Yes, Rogue Marketers Can Steal Your Public Facebook Data

-Email List Scam-A post by the Wired Epicenter blog today suggests that the Facebook contact import tool is a system easily manipulated by rogue marketers looking to expand data within their email list. The article is accurate, however the article is a sensational take on something that has been possible for years. The Electronic Frontier Foundation, an organization which is now fully dedicated to pursuing weaknesses in Facebook’s privacy settings, is of course criticizing this feature.

Does Facebook have systems in place to avoid abuse of the contact importer? Of course. Andrew Noyes of Facebook told Wired, “We’ve developed several systems to detect and block malicious use of the Friend Finder. For example, we don’t allow users to upload contact lists past a certain size. We also block users who upload contacts at an anomalous rate.” The way email marketers could abuse the system is as follows:

  • Email marketers visit the friend finder page using a fake account
  • By clicking on “Upload a contact file” (pictured below), an email marketer can import a marketing list and then view information about any of the users who are on Facebook

-Email Import Abuse-

This method bypasses Facebook’s search privacy settings according to Max Klein, which means a marketer could theoretically access basic information which you didn’t want others to see (your name, photo, gender, location, etc). While Facebook should block the friend finder from accessing the profiles of users who have turned off Facebook search visibility, blocking rogue marketers is a whole other issue. “Rogue marketers” by definition use questionable tactics to get information from users.

Taken to an extreme, they’ll use illegally obtained data (taken through spyware and other sources) to improve the quality of their marketing lists. Should Facebook do as much as they can to protect users from rogue marketers? Definitely. Can Facebook protect users against themselves? Not at all. The privacy loophole should definitely be fixed, but there’s no way Facebook will be able to perfectly protect those users who don’t protect themselves.

The information that these marketers can collect were already made public by the user, they just weren’t accessible through Facebook search. As Wired states, “Users should know that the information exposed in this little hack is not unlike that which is turned over to third-party applications whenever you or one of your friends installs an application, including such things as quizzes to decide what kind of pet you are.” In other words: the data was already public.

Update
Andrew Noyes of Facebook reached out to clarify that this action is a clear violation of Facebook’s terms of service and those accounts risk being shut down. Here’s the full statement: “Collection of information from users requires their consent under Facebook’s Statement of Rights and Responsibilities and we may disable accounts of those found in violation. In addition, we’ve developed several systems to detect and block malicious use of the Friend Finder. For example, we don’t allow users to upload contact lists past a certain size. We also block users who upload contacts at an anomalous rate. We’re always working to improve these systems and others that help protect the privacy and security of our users’ information. Finally, the Friend Finder and data collection restrictions are not new and information the blog post suggests can be obtained either is not something Facebook collects (e.g. ethnicity) or is not available to non-friends by default (e.g. age and sexual orientation). However, we encourage people with concerns to configure their privacy settings appropriately.”