This is one of the many dark patterns that Facebook uses. It simply does not respect any boundaries the user might wish to have in place...
Install it on your phone? Anyone you have in your phone's address book gets to see your picture under "people you may know".
Someone in your family joins Facebook and friends you? Now everyone you are friends with gets prompted about whether or not they know your family member.
Want to delete some pictures you uploaded to Facebook? It's extremely difficult and they must be deleted one by one.
Other than LinkedIn, I'd say FB is the prime innovator of UI dark patterns that exploit users' unwitting behavior for profit.
The youngest generation of internet users gets this which is why they largely do not use Facebook. Soon they will realize that IG and Whatsapp are connected, and will avoid those too.
What's interesting to me is that the recommendations are fundamentally not useful. It's easy to look someone up by searching for their name without the privacy-invading helpful suggestions.
Some girl from a dating site Googled my phone number, found my name, searched for me on Facebook and then Facebook suggested I friend her, providing me with her full name, which I did not previously know.
If you search for someone on Facebook, then Facebook will suggest to that person that they friend you. Seems a massive privacy hole to me.
I've been aware of how Facebook attaches people to you for a long time, so I deactivated that one, made a new Facebook several years ago primarily for development purposes, different name, different email address, friended a few people from one particular circle, never installed it on my phone
Occasionally I will get random friend suggestions about people in different chapters of my life
Facebook didn't have my address book, or a big enough graph to make these connections
I hadn't considered that those were the people merely searching for my name or variations of it
I didn't know about this either, but it sounds like you may have found another possible source of the leak: patients putting the name of the psychiatrist into FB search.
If B searches for A and C searches for A, does that imply a relationship between B and C? Especially if they live nearby? Who knows :(
I noticed that too. The more often you search for someone and click on their profile, the more facebook will promote the connection both ways.
I think it's kind of interesting to 'figure out' how the facebook machine works. How a simple interaction, a location, a conversation or even a purchase on amazon shapes your news feed and the feed of people around you.
Its interesting to me you think youngest generation of internet users get this. I do hope its the case. I always thought it was the people around at start of net who would get it. I was around preNet and remember how dangerous and scammy everything was so I never sign up for things like facebook or use real name etc. My first thought when I saw facebook was its a great way to get stalked and killed or targeted for whatever people can think of.
They get it because in the jungles of many junior high and high schools, anything that can get you bullied will get you bullied, and young people quickly realized that all the accidental oversharing (by themselves or by their parents, elders, etc.) were easily exploited by bullies.
Thus they came to prefer simpler networks with simpler security/sharing models and features (like automatic photo deletion) that respect user privacy.
I know it's seems like it's 'dark pattern' week on HN, but not everything is a dark pattern.
Dark Patterns are user interfaces that are designed to trick users.
Facebook requests the permission to go through your stuff and if you read their data use policy, they go so far as to tell you in detail exactly the information they're taking from you, as well as how they use it.
Sure, it's a little bothersome when the information that you've given them goes farther than your personal preference, but it's not a 'dark pattern', it's just a feature that you don't like.
> it's not a 'dark pattern', it's just a feature that you don't like
It's a similar sort of dark pattern to the practice of putting the important details of a contract hidden in a massive block of text rendered in a tiny font.
Yes, they are technically being upfront about what is going on, in the same way that two pages of 8pt legal boilerplate informs the signer of the details of a written contract.
If it weren't a dark pattern it would be very easy to turn off the undesirable bits, and users would rarely be surprised by the consequences of the default settings.
Let's not forget that contrary to our poor performance on abstract logic puzzles, humans of all levels of intellect are superbly good at reasoning about potentially embarrassing social situations. Hence FB must work hard to de-emphasize the way FB actually works to make people consent to many of the default permissions. That is in my opinion the definition of a dark pattern.
It is the gray area enabled by these practices that makes FB's content interesting... because accidentally over-shared content is interesting to us about a small percentage of the people we are friends with. It's nearly a law of human nature that we are fascinated by obscure details of a small percentage of people for all sorts of reasons (sexual interest, jealousy/aspiration, schadenfreude, stalking, etc.) and we all have some small group of people who are interested in our obscure likes/posts for the same reasons. Rarely do we overtly interact with such people (in either direction) because it is socially awkward, but FB generates revenue/engagement off of the lurking that we all do and the blindness people have that they too are the target of such lurking by others (which is why the dark pattern works)... it's what makes FB scratch a particular voyeuristic itch for people and why it's been so successful. LinkedIn works the same way but for things like job changes, promotions, etc.
> Sure, it's a little bothersome when the information that you've given them goes farther than your personal preference, but it's not a 'dark pattern', it's just a feature that you don't like.
Convincing users to accept a feature they would otherwise opt out of if they had a reasonable choice and/or fully understood the feature seems like a textbook dark pattern to me. Hiding the data collection policy inside a giant EULA or using a carrot feature as a lure is indeed intended to trick the user. The fact that many services have adopted these tactics does not change their being dark patterns; it just means dark patterns have proliferated and become the norm.
Indeed, I don't believe the problem here was that Facebook was tricking their users here into handing over their phones/emails contact information (aka this persons client lists). FB is explicit about permissions in this sense, although most users agree to everything without thinking twice.
The real problem is how the information was utilized by the recommendation engine, which is known to be creepily effective at matching people (people who just met for the first time, for example). FB is investing heavily in AI here so this is the natural outcome - where the results are very effective but has some unintended side effects. The side effects are largely due to the fact this connectivity happens in the background, outside of a place where the user can control privacy settings on particular contacts.
So I'm not sure there is an easy solution here. Mining contacts and social information is Facebook's business. It's what you hand over to use the service and why many people stop using Facebook voluntarily - or carefully limit what information they allow access to. I never allow FB to access my phones contacts, for instance, and their mobile app still works fine.
Fundamentally though that's the problem with the modern web - the services that users get is not a transaction in the sense that the user knows what they're giving up for the service - it's all hidden under an innocent permissions check (if it's Facebook) or not said at all (if its LinkedIn). The user provides permission for a small pittance like their email address or phone number and it snowballs into having every want need and action tracked and catalogued to make the service owner money. A product not intent on tricking the user into giving up every bit of the data on their life would ask if it could use individual bits of information to serve them ads and sell their information.
It takes more than it asks, and the fine print is there to cover its ass, when in reality if users were asked about what information they were willing to share they would be much more uptight. The users's have no real idea what is happening with their data, what they've given up or how its used to make the company money. It may be true that most user's don't care, and some might even prefer the outcome to them in the form of "relevant" ads (if the choice is made over "irrelevant" ads or paying for the service). It certainly is transforming what is in the public sphere about people, and the lessening of privacy can certainly be used as a weapon (and it is, to the extent that it is a big powerful force arrayed against a person independently figuring out what they want to spend their resources on).
> I know it's seems like it's 'dark pattern' week on HN
OK, what is a dark pattern by your definition?
Dark patterns are a relevant topic on HN because many startups are measured in terms of user engagement and the growth of their user-base.
What is the difference between advertising and information? Growth hacking techniques and clickbait? Nudges and dark patterns?
These things are interesting because the line is blurry, and many patterns (dark or otherwise) that used to work suddenly stop working. This is why banner ads worked for a while and why interruption ads are becoming more and more common, and why adblock is becoming more and more common.
The world is not static, and so there is not ever going to be a consistent definition of what constitutes a dark pattern... it depends on the audience. In the first world, most 70 year olds are now on Facebook, and they are vulnerable to many patterns that the younger generations are not.
Just as scammers send senior citizens envelopes that look like social security checks but are actually ads, Facebook offers something that looks like a way to voluntarily share information but is actually often involuntary.
I think FB should take a hard line against dark patterns and be content to grow based on the massive network effect it can get without them.
Dark patterns ask you to sit in a chair, without telling you that you can get paid to stand. (masking benefit without restricting access to the benefit; misdirection but without total erosion of trust)
This is about exploiting the exposure of unique identifiers (phone number mapped to email), and an interloping tattle-tale ratting out their correlation to the same owner.
It's something more akin to a Prisoner's Dilema, except people aren't cognizant that "They Are The Product" so no one thinks of themselves as prisoners ratting out conspirators.
LinkedIn is pretty bad at trying though. I got a new job not long ago, they congratulated me on it, two days later or so, and even now still they keep sending me emails about my next future job. I barely have gotten my feet wet at this one... What in the world?
I had a recruiter on LinkedIn do that to me. They literally said "I know that you're starting a new job next week, but are you interested in hearing about other job opportunities?" No, but now your recruitment company is on my blacklist, thanks for the heads up.
What's their benefit to putting in the extra work to delay such emails based on your start time? What if some people actually wanted the emails regardless of a recent new job? What if they don't trust the start times that people claim?
I used to freelance and FB started showing me one of my client as suggestion even though I use a work email for that, how? My client must have installed the FB app on the phone and his email client must have synced my email on the phone and now even FB had my email.
> Want to delete some pictures you uploaded to Facebook? It's extremely difficult and they must be deleted one by one.
THIS is a huge pain point for me. I would ideally like to delete all my Facebook photos and timeline/wall posts from all of history. However, I cannot find a greasemonkey or tampermonkey script which will actually accomplish this. There are a few that claim to, but none actually worked for me (outdated).
I have coworkers' phone numbers on my phone so I assume that's how Facebook is recommending them to me. I like my coworkers but this is kind of creepy. Wish there was a way to turn it off, both directions.
Even if you would "turn it off" and fb would not recommend it to you, they would still know the connection, and those same people would get you as a recommendation. So "turn it off" only would mean "hide the underlying connection".
Only way to prevent this is to hide/obfuscate/limit information that fb is accessing about you. And that would be a huge feat in an of itself.
The whole premise of FB is to "connect people", whether or not you like it, so it's not an entirely unexpected behaviour from them. It's also the reason I don't use FB, and never will.
I bet the patients of the Doctor found themselves through each having her phone number. Hey they both are "friends" with this person maybe they should be friends as well.
This doesn't require for the middle man to have an account. You are inadvertently acting as a conduit for people to connect to one another.
FB likely has a "ghost" account for you anyway that they use to do this connection. So it is like you are using FB in some alternate universe.
and the thing that sucks about us non-FB using people is that Facebook still has a pretty complete profile of our photo likenesses, names, emails, phone numbers, and other website profiles.
TLDR#1: The investigation still didn't reveal exactly how this happened.
TLDR#2: The recommendation to "prevent" these issues on the individuals side is, "Lisa’s medical community has started recommending that patients concerned about privacy not log into Facebook or other social media accounts at medical offices, or even leave their phones in their cars during appointments. "
This is about as practical as recommending people just figure out how to fly and occasionally levitate into the upper atmosphere to go out of the cell tower's range, move a few kilometers west, and then fly back down to earth to scramble all these tracking algorithms.
So basically don't install Facebook or Whatsapp try to use the Facebook website if you can or better yet don't use Facebook at all on your phone if you value your privacy.
It's sad that we are at this stage but it's mostly our fault for being so complacent with companies doing these kinds of things.
If people stopped using their service when they did these kinds of things they would change their behaviour really quickly but most people don't know or care that this is happening.
An individual's data sharing with Facebook is less of the issue, here, though. You personally not using it doesn't prevent you from becoming the common thread that ties others together.
Just because I'm not on Facebook (I'm not), anyone that's allowed Facebook to see their own contacts, in their phone or email, has shown that they are or are not connected to me in some way. Without me actually ever even having an account with Facebook they can correlate this data from users to see who is likely to know one another by a shared connection to me. Just because my particular node on the relationship tree has more blanks than it would if I was a Facebook user does not mean I don't create a node at all.
My guess for this Facebook issue in particular is that the Doc potentially did absolutely nothing herself, but rather all of her patients had mail and phone contact lists that included her and that common thread along with the same geographic area was enough to trigger a recommended match. In other words, this was equally likely to happen even if the doctor never had a Facebook page of her own.
I think we're in for a slow painful transition until people (in aggregate) intuitively "get" exactly how invasive and unfriendly data-correlation can be when you expose yourself -- and your friends -- to when you share seemingly-innocuous facts with our welcomed-digital-overlords.
That doesn't seem to be very important. It's not the doctor who wants privacy.
The people who want privacy allowed Facebook to scrape their contact lists and monitor their locations. They then expected Facebook not to correlate this data with others who contact and visit the same doctor. Why not?
> They then expected Facebook not to correlate this data with others who contact and visit the same doctor. Why not?
Because that would be a dick move.
But clearly that is not enough to dissuade companies from doing this kind of thing, because they have no morals.
And that is the crux of the problem. They don't give a shit what would be considered "reasonable behaviour" for a human being, because they are just giant correlating machines with access to data they shouldn't have been given access to by people who don't know better.
At the end of the day, we are allowed to have reasonable expectations of others, including companies, so I take issue with any implication that they should have known better. We are allowed to have these reasonable expectations. And we will be constantly disappointed. But we should maintain them, I might even say that it is a duty to do so.
Saying "they should have known better" is giving up the fight prematurely. They shouldn't have to know better. They should be able to expect that their privacy (a right) will not be violated.
It is an ideal, not a reality, but it is something to work towards. One step might be to sue the hell out of Facebook for this.
Sherman, set the wayback machine for about 110 years ago...
The people who want meat didn't demand tours of the meatpacking factories. They then expected the meat they bought to not be unsanitary and diseased. Why not?
> So basically don't install Facebook or Whatsapp try to use the Facebook website if you can or better yet don't use Facebook at all on your phone if you value your privacy.
I've been doing this for years now, and you know what? I don't miss it at all. I use the Facebook website from my computer, and that's A-OK.
Neither do I, but as I've described at tedious length here a couple of times recently, I do miss the social life I had a few years back, and which opting not to sign up for Facebook cost me.
It would be really great if the choice not to use Facebook did not often entail serious negative consequences. For one thing, I'd be a lot less annoying on the subject. Unfortunately, that happy state of affairs does not appear to obtain in either case.
> I do miss the social life I had a few years back, and which opting not to sign up for Facebook cost me
You don't know if it was "opting not to use Facebook" that lead to decline in your social life, because you didn't test whether "being on Facebook" would not have lead to decline in your social life.
(I've seen many articles that state exactly the opposite - that people who have less social interactions spent more time on Facebook.)
>So basically don't install Facebook or Whatsapp try to use the Facebook website if you can or better yet don't use Facebook at all on your phone if you value your privacy.
It's sad that we are at this stage but it's mostly our fault for being so complacent with companies doing these kinds of things.
Exactly: it's our fault. None of this privacy-invading stuff is secret, it's all over the news. At this point, if you get burned by Facebook, it's your own fault for using it.
You're being overly complacent. Facebook might find it harder to track people who don't sign up to it, but they still have shadow profiles for tracking non-users. You get tracked by what your friends and contacts share about you as well as what you choose to share. If anyone who put you in their mobile contacts let Facebook's app loose on their phone, then smile, you're already on Facebook.
Privacy is an environmental issue, not a transactional one. With the current system, there's really no opt-out short of opting out of social life altogether.
Only if "our" is taken to include "most people". If we, the people who are aware of the situation, were less complacent, we would inform more of the general population (who don't read HN) and potentially convince others they should care too.
Especially since odds are the data being correlated comes from the contact lists in her patients' phones. Even successfully confounding geolocation won't solve that.
The other tricky thing is, even a single lapse in forgetting to turn the phone off, or bringing it with you is enough to undo all vigilance ever. I don't see it as feasibly, especially for people that are anxious or distracted by something more important on their mind.
You know, it really says something about our industry that our preeminent modern accomplishment requires everyone to choose, blindly and unaware, among effective social nonexistence, espionage-grade opsec, or the kind of radical transparency that no one but maybe a performance artist would even have contemplated just a few years ago.
Yeah, I know this can get brought out a lot in these circumstances, but remember how everyone thought Richard Stallman / rms was crazy for being so disconnected from the Internet? Somehow that doesn't seem the case anymore.
Keep in mind, when you consider that, that Stallman is also almost entirely disconnected from the world, as well. Granted, that's by choice, and it seems to suit him. But it casts a great deal of doubt on the value of his perspective, especially his perspective on those people who choose otherwise.
It's sort of infuriating, if I'm honest. He has a lot of insight with regard to, for example, the extent to which Facebook abuses people who use it. But the best he can muster by way of response is "Well, don't do that, then, and if you do, then to hell with you." Which is, to say the least, not helpful.
Edit: And on further reflection, the insight he does have is hardly unique. The more I consider what I've heard and read him to say, the less I find myself able to see what he actually has to add to the kind of nuanced conversation which needs to take place on this subject.
Further edit: So your response, while of value, kind of misses the point I set out to make, in that Stallman's situation falls neatly into the "effective social nonexistence" category. The question I'm asking is larger, and more along the lines of: How the hell did we let our industry become something of which Facebook is the exemplar, and is this really something with which we're okay?
Effective social nonexistence? Come on. As someone who does not use Facebook and Twitter, yet miraculously has an active social life, I find your dichotomy to be false.
That's great. As someone who also does not use Facebook and Twitter, and saw the result this had on the social life he'd enjoyed before they rose to such preeminence in the field of mediating human social interaction, I find your experience to be lacking in universal applicability.
Or have the office assistant provide a metal tin container to use as a Faraday shield. "Put your phone in the box to prevent it reporting that you're here today."
That would create very conspicuous network exit/entry points at the office. According to Zoz's DEFCON 22 talk[1] about modern OPSEC, these are specifically targeted by various agencies, so I'm sure Facebook finds entry/exit data points just as interesting.
Which works fine for iPhone owners, and on the 15% of Android devices running Marshmallow, in the relatively rare case where someone knows this can be done and acts upon that knowledge. Everybody else is hosed.
You can disable the location access entirely on Android, and enable temporarily only for the short moments when you really need it.
Most Androids have a slide-from-top quick menu when you can toggle it with one click. Honestly, Google Maps is the only app on my phone that really needs location access.
Just because you turn it off doesnt mean it's not tracking you. Have a look at google location history, it doesn't use GPS but it can still pinpoint you very closely using cell tower triangulation. Stallman was right, we carry the worlds most advanced tracking device in our pockets.
So, I deactivated my account maybe 6 months ago, and uninstalled the app long ago. Since then, I moved halfway across the country and, using a brand new laptop, a fake name and number, and a throwaway email address, created another profile so I could use their API.
People You May Know still had old high school friends, my old real estate broker (??), and someone I starred on GitHub. I have absolutely no idea how they connected that account to my old one, considering Google Mail is the only other service I've used on that laptop.
If you're not using a plugin such as Facebook Disconnect, pages that have a "Like this on Facebook" embed or similar can accidentally or deliberately reassociate you with your prior identity. Consider this scenario:
3) When your browser requests the button from Facebook, the referrer is "http://example.com/?user=3834" which is a URL that you visited a lot when your old Facebook login was active, and it was never visited by any Facebook users apart from you.
There are other similar ways they could link you to an old identity if they wanted to, some not necessarily blockable by these plugins, but the above would be simplest.
You either logged your new account into a mobile device and it pulled your contacts, or you gave facebook your phone number for account recovery / two-factor and they already had your contacts either from your old account, or if you use whatsapp or instagram.
You can't provide a fake phone number for account recovery / two-factor authentication, as they verify that you control the phone number before accepting it.
Fully block all the Facebook network, they have trackers on virtually everything. From ad network (including "free" apps) to all the sites/services in their network (WhatsApp, Instagram)
I'm not, in fact I'm using a different ISP entirely. You really think my behavior patterns are uniquely identifiable at FB's scale? I can't imagine how many other users must have similar typing/clicking/resting/etc. patterns.
Interestingly, my comment's getting down-voted without refutation. C'mon, let's talk :)
Anyway, no, I don't know if FB can do that at scale.
What I do know is that sites, especially complex ones like FB, like to track user interaction to evaluate UX (hover targets, click targets, time it takes to find call-out etc).
If I were a data science type at FB, and knew FB was collecting that stuff, I think I'd like to find out what other questions I could answer with it.
Or more banal - did you use your laptop as a wifi endpoint and connect your phone & WhatsApp to it?
The phonebook hypothesis seems most plausible to me (especially considering that WhatsApp is owned by facebook). All those apps gaining access to a phonebook is a privacy disaster.
You would be surprised just how few people know Facebook owns WhatsApp. When I mention it to my non-tech friends, they are first surprised, and then nod their heads like its no big deal, and then a few weeks later exclaim utter surprise at some new privacy intrusion.
Someone should start a project with the sole purpose of mining all kinds of personal data about FB employees from Facebook/Google and publish it as a Kaggle dataset for mining. Wonder how they would feel about that?
The main issue, which you and I both see, is the sheer asymmetry of the whole thing. We are in this weird situation where the individual, the typical cognitive miser who even on his/her best day cannot possibly take all the preventive actions, is up against tireless machines with perfect memory and ability to generate extraordinary pattern recognition working all day to mine just that little bit more information to then hand out to the advertisers.
But I see your point, and certainly would like to see more constructive suggestions than mine.
I see so many potential ways of aggregating this kind of information in massively privacy intrusive ways on a day to day basis. And it's terrifying how many of them are just stopped by my lack of willingness to sacrifice my morals over it.
Because I know very well how easy it is for people to think "oh, well, but that one little thing isn't so bad, when faced with bills to pay, or a raging boss. Many of which really aren't all that bad in isolation. Except it doesn't take all that many "one little things" before you have a total privacy disaster.
If employees are having trouble saying "no" to unsafe, unethical, or unlawful projects, then a professional association or union is needed. A professional association can create duty requirements external to a company; it's easier to say no to your boss is have the excuse that "as a member of $ORG, I have follow $ETHICS_RULE".
Alternatively a union can put pressure companies to never ask for certain things or to meet a standard for any privacy issues. Unions are usually seen with hostility in the tech industry, but they are just another tool; a union can be made for specific purposes, and ignore e.g. wage or anything else.
I would like to have more constructive suggestions to offer, too. It's not a simple problem, though, and it will not be quickly solved. Threatening Facebook employees (doxing people is a threat) does not seem likely to make anything better.
Well, facebook is "doxing" non-members by virtue of shadow profiles and by encouraging to tag everybody in the pictures. Counterintelligence could be a valid way to keep democratic society.
Your aversion to threatening employees reminds me a bit of the old "just following orders" canard.
Developers are not sweatshop workers beholden to the company store. They have a plethora of employment options. If they willingly choose to work for such a company, the case could be made that they have made themselves legitimate targets for having made this choice.
It's a moral hazard¹, or possibly an externality; the people writing the algorithms that violate people's privacy are not themselves the victims.
Normally in a market system you want to keep the chain between cause and damage short enough to be comprehensible for the people causing it; otherwise, there's no good way to make them avoid it.
Of course they have FB accounts. That isn't the point. The authors of these algorithms introduce - often without conscious intent - their own biases. They bring their own background, morals, etc when they design an algorithm.
This is a general problem with creating an algorithm to supplement or replace anything previously done by humans. Even if the algorithm is given accurate and unbiased data (which is rare), the choice itself to use an algorithm in the first place and the design of the algorithm also contain bias.
Sometimes this bias is intentional such as "redlining" where housing loans were denied to blacks using various proxies for race. I suspect that in most cases the bias is accidental, which is why it is very important to check the results carefully for any unintended bias. In situations like Facebook, simply asking their users first (opt-in) if they would like to participate in "local friend discovery" would be a great start.
No they are not. For example, it is now common knowledge that Mark Z bought off all nearby houses in every direction to get more privacy. [1] Do you and I have similar access to resources?
Suppose your identity is stolen and you find yourself penniless because someone hacked into Facebook which also affected your friend who works at Facebook. Who is more likely to be in great financial distress the next day? Who is more likely to know the full impact of the situation?
Also, if someone in Facebook were to be negatively affected in some way, they probably have friends inside who can help them out. Do you and I have a direct line to a similar friend? In fact, we are likely to be the very last people to know of any such exploitation.
Besides, the closer you are to the algorithm, the more likely that you know how to circumvent it, even exploiting some simple bugs that others are not aware of.
And how about opting out? As a technologist, how hard do you think it would be for an insider to add himself/herself to the opt-out database, and also make sure that there were no hiccups in the process? Contrast that to something as simple as opting out of junk mail - have you been 100% successful?
I just made four observations about how you and I do not possess the same advantages as an insider at Facebook. What are the odds that, something can slip through four different test cases you set up and still turn into a bug in production? Minimal, don't you think?
You make really good points about not countering immoral action with more immoral action. But your notion that FB employees could somehow become unwitting victims of their own technology sounds seriously far-fetched to me.
I recommend that we all add the office number of a health care professional we don't need to our phone book. It will muddy the water just a little bit.
It would be better if Facebook didn't hoover up data not explicitly entered into their app or website.
In fact I think that should be the basis of privacy laws everywhere: You can only use data that the user personally entered into your application or website. Data should only be available across your different "properties" it they are branded as being part of a single platform.
It would be much more in tune with the average persons understanding of something like Facebook.
Your suggestion might actually lead to something very interesting.
Once a day when someone logs into FB, they should be presented with a word problem asking if the data they have thus far submitted to Facebook can be used to mine such-and-such fact about them.
If they cannot answer correctly, FB should not do said type of mining. As their understanding of the potential for mining info increases, FB is also allowed to add that type of mining.
This would be a win-win. People would actually understand what is going on, and FB itself has something to fall back on when the day comes when people turn this into an inquest (more a question of when than if in my view).
And I wish all the big tech companies would do something like that.
>People would actually understand what is going on
I don't think that's in the interest of companies like Facebook or Google. If people understood how their data can be used, many would close their accounts immediately. Data mining companies, and their customers are best served by keeping the public in the dark as much as possible. Revealing how much they actually know about us would cause trouble, if nothing else then simply because it's creepy as hell to many of us.
The funny thing is that while I think all this data mining is creepy, I also believe it's useless in most cases. The only thing I've seen work well over time is Amazons recommendation of books.
Its also not in my interest to reduce my net worth by paying taxes. But it happens promptly each year. Maybe its time we demanded this from the companies.
Also, I would argue it is indirectly in the interest of said companies and their employees if they prefer that their legacy is to avoid being referred to in the same bracket as the Enrons and the Arthur Andersens of the world.
The trouble is, they are also too big to fail now. The thing that petrifies me more than a thriving Facebook is a Facebook on the brink of collapse and which has nothing to lose.
This is almost certainly the "phonebook" hypothesis.
If Lisa has her phone number associated with her Facebook account and either Lisa or the client has the others phone number in their smart phones contacts and the Facebook app installed that relationship can pop up in people you may know. If there aren't good "people you may know" suggestions the ones you get can end up being "people who may be known to people you know".
The reason I think this is because a therapist friend of mind had this exact problem and deleting her cell phone number from her Facebook profile made it stop.
What Lisa (and anyone else with a professional responsibility to protect client privacy) need to do is to stop associating the phone number they give to clients with Facebook or other social media.
> What Lisa (and anyone else with a professional responsibility to protect client privacy) need to do is to stop associating the phone number they give to clients with Facebook or other social media.
Understanding how Facebook connects different people might help prevent this from happening, but as Facebook's tech becomes more advanced/pervasive Facebook will need to provide an explicit feature to protect user privacy for situations like this. As it stands, the implications of sharing your phone number, location, etc are already far from explicit.
1. Sharing my mobile number via the Facebook app without my explicit consent or knowledge
2. Using my Whatsapp contact list to recommend people I might know
And now, I've recently started getting all sorts of arbitrary notifications even though I've stated several times I don't want to be notified of anything.
The only reason I still have a facebook account is so that I don't have to share stuff like my email address and phone number with people. But at this point it doesn't seem worth it any more.
Note that everyone's favourite privacy-respecting app (mine too!), Signal, also does contacts-sharing, although it doesn't do friends discovery (so the server knows one's contacts, but one's contacts don't). If Open Whisper Systems wanted to be evil, though, they could do this form of analysis.
Back in March I laid out how they could use a private set intersection protocol to enable any pair of users to privately share their contacts: https://news.ycombinator.com/item?id=11289223 (I'm not posting this to shame them or something: March wasn't that long ago for developing a feature like this, and of course it's open source; I could develop it myself and submit it to them).
I think it's something they care about; they've just not found a solution they're comfortable with yet.
Well, that's the good thing about PIR — with the protocol I discussed, OWS wouldn't have access to one's list of contacts. They'd still know with whom one spoke (anonymising that is a hard problem), but at least they wouldn't know everyone one knows.
I uninstalled the Facebook app from my phone when it kept trying to push Messenger on me. I only use the webclient these days.
This bolsters my resolve to keep that app off my phone. You know, it doesn't bother me too much to have companies like Google analyzing my email to send targeted ads because I assume that information is not going to get out to the public. Facebook is a different case because there's a bidirectional flow of private information. It is a HUGE privacy concern (especially as someone that will be a physician in a few years).
I succumbed to the Messenger app and the first thing it did was message a random handful of my friends to say I've joined Messenger... instant uninstall. Now I also just use the web client and if I want to read my messages on my phone I can do that by requesting the desktop site.
You can also request the mobile site (m.facebook.com), but with a desktop user interface. This seems to be the most practical way of reading Facebook messages on mobile at this time.
Amazed that this 'feature' hasn't been killed yet. At this stage of Facebook's maturity, everybody finished adding their real friends about five years ago, and suggesting non-friends with tenuous connections to the user serves only to remind everyone what a privacy disaster Facebook is and generate bad press.
The other side of that argument is: You don't stop making friends & meeting people, why should Facebook stop suggesting people you might know?
I moved out of state three years ago, most of the people I see & spend most of my time with a completely different than the people I did five years ago.
I feel like most users can perform a basic search and add or can exchange contact information elsewhere. When the ratio of weird/unsettling/awkward suggestions to helpful suggestions is high then the feature is not working as intended.
I normally reply to people who cart this argument out: "so you're ok with someone following you around with a camera videoing you? At work....in the toilet....in the bedroom...?"
There's still a stigma, most places. It's a shame, and I wish there weren't, but there is. So it's not hard to see how that argument can have a hard time getting traction.
Oh, I just mean it as an example of something that you should absolutely do if you need it, but something that most people wouldn't want publicised (because of that stigma).
By the way anyone has a link to the full transcript/video? I can only find the cut version (and iirc there was something else between the trusted friend question and the quote, but all videos online have a cut/voiceover in between which is kinda suspicious).
(I seem to remember the "it" in the quote meant putting information online / publicly available, no the "something" that you don't want anyone to know)
The "it" in the quote meant, "if you're going to commit a crime, don't tell Google about it. If you tell a big company all about your plans to commit crimes, don't be surprised when the cops come knocking."
Schmidt has a way of saying reasonable things using the most offensive and misinterpreted language ever.
You never know, things you consider normal today might become retroactively punishable tomorrow. Maybe you "offend" someone on-line who in the future becomes powerful figure and they might bring vengeance on you or your family.
This is a real problem. My sister is a legal clinic domestic violence attorney, and apparently there are concerns about DV clients unwittingly friending their legal clinic advisors, not realizing that by doing so they're outing themselves to their abusive partners.
> Facebook and the other companies in the Facebook family also may use information from us to improve your experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads.
[whatsaap privacy policy]
Or 10 people checked psychiatrist’s facebook profile, facebook found common interest, saw that none of these people are fb friends and suggested to become friends, because hey, you all have something in common, you are all interested in this person.
I think it's also quite likely that the psychiatrist's patients are searching for her profile just to checkout how's her personal life on FB which might give FB some clue as these people might know each other hence a friend suggestion. I do that sometimes to see some of my not-so-close friends.
I have a number of psychologist FB friends and every one that I know of has changed their name on FB to make it harder for patients to find them. Many go with FirstName MiddleName, some make up a last name, etc. That's not to say that it's impossible to find your therapist on FB, but I'd be really surprised if it's easy.
That's why I am getting more and more reluctant to share anything. It's starting to be impossible to predict how your data will be used and what is private and what isn't.
I wonder if there is an open WiFi access point in the vicinity. I noticed that I had several coworkers suggested as friends shortly after I connected my phone to the office WiFi.
It makes sense that people using the same access point or connecting to Facebook from the same external IP would likely know each other.
Actually wayyy before WhatsApp announced [0] that they were going to share data with Facebook, Facebook had already started suggesting me to add friends. These are people whom I have no mutual friends with, but after more suggestions popped up, I realized they were all people I added to my address book and contacted before on WhatsApp.
I definitely did not consent to sharing my address book contacts with Facebook, and frankly nor would I want to. Now WhatsApp is offering an "opt-out" option, but I'm not sure how that will help. Isn't it a little too late for that now?
The funny thing is that this would be very easy for Facebook to fix - just a line of text under each friend request explaining the suggestion:
* "You're both friends of Duffman McPartyDude"
* "We found Psycho Ex Boss's phone number in your contacts"
* "Location Services confirms you were both frequenting a dubious drinking establishment at 4am three Saturdays ago"
Would they do it though? Of course not. It would scare the hell out of their users if they knew how this algo actually worked.
"People You May Know is based on a variety of factors, including mutual friends, work and education information, networks you’re part of, contacts you’ve imported and many other factors,” said the spokesperson by email. “Without additional information from the people involved, we’re not able to explain why one person was recommended as a friend to another."
Facebook is full of shit. Of course they are using locations, why else would I get suggestion to friend the guy that cuts my Mother in Law's yard - he stops by for a check from my wife.
Isn't it more likely he has your mother in law's/your wife's/your phone number programmed into his phone and shared his contacts with Facebook?
It seems like that is the source of 99% of 'creepy' Facebook recommendations: Facebook doesn't realize that while 'has phone number' is a great indicator of 'knowing somebody' it has poor transitive properties.
...because the gardener has MIL's number in his phonebook, you have your MIL's number in your phonebook, and MIL has both numbers in her phonebook. See the network?
Yeah, I don't buy it either. I only use FB in a browser (Android) but have had multiple friend suggestions of people I do not know but have seen out at a bar or party a couple of days afterwards. They aren't in my contact list, pretty damn sure I'm not in their contacts either. I wasn't tagged and didn't check in, but probably did log in to FB at some point while at the location.
It should be a lot easier for everyone to collectively sue Facebook and other social networks for violation of privacy.
This is just one of the economic asymmetries where small annoyances to everyone, but not enough to individually do anything about it, aggregate to billions for a few in power.
The only social network we need is a collective legal one.
I know for a fact that Facebook uses my phone contacts to suggest friends. When I started at a new job and was exchanging numbers with coworkers, they would appear as a suggested friend within 24 hours.
My doctor also showed up as a suggestion. I figured either the office phone number was linked to his FB page, or FB was scanning my calendar events and linked me to him that way.
I regularly have people show up on my "People You May Know" that have no mutual friends with me, and I don't know them so they certainly don't have my email address or phone number. Oftentimes it's people who went to the same university as me, so I wonder if they base it on friends of friends of friends and other less direct connections.
I assume the connector is the doctor - why doesn't she have a work phone with the patient's numbers that she doesn't use Facebook on? Then the chance of patients being connected to one another is dramatically lower.
But will that actually help? I could easily imagine Facebook matching people who have shared contact numbers, even if the contact number shared is not associated with an account. Possibly they don't do that to try to avoid this situation.
I think this issue requires action from Facebook. The minimum they should do is allow numbers to be registered to be not used for making connections. Much better would be for them to be more explicit about what information they are collecting (with sufficient guidance that the user understands that medical privacy can be affected) and allow users to not send them that information in the first place. I can't imagine them doing that voluntarily, though.
If she is allowing Facebook to view patient's phone numbers in her own phone, this may be a punishable HIPAA violation, and is obviously completely inappropriate.
What's also just as likely is that patients are allowing Facebook to view the contents of their own phonebooks (which they are certainly free to do, unless of course, they're medical professionals with patient information as well...). Facebook sees that these dozen people have the same contact number, and recommends that they all friend each other.
"When Lisa looked at her Facebook profile, she was surprised to see that she had, at some point, given Facebook her cell phone number. It’s a number that her patients could also have in their phones."
Ironically, before it lets me read this story the site pops up a "LIKE US ON FACEBOOK!" prompt. I'm pretty sure once I do that all you fellow article-readers will be my next friends.
She lives in a small town, she specializes in treating a small subset of that population. It is quite possible the patients were recommended as friends as coincidence, not having anything to do with her.
"Most of her patients are senior citizens or people with serious health or developmental issues, but she has one outlier: a 30-something snowboarder. Usually, Facebook would recommend he friend people his own age, who snowboard and jump out of planes. But Lisa told me that he had started seeing older and infirm people, such as a 70-year-old gentleman with a walker and someone with cerebral palsy."
One outlier hardly establishes a pattern, it is still reasonable that the connection to Lisa had nothing to do with these suggestions, and that there was something else in play.
I'm not arguing that any pattern exists- I am merely arguing that we don't have enough information to demonstrate conclusively that Facebook is recommending these people as friends simply because they are all Lisas patients. Such a pattern may be probable, but there simply isn't enough information to come to a conclusion.
I don't suppose I feel it necessary to reach absolute incontrovertibility on this matter, given Facebook's longstanding history of doing things very like it, but find mere strong preponderance of likelihood to suffice. But I understand that some may feel otherwise.
Facebook must understand how weird that sounds. How can they not know why people are recommended to each other?
They really do need to dig into the issue, if in fact they don't know. Because something seriously need to be excluded from their recommendation algorithm if the article is true.
She can't reveal the patients to them, so Facebook wouldn't be in a position to give a specific reason -- only generically how the algorithm is calculated.
In fact, they can expect very serious investigations throughout Europe if someone complains about it to their local information commissioners or equivalent here.
If they are in fact sucking in contact details from users phones and using them for matching and recommendations, that would seem to be something that would be serious enough to likely require express consent (in other words: users taking an explicit action, rather than being "opted in" implicitly by agreeing to a TOS or similar) under EU data protection regulations.
Not a lawyer, but I'd be surprised if there isn't one or more data protection violations lurking in there somewhere.
not surprising really, I have often written software, returned a decade later and had to unravel why it does what it does, even though I am one person and it's just a few thousand lines of code, I can well imagine the FB system is too complex for any individual to inspect, and if the record keeping and documentation on the whys as well as the hows is incomplete then we are we are...
Technical question: does anyone know if FB can easily answer why X was recommended to Y? That is, do they have to manually check or can they query this easily and get the precise answer why a recommendation was presented(for example: the reason why X was recommended to Y on date d, cannot be that X is connected to Z and and Z to Y, if X connect to Z on d+1; I assume bad inferences like this will probably happen often if such questions are answered manually).
But I'm still a paranoid lunatic because I don't want to smear my picture all over the web and give my every scrap of data away for the dubious benefits of Facebook or Twitter...
Talk about blowing something simple out of proportion.
All these people have one friend in common with this person, maybe they know each other as well? Being a psychiatrist or whatever has nothing to do with it.
EDIT: I stand corrected. Not so simple regarding where they get the "potential friendship" data from. Diagonal reading mistake on my part.
I'm not sure how they get it at all, except via contact list mining. It makes sense that the doctor's phone number is part of her Facebook account. It does not make sense that her patients, who have not added her as a "friend" there, would nonetheless have explicitly told Facebook her number from their end. (I don't even think that's a thing you can do.)
Facebook will happily slurp your entire contact list even if you're not FB friends with all of them. And the algorithms almost certainly know and take into account having someone in your contacts as a way to build a graph of relationships.
Exactly. And, of course, there is not even a way to flag some contacts as private, or otherwise to be excluded from social graph analysis.
I mean, I guess you could keep those contacts in a note or some other record outside your contacts list, and just tap to call or email or whatever. But that only works as long as the Facebook app doesn't decide it needs access to that kind of record, too. And when you find yourself going that far out of your way to circumvent something that's installed on your phone, maybe it's time to think about whether that thing is more trouble than it's worth.
For several official numbers (local taxi company, local police station, local pizza place) I've been random people's names and facebook profile pictures be added to the phone contact where the app has been installed and asked to sync "profile pictures to contact list". This must be people on facebook that jokingly puts in one of these well known phone numbers in their profile, but these strangers then start to appear and take over otherwise reasonable "local pizza" type phonebook entries on completely unrelated people's phones...
Install it on your phone? Anyone you have in your phone's address book gets to see your picture under "people you may know".
Someone in your family joins Facebook and friends you? Now everyone you are friends with gets prompted about whether or not they know your family member.
Want to delete some pictures you uploaded to Facebook? It's extremely difficult and they must be deleted one by one.
Other than LinkedIn, I'd say FB is the prime innovator of UI dark patterns that exploit users' unwitting behavior for profit.
The youngest generation of internet users gets this which is why they largely do not use Facebook. Soon they will realize that IG and Whatsapp are connected, and will avoid those too.
What's interesting to me is that the recommendations are fundamentally not useful. It's easy to look someone up by searching for their name without the privacy-invading helpful suggestions.