What is concerning is that we can guarantee private investigators and professional identity fraudsters are well on top of all these little loopholes. And combined, I'd say Facebook is probably pissing data out.
Some sweet law enforcement potential here - slap in a request to Facebook on a drug-dealing suspect, find a list of everyone with his number in their phone. Repeat until !exists($drugNetwork).
Your post is unclear on one point. Did you see this screen BEFORE confirming via SMS that you were in possession of the mobile number you entered? If it was after confirmation, that's a very different thing.
1. I'm not concerned about harm to users from this issue, I don't pretend to be. That should be Facebook's role.
2. This isn't a bug or a vulnerability, it's something you've actually coded - a feature. It doesn't 'accidentally' match up the number I've just entered with other people's phonebooks, you've programmed it to do that. Fine, that's a commercial choice made by Facebook (value of engaging new users vs concerns over publicising people's phonebooks) - but reporting it through those links would be nothing more than a complaint letter.
(edit: removed snark)
If every decision had to get approval from the management team, then progress would grind to a halt, and Facebook would end up like Microsoft.
Insightful: while it's seemingly simple and obvious, everyone I know has fallen prey to the opposite belief, myself included.
And because of that we should hold it with less responsibility than a single person? Even though it holds an order of magnitude more power than a single person?
Yeah, how about, no.
And about your other remark, that is nonsense. It is very possible to keep those checks to a reasonable level of responsibility and many corporations do so, with proper software engineering principles, without "turning into Microsoft".
When dealing with people's private information, one should err on the side of caution, not on the side of $$$, and it is obvious which route facebook took.
In fact, they are already in violation of several EU privacy laws, just because their privacy-pissing database has grown out of hand, they collect more data than they have the internal corporate infrastructure to deal with this amount of private data of EU citizens in a legal manner in Europe. They went way overboard, maybe not in the US, but they are also incorporated in the EU and cannot abide by our privacy laws because they collected too much data.
As far as I'm concerned, Facebook is on the verge of criminal negligence as EU laws for citizen privacy are concerned. So personally, yeah, I think nothing wrong with headlines of "Facebook privacy fuckup", as long as they're behaving like that, singular conscience or not.
That's why we have such laws, to keep corporations responsible.
Also, I see no need to respond to your hyperboles. I mean, "criminal negligence"? C'mon.
You assume malicious intent. It might be. But it also might be an engineer who thinks "this would be a cool feature" without stopping to think about the ramifications of this.
Happens all the time; think of the Google engineer who decided that Buzz should auto-follow your most emailed contacts publicly or the NetFlix competition that outed a lesbian in small town America.
Not that I'm saying it's ok if that's the case; it's still a fuck up that needs to be fixed and in general companies need to be better about this - it happens too often.
Just saying I would have reported it to FB first and seen what they did. Responsible Disclosure, and all that.
The potential privacy compromise here is that people who might've not wanted the user to know that they had them in their synced-to-Facebook phonebook, or may have a secret profile connected to said phonebook, could be unwittingly exposed to the user. As your example of the friend with the hidden gay profile shows, that can have alarming results. I'd say that example's bad enough and worth addressing (even if the answer is just better messaging about how synced phonebooks can be used) and that the PI/law enforcement talk is just muddying the waters.
As time went by, it seems that Facebook left behind their mantra of exclusivity and private social circles. They are vigorously facilitating the opposite when you see 'features' like this.
For example, if you tag a photo with a friend's name, all of that friend's friends can see this photo, even if you restrict who can see your photos. You cannot change this, which means you have now lost control of your own privacy. I do not want strangers seeing my photos, but I can't prevent this unless I stop tagging photos, which is what I have done.
More importantly, I'm moving away from Facebook because they don't give a fuck about privacy.
Just because a company is big doesn't mean it has to sell out and stop caring about user privacy.
Yeah me too, I deleted my profile last week.
Good point, but it's not a very different thing, it's a slightly different thing. SMS confirmation would not have stopped FB outing his gay friend to the author. The only different thing is that it would have stopped others abusing this. This is still something that can be abused and should be fixed.
Preventing harm to users is your job, not ours.
Associates of mine have made SEVERAL complaints to FB about security concerns through your standard "hoops" (including /whitehat), and have received exactly ZILCH, NADA in response.
Please also remember that not every report actually pans out. I can't say we should have prevented this because I don't yet know if there is something to prevent. It now appears that the behavior the OP is calling a "fuckup" happened after he confirmed ownership of the phone number. This might change things a bit.
Preventing harm is our responsibility. But if you happen to find an open door, or what might look like an open door, it's more helpful to get all the facts first, report to the vendor, and disclose later if you think the reporting process is unsatisfactory.
For instance, if you have not heard a response from /whitehat, please email me and I will see what I can find out. Or disclose it. I can't stop you.
When it comes to the rules of disclosure, I'm well aware that where you stand depends on where you sit, but I personally think these kinds of firedrills aren't the right way to do it.
Signed up with a fake name and throwaway email. Was asked to enter mobile number for verification. Entered mobile number and verified.
The top few 'People You May Know' suggestions were all people who I know have that number on their iPhones, all of whom use the Facebook for iPhone application. (It obviously happens if they use any platform's app to sync contacts, not just iOS)
Don't have the time to check now, but I would imagine Facebook uses this exact same method for suggestions if you use your primary email to sign up. People who have you in their email contacts - and have imported them to Facebook - are probably suggested to you too. That way you'll know who keeps you in their email address book too.
Note: to trigger the SMS verification stage, you have to enter a semi-obviously fake name.
I noticed this behavior when I signed up to test this first using an old email address. It had known friends as suggestions as well as people who had already requested to be my friend, including my actual profile. I don't explicitly remember importing my email contacts but it is a possibility.
Looks like it treats both contact books the same, even if a user didn't add the individual contacts at the time of import, it keeps a record of them to potentially make suggestions at some future point in time.
A few years ago, I created a Google profile with a vanity URL and a Facebook account with the same Gmail address. I never linked those two accounts, used third-party apps or imported contacts into Facebook. I recently created a Google+ profile and publicly circled some users when I suddenly noticed that those circled users started showing up in my Facebook account as "suggested friends". Those users don't follow me on Google+, aren't linked to any of my Facebook friends and they don't know my Gmail address.
I can't think of any other method used by Facebook to recommend those friends, except by crawling my Google+ circles. It's as easy as extracting my Google+ username from my Gmail address and scanning my circles at profiles.google.com/username.
I can't reproduce this with different accounts as vanity URLs aren't available for new Google accounts.
Could anyone with confirm this with their own Google profiles?
Do you think Facebook should be authorized to "scrape" contacts from other social networks, to extend and build their own social graph about their users, without possible opt-out and no disclosure?
Should it disturb us that those statements are true for millions of people? Or do we not care?
It will be interesting if we get to where Facebook is required to send a pamphlet to your house explaining how they use the information they collect about you, who they sell it to, etc. Log on to freesocialnetworkreport.com to see what information the Big 3 social networks have stored about you! See your social network score, etc.
On a different note, I do hope they harvest all the numbers for pizza places I have stored on my phone and find a way to help me get cheaper pizza.
Actually, they are, in the EU.
Well not literally with a pamphlet, of course, they are required to send you a CD with this data on request.
Except that they're (illegally) refusing to provide most of that data under the guise of "intellectual property" (whose? not theirs, under any legal definition of IP I'm aware of) and "trade secrets" (which I'm sure won't hold up).
They just provide the profile and your comments and messages and whatnot kinds of data that are all already visible in some sense or other, on Facebook.
They do not provide the invisible data, the things they collect behind the scenes, such as what data they collect from your phonebook, what data is available about you being tagged in photos, things like that, all the data you know Facebook is collecting (due to deduction from friend suggestions, or just because it's there), but never really get to see because it's either a) buried behind some algorithms (friend suggestions) or b) just stored and not really used for anything.
These two kinds of data are EXACTLY what this EU Privacy law is intended for. The right for EU citizens to know what data about them is being stored especially when it is not immediately obvious that this data is being collected, stored or used in some manner.
These two kinds of data are also EXACTLY what Facebook is withholding from EU citizens' legal requests because of "trade secrets". It won't hold up. I really hope it won't.
Their reasoning for why something is a "trade secret" is the same reason why a law exists that requires them to provide that data: because the data is not used in the open and otherwise EU citizens would not be able to know this data is being collected and stored about them.
Remember, the privacy laws protect the fact already that certain data is just stored, not even whether it is used or not.
I bet there's many kinds of data FB is simply storing about its users that it doesn't really use yet, data they should have provided on formal request but declined to do so because of "trade secrets".
Alex: as a gay man who came out as an adult, I urge you to reach out to your closeted friend. Let him know that Facebook violated his privacy and you accidentally and unexpectedly came across his secret. Reassure him that you care about him as a friend and that his sexuality makes no difference to you.
Unless he is in physical or serious financial risk from coming out, his life will be unimaginably better if he comes out. If he's going to lose his job or be disowned by his parents, at least having one friend to share his secret with may make a world of difference.
If he has a girlfriend or wife, for her sake, you need to reach out to him. It's an incredibly awkward situation, but think about what an enormous positive difference you can make in one or two people's lives.
From a data aggregation perspective, it is (unpleasantly) fascinating to me that a programming choice in an ostensibly opt-in social networking database has resulted in a public bulletin-board discussion of what could be perhaps the most private part of a person's life.
Examples like this are the perfect answer to the dangerous nonsense propounded by the "anonymity needs to go away" crowd. Not everyone's life is or should be an open book.
The result was definitely people who had done what the author said but it was also interspersed with friends of friends, muddying the waters a bit.
On "Step 1: Add Friends", it showed people who I actually know (presumably who have my phone number, since that's the only info I gave that actually relates to me)
On "Step 3: Profile Information", it offered many more people, most of whom I don't actually know (presumably friends of the people from step 1)
Note that to trigger the mobile-number-confirmation request, you may need to enter dubious-looking profile information. In my case, I entered a name like "Blaah Blahh", with a throwaway email address from www.mailinator.com. If your fake name is too realistic, it won't necessarily trigger the security check.
I do have the same mobile number on my primary account, so it's possible they found me that way. But either way, it's notable that in step 1 they managed to show just the people who I would expect actually do keep track of my phone number.
1) Apparently my cell phone number used to be registered to my primary account. When I created the fake account, it removed my number from my primary account and assigned it to the fake account. So what happened there was they suggested friends from the account that used to have the same phone number assigned to it. The creepy thing here is that it also suggested people that I had recently defriended.
2) I did the same thing, using my Google voice number which had not previously been registered to any FB account, and was suggested three friends who apparently have me saved in their address books.
- Signup. (ignore that you need to confirm your email)
- Go to your account settings>mobile
- Go to mobile.
- Add a mobile phone.
- Enter your password
- Click "Add your phone number here."
- Verify your phone number via text.
- Click the facebook logo.
You should be able to see recommendations based on your phone number.
I then tried adding my phone number to my profile (a phone number that I also have on my actual Facebook account). Went back to the home page and looked around a little more, still no friend recommendations. It's actually a solid possibility that nobody who has uploaded their phone contacts to Facebook has me as a contact (I didn't even know that was possible, actually).
That's the URL that I'm still being directed to - I haven't actually clicked 'Next' yet.
I signed up with a new email address. Put in my phone number. I _do not_ have this phone number on my primary account. Now on my dummy account, I get a long list of friend suggestions, most of them from my primary account, and some unknown.
My dummy account and primary account are not linked in any way. All cookies cleared. So how did my dummy account suggest so many friends from my primary account? It didn't before I entered my phone number in my dummy account. Some of the friend suggestions live in other countries, and I doubt they would have my US phone number.
Try that page - it shows me most of the same people at the top, and then tails off into their friends.
About a year ago I started getting emails from facebook recruiters, and guess what my name was resolving to in their system? Yep, that's right -- "DLC Text".
For 6 years they have kept my information even though it was deleted.
A friend of mine ragequit facebook a little less than a year ago, came back, and it allowed him to reactivate his profile. I don't think it ever said 'delete' though.
I really don't agree with this, but I can't deny that there's value in this data. It's unscrupulous to hold onto it, though.
In my opinion, there should be some way to hard-delete information like this, even if the user has to go through some two-key-nuclear-launch confirmation process to prevent accidental deletes.
It doesn't seem to be required, I've always just dismissed those "security" prompts by clicking the FB logo in the top left, which forwards me to the homepage just fine.
The chances of facebook getting my mobile number are about the same as my chances of flying to the moon by willpower alone.
I've no idea if they are doing this, but I wouldn't put the possibility in moon/willpower territory.
I went to delete my account the other day just because there is so much crap and it's time wasting and I go searching for delete but couldn't find a link! I then came across the deactivate which I had heard about before and went with that but they still keep all my data and it's ready for me just by logging in again.
To delete I had to Google and find an actual link in a forum on how to fully delete my account. And after I found the link you are taken to this page that asks you to confirm and then you have to wait two weeks (I guess to let people go back after Facebook withdrawal.) I guess what I'm getting at is: Facebook makes it easy to deactivate with a false sense to their users that it's sort of being 'deleted.' Yet they are keeping everything, even messages, from your account. I wonder if they still count these accounts in their user count?
Not for the guy who was outed, they didn't.
There seems to be some confusion about how friend suggestions work, and we definitely want people to understand how their information is used and their options to control it.
Generally, the contact importing tools and resulting friend suggestions have been used by millions of people to make hundreds of millions of friend connections. We're proud of this (since it is clear that real connections are made) but also understand that people should have control. That's why we include a notice in the contact sync (on phones) and upload (on the web) flows that makes it clear that contacts you import may be used to generate friend suggestions for you and others. If you're concerned about being suggested as a friend to others based on the contacts in your address book, you can either not upload it, or if you have already uploaded it, you can remove your uploaded contacts (http://www.facebook.com/contact_importer/remove_uploads.php). You can also block any individual people. These steps prevent what Alex (or rather, his friends) experienced — people being suggested as friends based on having a phone number in their address book.
Also, some of you have noticed that we don't always require a phone verification for an account. This is a security feature designed to prevent spam and fake accounts that is only triggered when certain conditions aren't met.
In other words, I think that this sort of thing is implicit in using Facebook. But for some people, it's not. So do you remind them about this every time they do anything new? I don't know.
After a group perfects Gentry's work.. someone will gear up a homomorphic scheme combined with a generative personal cloud.
The "personal" in PC was most important when C stood for computer. Next, it will be most important when C stands for cloud.
 - http://crypto.stanford.edu/craig/
 - http://futureoftheinternet.org
It's pretty much possible. And Facebook is Evil. But I don't understand what he did to be certain of that?
We are to the point that to maintain any semblance of privacy, you need at least two email accounts (one you don't mind getting spammed), two phone numbers (one you don't care about facebook and others tracking) and two addresses (a mailing address/box service and your actual physical address).
I'd rather lose my google accounts altogether than link any of my main phones to my gmail account.
(Yes, if they scrape someone else's phone and your phone number happens to be there then ya there is some issue. Is there any precedent of google scraping phones through any means?)
How can Facebook have access to numbers on anyone's phone?
It seems that I am heavily downvoted, so... sorry for my comment.
An iOS app needs explicit user permission to know your location, or to send you push notifications. It doesn't need to ask if it wants into your phone book and calendars.
Any app on the iOS App Store can read your phone book and calendars and do anything they want to this information. This is a mind-bogglingly gaping security hole.
Results were not that unexpected save one, but it seems like a friend of a friend.
I'm assuming phone number verification checks that you own the number via SMS; so it just acts as a reverse-stalker (I'd be worried about people I _don't_ know having my phone number saved).
At the very least, the friend could have blocked the set of people he didn't want to know about his preferences from the "gay" account: otherwise what stopped a simple search by name from showing both accounts?
1. People may very well have an account with a fake name, so that it doesn't show up in search. In France, for example, a large number of FB users are stripping out the vowels from their last name to make their FB account less findable.
2. According to the article, it's not the "gay friend" that put his phone number on his hidden account. He merely has OP's number in his phone address book (which is normal since they are friends in real life), and the FB app is pulling this information.
2) That was what I meant -- syncing actual details with your anonymous persona.
You work at Facebook, don't you?
I'm a bit curious about why a search for name won't show the alternate persona? I've had friends who made 2 profiles and both used to show up whenever I typed their name in; and his # being listed publicly doesn't affect the argument either way.
Edit: Reply to child comment by jarofgreen: apparently the comments are too deeply nested to reply directly: "using FB wrong therefore deserves to have his privacy violated"
I've never stated that he _deserved_ to get his privacy violated; it's simply that the behaviour of any s/w is based on what settings you choose. Your argument would have to be that it's the S/W's fault for not being transparent enough/not easily understandable enough leading the user to be misled - but the general response seems to be that the s/w is actively out to get the user.
Also, are you trying to make the argument that his gay friend is using FB wrong therefore deserves to have his privacy violated? That sounds like a pretty shit argument to me.
Not to say that I agree with this practice (I don't), but someone deliberately implemented this, and there's a good business case for it.
The privacy implications are unfortunate, but what else are we to expect from Facebook these days?
I don't know in the US. But here in Europe that's pretty much against the law in most countries.
If you don't even know what the law is, you might try finding out, before sniping about how someone supposedly is not "respecting" it.
If you did, you might then find, for instance, that the best course of action is to complain about the law (or lack of laws), and do something about that.
Anyway, I think you're wrong. I do know the law in France and Europe. And since I live in France, I have a contract with Facebook Ireland. Not Facebook US. So it's the Irish law that is the appropriate law. I don't know the details of Irish law in that matter. So your Argumentum ad nauseam saying I should know the law could have been correct... (if not excessive and irrespective) but since Ireland is part of the European Union... I do not need to go seek the exact Irish law. Directive 95/46/CE is there to unify the European law on that subject.
See for yourself:
"PRINCIPLES RELATING TO DATA QUALITY
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use."
Do you think what Facebook Ireland is doing, yes because Facebook Ireland offers the EXACT same service as Facebook US, respects the law in Ireland?
Then you should know that it's everyone's right to ponder about the due respect of law without having to file a formal complaint and start a trial. Otherwise, journalists would have to sue half the world. By the way suing costs money that I don't have. So if the only ones that can complain about some problems in a company policy, are the ones that have the money to sue the company... we're in a sad society. I think that's the moment when an American starts complaining about socialism in Europe.
We also have to take some responsibility for our security and privacy.
Any contributor to HN shouldn't be surprised that a web app is using every possible bit of personal information it has to influence recommendation.
Someone mentioned a similar issue with Twitter recently (they signed up with a new email but using a machine they had used previously and it recommended based on an existing cookie or something).
If you submit personal information - the recipient is likely to use it in many ways that make you uncomfortable - either immediately or at some point in the future.
Just because you feel secure with the current management team you donate personal data to doesn't mean your relationship with the next one will be so cosy. Nobody deletes data any more.
I guess at some point in the future identity online will be a lot more formal (Google+) and we'll be able to explicitly set the context (circle) we expose to services.
and the argument "you should not be surprised companies fuck you over" simply gives away moral ground without a fight.
i really can't understand posts like yours. is the chance to appear world-weary and knowledgeable really worth selling your soul for?