you [1], but I'm 99% sure Peter Norvig doesn't have my email address in his contact list, and that none of my Facebook friends are linked to him.

1. Some people don't realize what information Facebook is collecting, and some of those people would object if they did know. 2. Some people don't realize the way Facebook is using the information they collect, and some of those people would object if they did know.

Should it disturb us that those statements are true for millions of people? Or do we not care?

It will be interesting if we get to where Facebook is required to send a pamphlet to your house explaining how they use the information they collect about you, who they sell it to, etc. Log on to freesocialnetworkreport.com to see what information the Big 3 social networks have stored about you! See your social network score, etc.

On a different note, I do hope they harvest all the numbers for pizza places I have stored on my phone and find a way to help me get cheaper pizza.

> It will be interesting if we get to where Facebook is required to send a pamphlet to your house explaining how they use the information they collect about you, who they sell it to, etc.

Actually, they are, in the EU.

Well not literally with a pamphlet, of course, they are required to send you a CD with this data on request.

Except that they're (illegally) refusing to provide most of that data under the guise of "intellectual property" (whose? not theirs, under any legal definition of IP I'm aware of) and "trade secrets" (which I'm sure won't hold up).

They just provide the profile and your comments and messages and whatnot kinds of data that are all already visible in some sense or other, on Facebook.

They do not provide the invisible data, the things they collect behind the scenes, such as what data they collect from your phonebook, what data is available about you being tagged in photos, things like that, all the data you know Facebook is collecting (due to deduction from friend suggestions, or just because it's there), but never really get to see because it's either a) buried behind some algorithms (friend suggestions) or b) just stored and not really used for anything.

These two kinds of data are EXACTLY what this EU Privacy law is intended for. The right for EU citizens to know what data about them is being stored especially when it is not immediately obvious that this data is being collected, stored or used in some manner.

These two kinds of data are also EXACTLY what Facebook is withholding from EU citizens legal requests because of "trade secrets". It won't hold up. I really hope it won't.

Their reasoning for why something is a "trade secret" is the same reason why a law exists that requires them to provide that data: because the data is not used in the open and otherwise EU citizens would not be able to know this data is being collected and stored about them.

Remember, the privacy laws protect the fact already that certain data is just stored, not even whether it is used or not.

I bet there's many kinds of data FB is simply storing about its users that it doesn't really use yet, data they should have provided on formal request but declined to do so because of "trade secrets".

It is terrible that your friends' privacy was violated, and I apologize for this comment being off topic, but I feel compelled to address the specific personal circumstances that Alex has uncovered.

Alex: as a gay man who came out as an adult, I urge you to reach out to your closeted friend. Let him know that Facebook violated his privacy and you accidentally and unexpectedly came across his secret. Reassure him that you care about him as a friend and that his sexuality makes no difference to you.

Unless he is in physical or serious financial risk from coming out, his life will be unimaginably better if he comes out. If he's going to lose his job or be disowned by his parents, at least having one friend to share his secret with may make a world of difference.

If he has a girlfriend or wife, for her sake, you need to reach out to him. It's an incredibly awkward situation, but think about what an enormous positive difference you can make in one or two people's lives.

Your sentiment is clearly well-meant, but that course of action just as well could result in a disaster as it could a happy outcome.

From a data aggregation perspective, it is (unpleasantly) fascinating to me that a programming choice in an ostensibly opt-in social networking database has resulted in a public bulletin-board discussion of what could be perhaps the most private part of a person's life.

Examples like this are the perfect answer to the dangerous nonsense propounded by the "anonymity needs to go away" crowd. Not everyone's life is or should be an open book.

I was able to duplicate, but took a little bit different process. Sign up, add your mobile, confirm it, then log out and back in.

The result was definitely people who had done what the author said but it was also interspersed with friends of friends, muddying the waters a bit.

I'm glad you've managed to recreate. As mine was a new, friendless account my list was purely people with me in their phonebook.

I also reproduced something like this.

On "Step 1: Add Friends", it showed people who I actually know (presumably who have my phone number, since that's the only info I gave that actually relates to me)

On "Step 3: Profile Information", it offered many more people, most of whom I don't actually know (presumably friends of the people from step 1)

Note that to trigger the mobile-number-confirmation request, you may need to enter dubious-looking profile information. In my case, I entered a name like "Blaah Blahh", with a throwaway email address from www.mailinator.com. If your fake name is too realistic, it won't necessarily trigger the security check.

I do have the same mobile number on my primary account, so it's possible they found me that way. But either way, it's notable that in step 1 they managed to show just the people who I would expect actually do keep track of my phone number.

Jackpot - the name is the trigger, possibly combined with an own-domain email address.

I created an account with a fake name and mailinator email (after several tries where it rejected mailinator domains, it finally worked with bobmail.info). It asked me for my cell phone number to confirm, and when I entered the code it had quite a large number of "John Doe is someone you may know". These people are not all people who I'd expect to have my phone number saved in their phones. My phone number is linked to my primary account, but I don't think it is visible.

Two addenda:

1) Apparently my cell phone number used to be registered to my primary account. When I created the fake account, it removed my number from my primary account and assigned it to the fake account. So what happened there was they suggested friends from the account that used to have the same phone number assigned to it. The creepy thing here is that it also suggested people that I had recently defriended.

2) I did the same thing, using my Google voice number which had not previously been registered to any FB account, and was suggested three friends who apparently have me saved in their address books.

At first, it didn't recommend anything, but after I made yet another account and added that as friend it recommended 50+ people I had no relationship to, AND one friend that I know of. There's nothing linking me to that person except the phone number I used, so it seems to work somewhat, however, I know for sure there are at least 50 people with my phone number on facebook, why didn't it recommend any of those other people?

I was able to trigger it, despite the fact that they didn't ask for my phone number.

- Signup. (ignore that you need to confirm your email)

- Go to your account settings>mobile

- Go to mobile.

- Add a mobile phone.

- Enter your password

- Click "Add your phone number here."

- Verify your phone number via text.

- Click the facebook logo.

You should be able to see recommendations based on your phone number.

I just tried this out of curiosity, but it never asked for my phone number (not only was it not required, I didn't even have the option to provide it at any point during the sign up process). Facebook had no friend recommendations for me at all.

I then tried adding my phone number to my profile (a phone number that I also have on my actual Facebook account). Went back to the home page and looked around a little more, still no friend recommendations. It's actually a solid possibility that nobody who has uploaded their phone contacts to Facebook has me as a contact (I didn't even know that was possible, actually).


That's the URL that I'm still being directed to - I haven't actually clicked 'Next' yet.

On the account I just created, that URL just redirects to the home page (where it wants me to import contacts from email, etc.).

Not sure what to suggest - I just hope someone else is able to replicate it or I'll look like an arse. I was on a UK IP, without erasing cookies between logging out of my old FB and creating a new one.

This is interesting.

I signed up with a new email address. Put in my phone number. I _do not_ have this phone number on my primary account. Now on my dummy account, I get a long list of friend suggestions, most of them from my primary account, and some unknown.

My dummy account and primary account are not linked in any way. All cookies cleared. So how did my dummy account suggest so many friends from my primary account? It didn't before I entered my phone number in my dummy account. Some of the friend suggestions live in other countries, and I doubt they would have my US phone number.


Try that page - it shows me most of the same people at the top, and then tails off into their friends.

I'm in the US. Regardless, I believe you, there could be any number of variables that the sign up process depends on

I deleted my facebook account in March 2010. In November, six months later, the only evidence of my account was that my facebook information was loaded onto my friends telephone. He had my profile photo, plus some random tidbits of information automatically grabbed from facebook by his phone.

I deleted my facebook account ~6 years ago, but before I completely deleted it I changed my name to "DLC Text".

About a year ago I started getting emails from facebook recruiters, and guess what my name was resolving to in their system? Yep, that's right -- "DLC Text".

For 6 years they have kept my information even though it was deleted.

Silly semantic question - when you 'delete' your facebook account, do they use the word 'delete' or just 'disable' or 'shut off' or something similar?

A friend of mine ragequit facebook a little less than a year ago, came back, and it allowed him to reactivate his profile. I don't think it ever said 'delete' though.

I first "disabled" it, and then I continuously pestered them with emails until they told me they had deleted my login and my account.

From what I understand, many websites now use "soft deletes", where they cut out the ability for users to see/modify data. It remains intact on their servers though.

I really don't agree with this, but I can't deny that there's value in this data. It's unscrupulous to hold onto it, though.

In my opinion, there should be some way to hard-delete information like this, even if the user has to go through some two-key-nuclear-launch confirmation process to prevent accidental deletes.

I can confirm that the "security check" thing is related to having a fake name, or perhaps an empty profile. Both of those apply to my primary account and I'm prompted to enter a phone number every time I log in.

It doesn't seem to be required, I've always just dismissed those "security" prompts by clicking the FB logo in the top left, which forwards me to the homepage just fine.

The chances of facebook getting my mobile number are about the same as my chances of flying to the moon by willpower alone.

Couldn't they just get your mobile number, from one of your friends iPhones? Even if you had a fake name on your profile, I would assume its still fairly straightforward to identify you purely from the network structure.

I've no idea if they are doing this, but I wouldn't put the possibility in moon/willpower territory.

Man, that is annoying. "Don't like it, don't use it" they say. I don't use facebook. I blacklist any requests to their domain ("Like" button etc). As you have pointed out, but I did not previously realize, they surely have my name and number in all of my friends' social graph, because they snarfed it from their iPhones or other mobile device.

You know I've been wondering about Facebook saying they have 500 million + users but I wonder if they count the deactivated. Which is a fancy word for suspend.

I went to delete my account the other day just because there is so much crap and it's time wasting and I go searching for delete but couldn't find a link! I then came across the deactivate which I had heard about before and went with that but they still keep all my data and it's ready for me just by logging in again.

To delete I had to Google and find an actual link in a forum on how to fully delete my account. And after I found the link you are taken to this page that asks you to confirm and then you have to wait two weeks (I guess to let people go back after Facebook withdrawal.) I guess what I'm getting at is: Facebook makes it easy to deactivate with a false sense to their users that it's sort of being 'deleted.' Yet they are keeping everything, even messages, from your account. I wonder if they still count these accounts in their user count?

Our user metrics are in terms of monthly and daily active users. More than 800 million people logged in last month with more than 500 million logging in on a single day.

That's right, I remember reading that somewhere. Thanks for clearing that up!

They appear to have resolved this issue in a timely fashion. I can no longer find a request for phone number during the sign up process or once logged in to find friends.

> They appear to have resolved this issue in a timely fashion.

Not for the guy who was outed, they didn't.

[Note: I work at Facebook, and have worked on some of the friend suggestion tools.]

There seems to be some confusion about how friend suggestions work, and we definitely want to people to understand how their information is used and their options to control it.

Generally, the contact importing tools and resulting friend suggestions have been used by millions of people to make hundreds of millions of friend connections. We're proud of this (since it is clear that real connections are made) but also understand that people should have control. That's why we include a notice in the contact sync (on phones) and upload (on the web) flows that makes it clear that contacts you import may be used generate friend suggestions for you and others. If you're concerned about being suggested as a friend to others based on the contacts in your address book, you can either not upload it, or if you have already uploaded it, you can remove your uploaded contacts (http://www.facebook.com/contact_importer/remove_uploads.php). You can also block any individual people. These steps prevent what the Alex (or rather, his friends) experienced — people being suggested as friends based on having a phone number in their address book.

Also, some of you have noticed that we don't always require a phone verification for an account. This is a security feature designed to prevent spam and fake accounts that is only triggered when certain conditions aren't met.

I am not surprised by this. If I share my phone's contact list with Facebook, I expect that it will become a part of the social graph, just as who I am friends with on Facebook is.

Do you think, facebook should tell you about this forehand in simple words ?

I've been thinking about your question for a day, and I'm really not sure. To me, this sort of thing is obvious. It's just how I think about Facebook. But some people are continually surprised at what Facebook knows about them, or what it can find out. And I don't know how to be more explicit with them.

In other words, I think that this sort of thing is implicit in using Facebook. But for some people, they're not. So do you remind them about this every time they do anything new? I don't know.

I am wondering if someone is prescient enough to write a " Facebook is dead " essay.

After a group perfects Gentry's work[1].. someone will gear up a homomorphic scheme combined with a generative personal cloud[2].

The " personal " in PC was most important when C stood for computer. Next, it will be most important when C stands for cloud.

[1] - http://crypto.stanford.edu/craig/

[2] - http://futureoftheinternet.org

How do the guy know Facebook used specifically the phone number he gave them ?

It's pretty much possible. And Facebook is Evil. But I don't understand how he did to be certain of that ?

They had no other information - there is no doubt. I 100% guarantee that's how it was done.

They have your IP address.

Seems down. Can somebody paste here?

I'm confused as to how this is possible. Are people syncing their phone books from cellphones to Facebook?

Yep. A lot of android builds have it baked in, and I assume the facebook apps for android/ios have this functionality.

The official FB app for Android asked me if I wanted to sync my friends list with my phone address book and I said No. I would like to think this means they didn't scan my phone's address book, but I wouldn't be surprised if they did.

Phone numbers and addresses are fast becoming like email addresses. In the same way that you can assume putting your email address into any website form that requests it will eventually result in spam, putting your phone number into any phone or your address into the database of any service provider will eventually result in a "leak".

We are to the point that to maintain any semblance of privacy, you need at least two email accounts (one you don't mind getting spammed), two phone numbers (one you don't care about facebook and others tracking) and two addresses (a mailing address/box service and your actual physical address).

I can't get the screen he's seeing, all I did was to verify an email and I'm in!

I'd be interested in anyone else's results. You might find the list by adding your number manually and then FB will only have this datapoint to find 'People you may know'.

Ok I've added my number. Where do I go to see suggested friends?

Facebook was quick to react and removed it (for now?)

Your address book become the most valuable asset in this social web era.

Google also asks me repeatedly for my phone "so I can recover my account" and for security reasons.

I'd rather lose my google accounts altogether than link any of my main phones to my gmail account.

That is only for sending the SMS of secret passcode for account security, right ?

(Yes if they scrap someone's else phone and your phone number happens to be there then ya there is some issue. Is there any precedent of google scraping phones through any means ?)

Um..... I don't get it.

How can Facebook have access to numbers on anyone's phone?

Mobile apps.

The phone apps can have access to phonebook? OK, I didn't know that.

It seems that I am heavily downvoted, so... sorry for my comment.

It's one of the troubling things about iOS (not an Android dev, so don't know from that end).

An iOS app needs explicit user permission to know your location, or to send you push notifications. It doesn't need to ask if it wants into your phone book and calendars.

Any app on the iOS App Store can read your phone book and calendars and do anything they want to this information. This is a mind-bogglingly gaping security hole.

It was a valid question with a straightforward and informative answer. I wouldn't worry about it, some people seem to be a bit trigger-happy with the downvotes :)

Okay, it appears that this server is down. I have a cached copy here: http://bit.ly/rgygsW

Has anyone tried creating a new account with a phone number they already have on their main FB account to see if this works always?

I tried it, FB gave me no recommendations, but maybe no one has me in their address book.

I actually thought this same number was on my active FB profile - I'm pretty sure I had to provide it to confirm my developer status.

Site appears to be down: http://www.isup.me/www.alexmuir.com

They also have another "feature" that works the exact same way when you sign-up with an e-mail address that someone had in their address book and used the "Import contacts from feature". You can try this with a fresh account. I'll be writing a blog post about it, as well, soon.

Is it so bad? You can still choose to not have your number on Facebook? Or am I missing something.

The problem is the lie. They asked the number for security reasons. I'm fine with that, i can give it to them for security reasons. BUT only for security reasons. Not for any other reason. So if they ask it for one reason and use it for another. That's bad.

And not just that - I can hide my own mobile number, that's fine. But the issue is with this cold-start page effectively showing a list of people who have my number.

Can you do anything to rule out it was the pre-existing cookies? It could be that Facebook doesn't mind people creating new profiles, as long as they know about it.

I still was able to replicate, albeit with some effort. Used a bobmail.info address, "Jake Doe", and had to have them actually call to deliver the pin.

Results were not that unexpected save one, but it seems like a friend of a friend.

This also works with email addresses when your email address is in someone elses address book that has been imported.

I'm not particularly sure about this, but why would revealing the people who have stored YOUR phone number to YOU be such a big deal?

I'm assuming phone number verification checks that you own the number via SMS; so it just acts as a reverse-stalker (I'd be worried about people I _don't_ know having my phone number saved).

Because, as the article says, it can reveal Facebook accounts that you didn't knew your friends had, such has this friend of the OP who has a "straight" and a "gay" FB account.

I'm not sure that's such a huge sin -- technically I think FB says that you cannot have more than 1 account/actual person; I'd imagine when this `feature` was baked in the engineers didn't imagine that anyone would maintain an account that 1) they would keep hidden from friends _and_ 2) add their phone numbers to.

At the very least, the friend could have blocked the set of people he didn't want to know about his preferences from the "gay" account: otherwise what stopped a simple search by name from showing both accounts?

You got two assumptions wrong here:

1. People may very well have an account with a fake name, so that it doesn't show up in search. In France, for example, a large number of FB users are stripping out the vowels from their last name to make their FB account less findable.

2. According to the article, it's not the "gay friend" that put his phone number on his hidden account. He merely has OP's number in his phone address book (wich is normal since they are friends in real life), and the FB app is pulling this information.

Hmm. 1) Fake name, yes -- I wasn't aware of that practice; not that common in India, at least in my friend circle.

2) That was what I meant -- syncing actual details with your anonymous persona.

i'm indian and i have several friends with fake names.

That simple search by name would not show his account with the gay persona - so they thought they were safe. His phone # was probably not listed publicly either.

You work at Facebook, don't you?

I am supposed to _start_ work at FB assuming I get a visa.

I'm a bit curious about why a search for name won't show the alternate persona? I've had friends who made 2 profiles and both used to show up whenever I typed their name in; and his # being listed publicly doesn't affect the argument either way.

Edit: Reply to child comment by jarofgreen: apparently the comments are too deeply nested to reply directly: "using FB wrong therefore deserves to have his privacy violated"

I've never stated that he _deserved_ to get his privacy violated; it's simply that the behaviour of any s/w is based on what settings you choose. Your argument would have to be that it's the S/Ws fault for not being transparent enough/not easily understandable enough leading the user to be misled - but the general response seems to be that the s/w is actively out to get the user.

Blogs down so cant check but I'm pretty certain it said the the gay profile was under a fake name.

Also, are you trying to make the argument that his gay friend is using FB wrong therefore deserves to have his privacy violated? That sounds like a pretty shit argument to me.

Not so much of a "fuckup" as it is a "feature".

Not to say that I agree with this practice (I don't), but someone deliberately implemented this, and there's a good business case for it.

The privacy implications are unfortunate, but what else are we to expect from Facebook these days?

Hum. Respect the law ?

I don't know in the US. But here in Europe that's pretty much against the law in most countries.

Point of order:

If you don't even know what the law is, you might try finding out, before sniping about how someone supposedly is not "respecting" it.

If you did, you might then find, for instance, that the best course of action is to complain about the law (or lack of laws), and do something about that.

Wow ? Why so much anger ?

Anyway, I think you're wrong. I do know the law in France and Europe. And since I live in France, I have a contract with Facebook Ireland. Not Facebook US. So it's the Irish law that is the appropriate law. I don't know the details of Irish law in that matter. So your Argumentum ad nauseam saying I should know the law could have been correct... (if not excessive and irrespective) but since Ireland is part of the European Union... I do not need to go seek the exact Irish law. Directive 95/46/CE is there to unify the European law on that subject.

See by yourself :


"SECTION I PRINCIPLES RELATING TO DATA QUALITY Article 6 1. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use."

Do you think what Facebook Ireland is doing, yes because Facebook Ireland offers the EXACT same service than Facebook US, respects the law in Ireland ?

Then you should know that it's the everyone's right to ponder about the due respect of law without having to file a formal complaint and start a trial. Otherwise, journalists would have to sue half the world. By the way suing costs money that I don't have. So if the only ones that can complain about some problems in a company policy, are the ones that have the money to sue the company... we're in a sad society. I think that's the moment when an American starts complaining about socialism in Europe.

I suppose it's worth noting that your gay friend had to add your phone number to his secret account, which is a privacy snafu on his part. After all, if he was trying to hide his sexual orientation from you, why would he enter your contact details into that account?

We also have to take some responsibility for our security and privacy.

He didn't... Most likely his phone did it for him.

Headline is a little sensational. I'm not big fan of FB but this is just an artefact of the recommendation algos they're using.

Any contributor to HN shouldn't be surprised that a web app is using every possible bit of personal information it has to influence recommendation.

Someone mentioned a similar issue with Twitter recently (they signed up a with a new email but using a machine they had used previously and it recommended based on an existing cookie or something).

If you submit personal information - the recipient is likely to use it in many ways that make you uncomfortable - either immediately or at some point in the future.

Just because you feel secure with the current management team you donate personal data to doesn't mean your relationship with the next one will be so cosy. Nobody deletes data any more.

I guess at some point in the future identity online will be a lot more formal (Google+) and we'll be able to explicitly set the context (circle) we expose to services.

you seem to confuse being able to explain why something happens with whether or not it is a security breach. that this is an artefact of the recommendation algorithms does not change the importance of the information leaked.

and the argument "you should not be surprised companies fuck you over" simply gives away moral ground without a fight.

i really can't understand posts like yours. is the chance to appear world-weary and knowledgeable really worth selling your soul for?

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact