As you know, Facebook have a long, storied history, including several ongoing brushes with the Privacy Commissioner of Canada, and despite repeat warnings against abuse of end-user rights, they recently deployed facial recognition software with no notice given their 500,000,000 users.

Today, however, was the straw that broke the camel's back. Unbeknownst to me, perhaps by way of their new 'Facebook Messenger' [update: actually, by way of Facebook's iPhone app.] they have uploaded the address books of hundreds of millions of users' mobile phones.

I found the home, private, business and mobile telephone numbers of 700 friends, colleagues, co-workers, and associates (Facebook users or not) published on their site [update: on my account only – at least, for the moment, but nonetheless up on Facebook] – I never agreed to this, I never knew about this, and it was only by way of the Sophos blog post below that I discovered this.

To check to see if you have had the same unfortunate thing happen to you:

  1. Log into Facebook
  2. Click on Account (upper RH corner)
  3. Click 'edit friends'
  4. Click 'contacts' (LH side)

(There is the option to disable this feature. Turn OFF synching on your mobile phone, then go here)

update: CAUCE Director Matt Sergeant had this to say on his blog – he nails exactly what is wrong with this:

Addressing the latest Facebook privacy issue

(This is a non-work post, but Disclaimer: I work for Symantec and regularly talk publicly about security issues)

There’s been lots of talk today online about the latest Facebook privacy debacle whereby they have all your cell phone contacts listed on your “Contacts” page.

Facebook have been trying to quiet the storm, as people are posting to their status updates for people to disable this.

First, to combat some FUD: Facebook is not sharing this information from you with your friends. Your buddies aren’t going to be able to call up your Grandma.

But what Facebook have entirely ignored, and why this is again an issue, is the question of permission.

I have two phones. One is a work phone (BlackBerry), and one is my personal iPhone. The only phone the contacts I had listed on Facebook came from is my BlackBerry, which is good, because I have a lot of random old numbers in my iPhone (don’t ask!).

So what happened here? I believe that the latest BlackBerry Facebook app (which recently underwent a major upgrade) automatically set the preference to sync contacts with Facebook. Now it may very well have been in the multi-page user agreement that I accepted, but yes I admit, I don’t read those things. And those agreements don’t even appear on the iPhone version, because, and here’s the fundamental difference I guess: the iPhone version doesn’t transparently change your preferences.

Facebook needs to stop that. I don’t care if it’s useful, or if you’re not sharing it with anyone else. I don’t want you uploading my contacts to your servers without ASKING me first.

It’s that simple. And this is why there are laws against what they have done in various countries, and why this will probably result in yet another lawsuit against them.

Rant over.

CAUCE are stunned by this move; it is beyond the ken. We will be calling upon Facebook to remove this facility immediately (it should always be opt-in by default, as should ALL end-user options) and failing that, filing complaints with the proper authorities.

See more: http://nakedsecurity.sophos.com/2011/08/11/has-facebook-got-your-mobile-number-now-your-friends-do-too


Neil Schwartzman
Executive Director
CAUCE : The Coalition Against Unsolicited Commercial Email