by simonduponte 3352 days ago
Factors that contribute to friend suggestions on FB:

1. Facebook tracking pixels on websites (if you visit a website with the pixel, you can be targeted in many different ways).

2. Email. If you have sent or received an email to the doctor, and either of you has associated that email to FB, you can be tracked.

3. Searching on FB, you say it's unlikely for him to look you up on FB, yet there's always a chance that being a family doctor, he might have at some point seen one of your family member's FB and stumbled upon a picture or post in which you were tagged.

4. WhatsApp Contacts. As you know, WhatsApp and FB are part of the same company, hence have access to linked information. If you share certain WhatsApp contacts, a connection can be inferred.

4 comments

Also it might be relevant that FB buys third party data:

http://www.businessinsider.com/facebook-data-brokers-2016-12

It wouldn't surprise me if a credit card payment for a doctor visit might lead to such an association or suggestion.

Ugh. Hadn't thought of that. That means, probably, they are also filling in their social graph for people that have never touched Facebook at all.

Right, the "shadow graph."

I've also noticed other trends to where using a credit card at a store has resulted in receiving postal junk mail from the store I have just used the credit card at. I suspect credit card companies give stores access to your credit card billing address when you use your credit card there.

Protecting against these creeping incursions is certainly a feather in the cap of crypto currencies.

I'm glad you covered the bi-directional aspects of the association. A number of years ago FB had a vulnerability I discovered whereby it was possible to register an account with an e-mail you don't own. Obviously it wouldn't be possible to then verify the account if the owner of the e-mail targeted failed to click on the verify link. To get around this, upon first authenticating with the account after registration it was possible to change the e-mail address to one you own then send a verify request. After verification, it was then possible to change it back to the original e-mail at which point it was verified.

What I found in testing with a few people who never even had FB accounts and for whom I clearly did not import any contacts, etc., was that they fairly immediately received friend suggestions and even requests from people they knew. This was also despite the fact they'd never used the computer or even IP address used in the registration of the account. At the time it helped me prove a point that not participating in social media could be a security problem & to always take social media verification seriously. Obviously FB has since fixed that vector.

This was easy to do as late as 2010. I haven't tried it recently but it was a common attack for quite a while:

https://caseysoftware.com/blog/social-media-for-social-evil-...

At the time a number of us were arguing with FB that it was a vulnerability. How times have changed.

Using the wifi at the doctor's office would be another method of linking. (I know this doesn't apply to the poster, but just giving another method.)

About 2: Email. I don't understand. If I send an email from my Gmail address to his Hotmail address, and both of us use the addresses for Facebook registration, how does that link us? And you say "either", so only one of us uses it for Facebook. I don't get it.

About 3: Maybe he has many links to other people on FB, people in his social circles, one or two or even three steps away. If you have enough of these people, the link is made. And they just show these people, and at some point you see it and all the others go unnoticed, but this one pops out.

>> email

I agree that it's likely not "either" but both email addresses matching, but I'm convinced that some friend recommendations come from Gmail. There's no other way.

I question point 2. Are you suggesting that Facebook reads my email? Have I given them my email password? If not, how? (I ask, because I don't use Facebook).

Sure, if we have each other's email addresses in our contact lists on Facebook, I can see how the connection was made.

In this scenario you don't know if the doctor uploaded their contacts list to FB. You further don't know if they are using a lousy e-mail app that sends usage information to FB, perhaps as part of an advertising integration.