53 comments

[ 2.4 ms ] story [ 115 ms ] thread
One of the comments explains it -- the mobile app uploads all contacts. So when he entered in his phone number, existing Facebook users using the mobile app were matched because they had his phone number in their contacts.
Surely it should ask for his consent prior to doing so?
I'm pretty sure it does.
I think there was a big privacy 'scandal' when Path did this last year and Apple starting requiring apps to ask permission (or they built it in to the OS).
The app asked his friends if it was ok, but obviously not him, as he was not a Facebook user at the time.
Facebook officially does not ever perform any privacy-violating recommendations. Since he can't know that he's present in other people's contact lists, those contact lists are not used to create recommendations in the way you described.
(comment deleted)
I don't believe this is true. I've set up a Facebook account, and provided Facebook an email address only, and had reasonable "Friend Suggestions" appear presumably based on the presence of that email address in other people's address books.

Facebook says that they save the contents of your address book, and that it might be used to suggest friends in the future: https://www.facebook.com/help/241275309301947/.

But users do. If you have my email address in your contacts list on Hotmail and you allow Facebook to search for friends in your Hotmail account (most people do I think), then I think you're illegally passing on personally identifiable information.
It's matching his entered phone number with their contacts. They imported their contacts. He didn't have to do anything other than verify his phone number. Solution? Use a one time use phone number to verify anything social.
First, it didn't do anything on his phone.

Suppose Alice and Bob are friends, and have each other in their contacts. Alice uses a simple, prepaid phone that only handles texts and calls. Bob has a smartphone.

Bob installs the Facebook app on his phone. The app wants permission to see his contacts, and he grants it. Maybe he's not paying attention, maybe there's a useful feature that needs his contacts, maybe the software asks the phone for permission, and the phone allows it without asking Bob. Whatever. Facebook now knows Alice's phone number.

When Alice gives Facebook her phone number to get a text (remember, that's all her phone can do), Facebook recognizes that it has seen this number before. Since Bob has this number, he is probably connected with Alice in some way.

Alice sees a recommendation for Bob when she logs on again.

Alice only gave permission for Facebook to text her. It didn't look through her phone at all.

I figured as much. But my grandmother has no smartphone (nor have I), and nobody from the list of recommendations was directly connected to her. And there are people missing, even if the phone number matching was the only way. These two things are what I find weird.
But your two cousins, who may have smartphones, could both have your grandmother as a shared friend — and thus, since they were both connected to you and were connected to your grandmother, Facebook assumed you might know your grandmother?
Good idea, but I thought of that. They don't have my grandmother as shared friend (she's from the other "side" of the family as we call it, not sure if that's proper English).
> The app wants permission to see his contacts, and he

> grants it. Maybe he's not paying attention, maybe there's

> a useful feature that needs his contacts, maybe the

> software asks the phone for permission, and the phone

> allows it without asking Bob. Whatever. Facebook now

> knows Alice's phone number.

IIRC the app simply doesn't install if you don't grant the permissions.

Facebook doesn't find my real friends. Well, the phone I have attached is a prepaid card I haven't given to anyone and I have no real friends in my phony FB account, so I guess there's no way they can find me.

If I had an account with real data I wouldn't link my phone to it. Not any phone that my real connections know.

Even if he hadn't used the mobile app, it could also suggest people who have searched for him.
Facebook officially does not ever perform any privacy-violating recommendations. Since information about how another user searches is not known to you, it is not used to give you a recommendation.
You keep saying that, but it is very obvious that if people searched for me it would recommend them to me, it's been shown to happen.

So yes, Facebook might officially say they don't do it. But they do. Facebook has no interest in user privacy, their track record shows it again and again.

"Since information about how another user searches is not known to you, it is not used to give you a recommendation"

Saying that this is the case does not make it true.

If one isn't in the US or Canada Facebook is theoretically legally obliged to send you all data it has about you, if you request so. They seem to make that more and more difficult though.
Does Facebook have any other legal entity (other than the irish and the US entities) that would circumvent the EU rules?
It's very easy for them to withhold some data though. I doubt if it's really everything that might build my "case".
The irony is that this story was posted on Google+.
How is that ironic?
I assume he is saying Google knows just as much about you as Facebook.
I think the irony is that this prove Google doesn't know social but Facebook does.
I think the irony is that the dude is using Google+, yet he is as technically advanced as any average Facebook user.
Of course the recommendations are made from the friend he just made! It's just traversing the public, non-privacy-violating graph of mutual friends, and suggesting a small (and possibly random) subset of nodes near to him.

There's no conspiracy. He just doesn't understand how much information is encoded by that first friend he made.

On a different note, as I've put in other comments, Facebook officially does not make privacy violating recommendations. In other words, it won't use private information other people have generated, like what profiles they visit or what messages they send or what contacts they have, to create recommendations for a person who can't access that information.

You've been posting this stuff all over the thread. How about a link to the source of "Facebook officially does not make privacy violating recommendations". I'd also like to see them define it the way you have, because as written that is pretty vague.
Yes, I did ask an employee of Facebook directly. It's hard for them to communicate about in the same way that Google doesn't talk about how it ranks pages. It's not a trade secrets issue—it's an issue of spam, and I respect their interest in preventing people from exploiting the friend recommendation system.
> Facebook officially does not make privacy violating recommendations

How do you know this? Do you work for Facebook, or are you just guessing?

It seems to me it could be a combination between chaz's explanation and yours. If the friend he added is also friends with the OP's grandmother, cousins and other friends then it seems OK that Facebook would "recommend" those people to the OP.

But then, why those people and not all of his other friend's friends? Could it be using the contact list of the recommended friend's to prioritize those recommendations over all others?

I think one of the problems is whilst Facebook doesn't use 'private information other people have generated' it does leverage information your friends have shared in non-obvious ways to a layperson.

If it's unclear or people don't understand how Facebook is making its recommendations and as a result become creeped out then that's a problem - whether or not those recommendations were created according to the privacy policy.

I think you have an insightful point here. For something like friend recommendations, it seems inherently privacy-violating. And it's a problem Facebook doesn't communicate clearly how the sausage is made.

Like you, I don't believe that they need to be so afraid of the consequences—I don't think people will exploit friend recommendations knowing how recommendations are made.

Actually, the friend is completely unrelated from my other friends and family. I met him through an online game and he's not even from the same country.

I don't mean to make this a conspiracy theory, but I don't understand how Facebook can conjure up so much information to identify most of my relatives.

Maybe unrelated, but the amazing thing of social graph theory is that they'll still be "closer" in distance.

I think it's a problem that they don't explain this better. But I think they have a lot of complicated priorities.

LinkedIn has been similarly creepy to me. Someone I have never met with whom I share zero common connections has begun showing up in my recommendations because I viewed their profile once months ago.
At least there you know why Linkedin thinks you may know them, and you don't know them so it doesn't really matter. What I care about is that it figured out my entire family tree without much to work with.
LinkedIn once suggested someone with the same (very uncommon) name as my neighbour, but it wasn't actually my neighbour. I have never contacted my neighbour electronically. Either a weird coincidence or it somehow worked out I know someone with that name, somehow.
Can people stop submitting Google+ links? I see no way to get past w/o opting into more G+ stuff.
Try an incognito window. I don't understand why Google refuses to let people read public G+ content if they are logged into their Google account but haven't opted into G+, but I've seen a lot of people report it.
Open in an incognito window. If you're not logged into a Google account, G+ links work fine. Rather nasty user experience.
Works for me without any G+ advertisements. Are you logged into gmail from the same browser?

Here's a dumb mirror of the post content: http://ahcovl.pen.io/

You can always use a proxy if you're that concerned. Do you also block Google ads, Youtube's embedded videos (Google owns Youtube), and never search with Google?

I understand your point though. My posting this on Google+ is ironic actually, given the lack of privacy I'm complaining about.

Edit: Wait I think I misunderstood. You mean "get past" to read the post at all? I thought "public" meant that everyone (even when not logged in) could read it.

Right, Google makes you opt-in to G+ to read the content -- at least if you have a Google account that you're signed into.

All I want to do is read public content. I shouldn't have to agree to anything to do that.

It lets me see the content even though I'm logged into Google, and I have G+ disabled on the domain level.
Meanwhile, most of my sidebar is full of Christian "like if you love Jesus" ads. No matter how often I mark them "uninteresting", they keep coming up, despite Facebook likely having plenty of information pointing at my non-religiousness.
I swear this exact same thing comes up over and over again every few months.

I don't have the time to write much about this right now, but long story short - the top comment here is correct. When his some of his real life friends used one of the Facebook smartphone apps it uploaded their contacts to Facebook. Then when he signed up, it recognized him as being in his friends' mobile contacts and suggested them to him.

There was a great article here last year from somebody last year who experimented with all of this with a few fake, isolated accounts. If anyone can find the link that would be great.

Basically he found out that the above was true. He also found out that since Facebook logs every search you make, people who had searched for his name before he ever signed up were recommended to him when he did.

Yes Facebook are denying this, but he had clear evidence that proved the contrary.

Holy crap: google+ doesn't let you scroll up/down with up/down keys?!?! Wow this is abhorrent
An interesting experiment is that if you have FB on your smartphone, you can use the "Find Friends" feature to dig up all sorts of profiles for the contacts on your phone. I think it uses a combination of phone #'s and email addys from GMail...?

Among others, I've found:

  * several FOSS devs that I've emailed
  * a few people that I've had brief business dealings with years ago
  * my landlord
  * several that I recognize as wrong #'s from the past (such as the girl who texted me 10+ times even though I told her she had the wrong #)
  * some old co-workers from 5+ years ago (I have some old emails from them)
  * quite a few that I don't even recognize
They quite literally will trawl every piece of possibly-relevant data on your device.