I’m sitting here in a hotel working on a Request For Proposal for full disk encryption while listening to a movie in the background. (It helps me think.) I take a peek at the Facebook feeds and, lo and behold, my wife is blasting out some fresh Facebook privacy angst!
Keep in mind that she’s not a security pro and can barely spell HTML. Her concerns, reproduced below, will surely evoke some emotion:
WTF FACEBOOK! ALL THE PHONE NUMBERS IN YOUR CELL PHONE are now on Facebook. No joke - Go to the top right of the screen, click on Account, then click on Edit Friends, go left on the screen and click on Contacts. All phone numbers from your cell phone (FB friends or NOT) are published. There is an option on the right to disable. Feel free to repost this on your status, so your friends can remove their numbers and thus prevent abuse if they do not want them published.
Her Facebook post gives the steps needed to reveal the mobile numbers of your friends, including the Facebook friends you don’t really know at all.
If you don’t think this is a privacy risk, let me put it in perspective with how I use Facebook.
I have just under 1,400 Facebook friends. Most of them are a result of playing, dare I admit, Mafia Wars. Even though I stopped playing over a year ago, I still have lots of Facebook friends as a result.
I clicked on ‘Account’ -> ‘Edit friends’ -> ‘Contacts’ – and there they were: the mobile numbers of 213 friends. I estimated that about fifteen are people I know well, and a good number more are former or current colleagues.
I compiled a list of graphics pointing to some of my Facebook friends whose mobile numbers are now visible to me, even though they almost certainly never intended to share them. I smudged their mobile numbers to respect their privacy.
Here’s what I think could have happened.
Some time ago, Facebook started posting messages on users’ accounts saying that their account protection status was “very low”, and they should increase their protection.
Naked Security criticized Facebook at the time for using what we thought were scare tactics to encourage users to give Facebook alternative email addresses and mobile phone numbers.
Facebook’s thinking was that if users lost control of the email account they normally use to log into the social network, there would be an alternative contact point which could be used to regain access.
That’s fair enough if you’re comfortable with sharing that additional information with Facebook. We just didn’t like their wording, which gave users the impression that there was something seriously wrong with how they had defended their Facebook account.
But what if you did follow Facebook’s recommendation and gave them your mobile phone number to enhance your account’s security?
Once you’ve confirmed that the mobile phone is in your possession, Facebook quietly adds a setting, enabled by default, that shares your mobile phone number with your Facebook friends.
In other words, regardless of how you had previously configured the privacy settings for your mobile number, that choice has now been overridden, and your Facebook friends can see your mobile number in their Facebook phonebook.
In fairness to Facebook, it was you, the user, who agreed to this in the first place. You might not have liked them enabling this option by default after supposedly enhancing your account’s security, but you did allow it to happen.
My advice is to consider doing the following:
Remove other people’s mobile phone numbers that you may have imported, using the steps given by Facebook. You’ll still see the phone numbers of Facebook friends who have chosen to share their contact details.
Some of your Facebook friends may be listed in your phone book because you synced your Facebook account with your iPhone or Android smartphone using the Facebook app.
If you’re not comfortable with this, tell your smartphone not to sync with Facebook in future and, at the same time, disable Facebook’s ability to email your non-Facebook contacts every two weeks with a reminder to join Facebook.
Finally, check the privacy settings on your own account to prevent others from seeing your phone number.
And what about the next cool Facebook feature? Should users simply get used to this sort of thing?
No! Facebook, if you plan to be here for the long haul, upsetting users like Jenny is not the way forward.
Most of your users are much like Jenny. She treasures her privacy; so should you.
Asking your users to opt in when new features and services become available is a much better approach to keep them happy and using your services than forcing them to opt out.
If you’re on Facebook, and want to keep informed about the latest security threats, I would recommend joining the Sophos page on Facebook where we have a community of more than 100,000 people.
Update: Thanks to readers for their comments below! I’ve updated the article above to reflect the advice regarding synching of contacts, and additional steps for resolving the issue.
Furthermore, check out Facebook’s own statement on the scare.