BBC BLOGS - dot.Rory

Facebook phonebook: Privacy confusion

Rory Cellan-Jones | 14:43 UK time, Friday, 8 October 2010

How worried should Facebook users be that the social network is making it a little too easy for private phone numbers to be shared?



That's been a hot topic of debate in our office this week after the Guardian's piece suggesting that the iPhone Facebook app could result in numbers being uploaded from phones onto the site without users being aware.

The piece said all it would then take was for someone's Facebook account to be hacked and lots of private numbers would be laid bare. That did not strike me as particularly worrying, unless you think Facebook is less secure than other services - after all, the same would be true if your Gmail account were hacked.

But then my colleague Jonathan Fildes started examining his own Facebook phonebook - and found something mildly worrying. He told me:

"After reading the Guardian piece, I checked my own phonebook. Luckily, the paper explained how to find it, as it is not at all obvious from your profile that the feature even exists - but you can find your own at
"Everything seemed to be in order. I hadn't synced contacts from my iPhone, so there were only around 20 numbers there, most drawn in from friends who had chosen to share their phone number with me."

Most, but not all?

"There was one oddity: a prominent tech blogger who I recognised, but who I was not friends with on Facebook and whose contact details I did not have in my phone.
"I checked his profile; sure enough, he chose to share his number with anyone. No privacy breach there, but how did the number appear in my phonebook?
"I spoke to Facebook; after a chat with the engineering team, a spokesperson suggested that I might have the blogger's contact details in my Gmail address book and that I might have decided to import my contacts from there.
"I checked. I had e-mailed this blogger and he was in my contact book. But I e-mailed him earlier this year for the first time; the only time I imported my contacts from Gmail was when I set up my Facebook account in 2007."

So how do you think his number was put in your address book?

"I told Facebook that this suggested one of two things: that Facebook periodically trawls my Gmail account for new contacts without my consent or that the phonebook makes recommendations based on my friends, four of whom are friends with the tech blogger.
"Facebook categorically denied my first theory and pointed me towards its friend finder, which states: 'We will not store your password after we import your friends' information. We may use the email addresses you upload through this importer to help you connect with friends, including using this information to generate suggestions for you and your contacts on Facebook.'
"Which left my second theory: the blogger's number was suggested by Facebook based on my connections. This seemed to be likely, Facebook said, and sent me a link to explain: 'When you import contacts into Facebook from your email, mobile, instant messaging service or other social network, we may use this information to create friend suggestions for you and your friends. We also display these contacts in your Facebook phonebook.'"

So, is that the explanation?

"Well, then I was sent another e-mail: 'Just to confirm that your second suggestion is not correct. Suggestions do not appear in the phonebook.'
"At this point I was getting more and more confused. Phonebook doesn't make suggestions, but someone who was friends with four of my friends appeared in my phonebook automatically. So, I asked, what was happening?
"The most likely explanation, Facebook said, was that 'one of your four mutual contacts has used the contact importer tool and uploaded contact details for both you and [the blogger], which creates that link'.
"A 'link'. So, he was suggested to me? 'No,' Facebook reiterated, 'we don't make suggestions. This was a link.'"

What's the difference between a "suggestion" and a "link"? I'm confused.

"Me too. In this case, there is nothing sinister - I am quite happy to have this particular blogger's number and it would appear from his profile that he is happy to share it with anyone. But this is just one example. We have been contacted by many more people confused by the people they see in their phonebook. One could see his wife's phone number, but it was attached to the profile of someone he didn't recognize.

"Facebook says that this could be because the algorithms and system used to match phone numbers may not be working accurately. Or that the person now attached to his wife's phone number may have uploaded the wrong number or a number without the correct country code. It says it is now reviewing the system.
"It could be a technical problem that is easily fixed. But I think what this episode really highlights is the ongoing confusion around knowing what you share and how you share it on Facebook."

I agree. Facebook keeps refining its privacy settings, and promising that it's offering users new ways of controlling their data. But which of us even knew that there was a phonebook option?

And are we any clearer about just how it works, and whether we can be sure that our data is not being passed around by people we may not even know?


  • Comment number 1.

    Hi Rory,
    This may be of use to some:
    [Unsuitable/Broken URL removed by Moderator]

  • Comment number 2.

    whether we can be sure that our data is not being passed around by people we may not even know

    You never knew that before. If I were talking to a contact of mine who had your number, they may choose to share it with me. By email, on facebook, over the phone, in person, or whatever.

    There does seem to be a tendency for people to worry about privacy on Facebook in particular in ways that they'd never worried about it before. It's good to be aware of what information you have published, and what not, but it isn't fair to expect the likes of Facebook to enforce better privacy controls than the old offline world.

  • Comment number 3.

    I'm sorry to say this but I'm absolutely certain that your first theory is correct; that Facebook periodically trawls Gmail accounts for new contacts without the user's consent.

    Recently, I've been repeatedly suggested a former work colleague as a Facebook friend even though I only added his details to my Gmail contacts around a month ago and have not synced the two accounts since then. The theory that it's a suggestion (or link) through mutual friends cannot be correct either, as he is relatively new to Facebook and only has four friends, none of whom I know. The only way in which Facebook could have made a connection between me and this individual is to have gone back into my email account without my consent in the past month.

  • Comment number 4.

    So facebook collect and link your details without you knowing? Not only that but they link those details with others. No big surprise there really. I'm sure there will be some legal loophole in the T&C's that cover this from facebook's side of things.

    What does surprise me is the amount of people who continue to sign up with facebook and enter all their personal details. These are the same people who are actually expecting a high level of service and respect for their privacy. You don't pay for the service and nothing in this world comes for free so logic dictates that there must be a catch somewhere.

    Surely it's a matter of time until there is a massive facebook based scandal that shocks all these users into realizing the amount of information they willingly give away online?

  • Comment number 5.

    I too vote for the Gmail connection. Just the other day I was going through my dashboard and Facebook was showing up as being authorised to check my contacts whenever it wanted, just because I had once allowed it to do this.

    Needless to say this authorisation was quickly revoked!

  • Comment number 6.

    Going by all that feedback from Facebook, yes, and your response to it, you are certainly clearer, Rory.

    The Phonebook feature has been around as a part of Facebook Mobile since it launched, as far as I can remember (though I can't find any official announcement of them making it available on the main web service, which I suppose would have been nice so that more people are made aware of its usefulness). All it does though is display a list of all your friends with the phone numbers they have added to their profiles (and hides the ones who haven't added any) - for me that's around 15% of my Facebook friends.

    My question though, is why are phone numbers such highly valued/private data?! If you get any phone 'spam', you can get it blocked (like with e-mail). If you get any kind of abuse, you can report it to the police and/or take legal action. And if you're the kind of public person that people might want to contact by phone, but you don't want to be contacted that way by people you don't know, simply set your privacy settings accordingly (just like you would with the rest of your Facebook profile). Phone numbers aren't secret or coded, they are just permutations of numbers. Yes, there is some value to knowing which number belongs to which person/people, but it's not like someone can break into your phone (like they could with your physical address) just by knowing its number.

    Personally I'm quite happy to share my mobile and landline numbers with my Facebook friends - I want my friends to be able to call/SMS me... that's part of the reason why I have a mobile phone and landline in the first place! My Facebook friends are people that I trust. I don't share the numbers publicly, and Facebook respects my wishes, but if someone calls me who I don't know and I don't want to talk to them... I can hang up. It's not the end of the world!

    It keeps amazing me how people who are Facebook friends with others they don't really know/trust, then seem to be shocked that the information they choose to give to Facebook is shared with the people that they've told are their friends. Unless you tell Facebook otherwise, it assumes that the people you tell it are your friends are people that you trust - which is a pretty obvious and logical assumption. If you don't trust someone, you are pretty foolish to choose to share all your private data with them. Every Facebook friendship connection is an opt-in choice that you either initiated or approved.

    As a Facebook user, it is your responsibility to choose what data you are and aren't sharing with people you trust and people you don't, and Facebook has always given users the most granular controls of any web service (that I know of) in order to do this.

  • Comment number 7.

    The most sinister thing about this is that there is a link on Facebook for you to delete the phonebook - and it doesn't work. Google it and you'll find numerous people saying it never has worked.

  • Comment number 8.

    This is slightly off topic but I'm sure facebook does some very sneaky / advanced (depending upon your viewpoint) snooping to make these links - here's why:

    I have two facebook accounts, one which I setup using my (current and active) gmail account, which I use in the normal way. Also, a second in which I've made no 'friends' with anyone and which has a false name - I use this facebook account purely to test privacy settings. The worrying thing is, when I login using this 'test' account, the friend suggestions I get are 100% accurate - they're all people I know. I should also point out that I've never allowed facebook access to either my gmail or yahoo address book.

    You could attempt to explain this by saying that perhaps some of these friend suggestions have themselves allowed facebook access to their own address books and therefore fb has made the link between them and me - but, lots of these friend suggestions are people I've only recently met and therefore there is no possible link via the (very) old yahoo account.

    So how is facebook making these links? I can only assume they record the IP address you login from and then assume that multiple fb accounts used from the same IP address might actually be the same person, and so they (correctly in this case) infer that my two facebook accounts actually belong to the same person. Whatever the explanation, I personally find it quite disturbing that they're going to such lengths to determine who knows who.

  • Comment number 9.

    I've just been looking at the phonebook on my Facebook account. There is a link to 'remove imported contacts' which states:

    "When you import contacts into Facebook from your email, mobile, instant messaging service or other social network, we may use this information to create friend suggestions for you and your friends. We also display these contacts in your Facebook phonebook.

    If you choose to remove your imported contacts, they will no longer appear in your Phonebook and friend suggestions may be less relevant to you and your friends."

    This to me says that the blogger showing in your Phonebook WAS there as a suggestion!

    To my mind, the trouble is that Facebook doesn't leave anything alone for more than 5 minutes so you never know where you are and what new settings are now there, and it seems to be that the default setting is "show everyone".

  • Comment number 10.

    It's quite simple really: the link between you and this person could have been established when -they- used the Friend Finder. You are in their address book, so that link is noted by Facebook when they use the finder. Later, when you view your Facebook phonebook, it shows phone numbers relevant to you - those of your friends which have been set to be visible by friends, and those of people otherwise considered to be linked to you, if the number is set to be visible to 'everyone'.

    It's just using information that the other person supplied to show you a phone number that the other person has made visible to the world. No tricks here, just clever use of data.

  • Comment number 11.

    I can agree with the inability to remove details....

    I apparently have 9 people on my 'phone list'. I used the requisite link on Facebook to try and delete them at 3pm today, and as of now (10pm) the webpage is still saying 'We are deleting all email and phone contacts you previously uploaded to Facebook. This may take a few minutes.'

    I'll leave my machine on overnight, see if it's finished when I wake up tomorrow...

  • Comment number 12.

    About a month ago a friend of my boyfriend's sent him an invitation to view his photos on Facebook. My bf has never had a Facebook account, but at the bottom of the email was a section of "Other people you may know on Facebook:" there were 4 recommendations of people that he knows but have no relation to each other nor the sender of the original invitation. We were so confused about this, but after reading this article it has become clear that all those people at some point have imported their contacts, and when the invitation was sent Facebook found other occurrences of the address and linked them. Not sure how I feel about that but pleased to have had the puzzle solved!

  • Comment number 13.

    Slightly off topic, but it is another internet social network letting down individuals' privacy - Twitter just launched a new user interface - I can now read the Tweets of users who have "protected" their tweets on the old version!!!

  • Comment number 14.

    The simple answer is if you don't want to take part then don't. I do not have a facebook account and I have spoken to several people who don't have them for the same reason. Data mining without your consent is a fact. Grip the invasion or leave it alone.

  • Comment number 15.

    Totally agree that Facebook are lying to you and periodically go through GMail. I haven't synched them for years but still find myself getting suggestions for friends which I have no mutual connections with and the only way Facebook could know that I know them is if they have been in my email address book in the last year!

  • Comment number 16.

    Good Day All,

    I am not, nor have ever been, a member of Facebook. When I receive offers to join it, lists of people I know are appended to the invitation. They are not in my Gmail address book.

    Some of the names were head scratchers, but after checking most were known. Just not very well known, such as a business office listing without a Facebook presence.

    The moderator of this list can pull my Gmail address for Mr. Cellan-Jones if he would like to use a non and never been a Facebook member for his research on Facebook security practices.

    The opt-out button at the bottom of the invitation email to stop receiving invitations works.


  • Comment number 17.

    Facebook has been notorious for abusing privacy since its inception. Using their friendfinder feature appears to regularly bombard every name in my gmail address book every month or so if that email has not been registered with facebook as yet.

    I'm quite happy leaving my phone number off my facebook profile altogether - I'm certainly not risking 'accidental' access to it by trusting them!

  • Comment number 18.

    The ongoing confusion around knowing what you share and how you share it on social networks.
    Facebook keeps refining its privacy settings, keeps promising that it's offering users new ways of controlling their data.
    I’ve known people who got surprisingly deprivitized.
    Case 1.
    Female didn’t know about phone number hitch until she got a "hello" through the messenger application. This person felt very uncomfortable because she didn’t want to say hello. She had deleted the guy’s number; she never expected hello.
    The guy involved had also deleted the female’s number, but she remained on his messenger list. That’s how come his hello.
    This case is just one of several privacy loopholes in social networking services.
    Case 2.
    A certified public accountant whose privacy was extremely important to him found that his “friend” had uploaded a group photo on Facebook and tagged him without asking his permission.
    Facebook (the largest social networking site, 500M members), allows users to tag usernames of third-parties, which can be revealed to strangers without consent.
    The certified public accountant asked his “friend” to close the photo. He didn’t.
    While most users DO NOT BOTHER TO READ FACEBOOK’S PRIVACY POLICY STATEMENT, it clearly states that it cannot ensure that information users share on the online or mobile service will not become publicly available. This is a highly uncomfortable statement that serves the social networking site, not the user.
    The statement says specifically: “We are not responsible for third party circumvention of any privacy settings or security measures on Facebook.”
    I’ve also seen some news reports about how social networking tools are being used by sexual predators and identity stealers.
    Case 3.
    Victim of identity theft on Facebook.
    CEO of Social News said using social networking sites and disclosing private information is ultimately the user’s responsibility.
    CEO of Social News also said that those who call for more strict regulation on social networking sites in the name of privacy protection do not really understand the nature of social networking.
    Surely, he doesn't mean that social networking is intended to facilitate identity theft.
    Legally, I believe that inlisted phone numbers of third-parties are regarded as Private Information which a social network user cannot use as a derivative use of the social network – in other words, you need permission. Let’s say you have 300 phone contacts. To have those numbers, you have to ensure that each number is "publicly" available.
    Case 4.
    Exposure of body. The victim took legal action and won.
    Just because the victim's name and face were not revealed does not mean that exposing her private body parts was legal.
    I'm getting a headache. It's no wonder I do not choose to participate in this "social" networking business that has more loopholes than fish netting.
    Google CEO Eric Schmidt - people might change their names to “disown hijinks stored on their friends’ social media sites.” SNS users should be more prudent in checking what kind of information they are giving and to whom.

  • Comment number 19.

    Why do people assume Facebook trawls your data? It can link in so many different ways. If, for example, you've both listed the same school, or the same course at university, or they've sent a bunch of requests to people that are mutual friends?

    I don't trust Facebook as far as I could start up a rival company, but at the same time, I actually doubt they raid your GMail account periodically.

  • Comment number 20.

    What I want to know is, how, when I imported my phone contact list from my old phone into my Blackberry, did it instantly link up the people in my contacts with their Facebook accounts, putting their profile pictures in the contacts section, without me doing anything and having nothing in there besides their numbers, which aren't even on their Facebook. :/

  • Comment number 21.

    There is a simple rule.

    ANYTHING you put up on a site hosted in a state with no data protection legislation (i.e. the USA) WILL be used against you for the remainder of your LIFE and the lives of your children and children's children - So if in doubt DON'T!!!

    The rule should be: nothing should be shared at all. Break this rule and on your own head be it!

  • Comment number 22.

    Welcome to the wonders of a free cloud

    You signed up, gave them your data and then complain when they use this data to create additional business for themselves.
    If you don't like the way they catalogue your personal life, then don't sign up there to start with.

  • Comment number 23.

    After checking my Facebook phonebook it appears I too have people on the list whom I am not friends with! Strange

  • Comment number 24.

    From some experiments I undertook on Friday, there may be a simple explanation for people I don't know coming up in my Facebook address book. Looking at the people I didn't know and their telephone number in each case the number matched someone else I did know in my address book - often because they used a default work exchange number. It is possible therefore that Facebook are matching telephone numbers and not doing so well and/or not carrying forward the name properly and mis-associating it.

  • Comment number 25.

    All this is caused by people not understanding what their phone or facebook account is doing. If people were to actually read the screens which come up stating what the phone/web application will do, there should be no surprises.

  • Comment number 26.

    Now call me stupid but why on earth would anyone let alone anyone with any brain cells upload their "phonebook" to a so called social networking site where all this information is available to all and sundry?? Why?? If you are putting your name up there and a photograph, if people know you then they will still know you whether you post all your friends' phone numbers or not. And talking of which surely it's a breach of privacy laws to post such information because you are posting private information of a third party without their permission??

  • Comment number 27.

    Reading the above comments there seems to be two things in common: the "evil" facebook made out as the utter villain of the piece and Gmail. I can't see another web based mail application mentioned. HHHHHmmmmmmmmm another suspect perchance

  • Comment number 28.

    mmm ---

    "Remove imported contacts
    When you import contacts into Facebook from your email, mobile, instant messaging service or other social network, we may use this information to create friend suggestions for you and your friends. We also display these contacts in your Facebook phonebook."

    ...anyone notice - "....we may use this information to create friend suggestions" ?

    No wonder we are all paranoid about what data is being used on the net. :)

  • Comment number 29.

    And then just for a laugh, I thought I would delete all my "uploaded contacts" :

    "Sorry, something went wrong.

    We're working on getting this fixed as soon as we can."


