Facebook and Discovering Your Sensitive Contacts in Two Easy Steps

Recently, Zeynep Tufekci highlighted an article by Kashmir Hill regarding a particularly severe privacy problem. Facebook, like all social networks, uses a "people you may know" suggestion mechanism in order to grow connections among users. The problem is that this mechanism does not just rely on Facebook's own social graph, but instead uses other information including, apparently, phone numbers harvested from user devices.

Suppose Alice and Carol both have Bob's phone number saved in their phone contacts, and both Alice and Carol share their contacts with Facebook. There is evidence that Facebook's recommendation engine now uses this data to suggest to Alice that Carol is a potential friend. It might seem common sense or even harmless, but this is actually a severely exploitable vulnerability. It confuses a single-sided phone contact graph with public relationship information.

IT'S OUR SIXTH BIRTHDAY! Support Lawfare so we can continue bringing you articles like this one.

Suppose Mallory is an intrepid reporter who now has a list of a large number of congressmen's private cellphones. Mallory could then create a number of different Facebook accounts and for each account share only the contact number of an individual member of Congress. If Bob, referenced above, is a member of Congress and Mallory’s fake account (technically called a "sibil" account) shares only Bob's phone number, then when Facebook suggests Carol as a "suggested friend" to Mallory, she is able to deduce that Bob has Carol’s phone number in his contacts. Depending on Carol’s identity and relationship to Bob—a journalist relying on anonymous sources, a specialized medical doctor, even a mistress—the fact of this connection can be a significant leak. Using this kind of method at scale could be a pretty good way of harvesting private information from Facebook.

The flaw affects anyone with sensitive contacts on their phone. Even if Facebook can close the public leakage by removing single-sided phone numbers as criteria in suggesting "friends," that information still exists within Facebook itself.

This is made worse by Facebook's own security policies. In order to secure your account with two-factor authentication, or even to have a better password recovery mechanism, many users need to provide Facebook with their phone number. And those who use WhatsApp for secure communications are out of luck as well, since WhatsApp now provides its parent company, Facebook, with those users' entire contacts list for the purpose of "better friend suggestions"!

At the moment, I don't have a concrete policy suggestion for what should be done about the massive troves of sensitive information collected by Facebook, Google, and others. But this is yet another example of the importance of understanding the real world implications of collecting and sharing personal data and how such data might be used internally or leaked to an attacker looking to harm an individual.