Saturday, July 31, 2010

Privacy Fail: How Facebook Steals Your Friends Phone Numbers

February 26, 2010 by kurt  
Filed under Featured, Personal Posts, Technology, Tips/Hacks

In early January, Facebook updated their iPhone app to include a Contact Sync feature. In a nutshell, “Facebook Contact Sync” allows you to synchronise your friends’ latest Facebook profile pictures with the matching contact entry in your mobile phone’s address book. Due to “Terms of Service Issues” however, Facebook does not sync your friends’ email addresses or phone numbers (listed on their Facebook profile) TO your phone.

Ironically, what Facebook WILL DO, with neither your knowledge nor consent, is import ALL the names and phone numbers FROM your phone’s address book and upload them to your Facebook Phonebook app on Facebook.com, thus storing your private contact numbers on Facebook’s servers. Once your phone is synced, Facebook will attempt to match the newly uploaded phone numbers to users that have listed the same phone number on their Facebook profile, whether you are friends with them or not. If Facebook cannot make a match, it will create a new contact entry in your Facebook Phonebook using the contact details imported from your phone, and add a link to invite them to join Facebook. And guess what? There is no way to delete the names and numbers Facebook imports from your phone’s address book.

Boom. You just got jacked by Facebook.

So what is so worrisome about Facebook uploading your mobile phone’s address book to their servers? Several things:

1) Facebook doesn’t warn users that they are uploading their phone’s address book to Facebook. In fact, because Facebook doesn’t sync contact numbers or email addresses TO your phone, most users wrongly assume that Facebook Contact Sync only syncs user pictures. In reality though, they are pumping your address book, without your consent.

2) Phone numbers are private and valuable. Most people who have entrusted you with their phone numbers assume you will keep them private and safe. If you were to ask your friends, family or co-workers if they are ok with you uploading their private phone numbers to be cross-referenced with other Facebook users, how many of them do you think would be ok with it?

3) Facebook doesn’t exactly have a perfect track record when it comes to protecting your privacy. And whilst it’s unlikely that your data will fall into the wrong hands or be used for evil, it’s still a possibility. If you can look past that and entrust Facebook with your own information, that’s fine. But can you really make that call (pun painfully intended) for every single person in your mobile phone’s address book? Would you like it if someone else was making that call about your own private information?

4) Facebook’s privacy policy isn’t a two-way street. While they won’t let you sync phone numbers and email addresses from Facebook TO your mobile phone, they are quite happy to sync ALL the phone numbers on your mobile phone TO Facebook and not let you delete them. How is that not a Terms of Service issue?

5) Whilst checking my Facebook Phonebook, I noticed that there were a number of people that I did not know and was not friends with. Facebook had matched them to phone numbers imported from my phone. Turns out some of these unknown users had fraudulently listed the phone numbers of hotels or businesses, that I had saved on my phone, as their own. Other users simply had phone numbers that matched some of my contacts due to both them and me not including an international dialling code before the phone number in question.

Here is another scenario: Random guy meets random girl in random club. Girl gives boy phone number. Boy is blasted. Boy doesn’t enter phone number correctly and confuses the last two digits. In a twist of fate, the phone number he enters is YOUR phone number (your phone number and random girl’s phone number are the same, except for the last two digits). Boy syncs phone to Facebook. Facebook matches your newly uploaded phone number to your Facebook profile. Now random boy has your name, Facebook profile and phone number. Unlikely scenario, perhaps, but still possible. When a wrong number is dialed, someone usually picks up, right? Well, why couldn’t that person be you? The point is your phone number is being cross-referenced in a system-wide Facebook phone directory, and you never opted in.

6) Facebook is notoriously littered with hundreds of malicious “Facebook Apps”, phishing scams and hacked accounts. Their sole purpose is to pump your account for your private data and that of your connected friends. Facebook is not the type of environment most users are comfortable storing phone numbers on, nor should it be. As much as I have defended Facebook in the past, the number of hacked accounts I see on a regular basis on Facebook forces me to think otherwise.

The Bottom Line:

I’m not suggesting uploading your address book online is taboo. A large portion of my address book lives in Gmail, so I’m no stranger to the concept. In fact, I’m a fan. The difference is, with Gmail I did so willingly. It wasn’t done for me or without my consent. Furthermore, I chose WHICH contacts I wanted to back up online. There are some contacts and phone numbers whose privacy I simply refuse to risk on the Web. Facebook has taken and continues to take liberties on behalf of their users. Their perception of privacy and their users’ perception of privacy are often very different. I don’t think this is maliciousness on Facebook’s part, but it does show me that Facebook is painfully out of touch with the needs and beliefs of their CORE users, who are still wary of the openness that a Web 2.0 lifestyle entails. It’s their right. Facebook needs to either respect that or openly provide a disclaimer that they do not.

(NOTE: The above post outlines my experience with Facebook Contact Sync and my iPhone. If you are a Blackberry, Palm Pre, Android or other platform user, please leave me a comment below outlining your own experience and/or feeling on this subject matter. Much Thanks!)

  • Could Facebook be testing how much people are like lemmings?
    http://society.oshana.org/leave-facebook-find-f...
  • Socacofl
    Unfortunately no
  • Brunetbeauty88
    Can you delete numbers from the phone book once added?
  • bil swan
    Dam-it, I just did the same dam thing.
  • SO
    Please join this group: http://www.facebook.com/group.php?gid=103226533...
    And feel free to create one in english.
  • kurtvonmoos
    I've left a comment on your Facebook group.

    Thank you so much for spreading the word. It's much appreciated :-)
  • inTOWN
    I just figured out the same... Accidentally I found the Facebook Phonebook, to figure out it had synced all my iPhone contacts. I am no internet/computer stranger (in fact it's my work). I'm 100% sure I never agreed to sync my iPhone contacts to Facebook or any other internet server/application. I did however agree to sync (photos) of my Facebook contacts TO my iPhone. Yet, all my phone numbers were to be found in Facebook. Hidden away and not to be edited or deleted.
    I was a big (promoting) Facebook fan, but this made me not sleep last night. I feel so fooled!
    When you upload photos or private info to Facebook > you do so willingly... but taking your info without you knowing is STEALING! It feels that it has been done on purpose and I don't understand why so few people know about this problem..
  • I feel your pain. When I first discovered this, I did a quick Google Search for the issue, and much to my surprise, I could not find a single blog post on the subject. Hence, my blog post above.

    Put it this way, I find it harder and harder to defend Facebook nowadays...
  • SO
    Have you found a way to erase the phonebook on Facebook?
  • Unfortunately... No. Looks like our contact information now belongs to Facebook...
  • ppsignup
    To be honest, I'll still sync my Facebook with my contact list. However it is true that this truly does violate my and others' privacy and it's just another point in the long line of Facebook privacy fails.