Facebook breach: user phone numbers exposed but who's to blame?

The latest privacy breach on Facebook can't be fully blamed on Facebook. This time, users are the ones putting themselves at risk.
Written by Sam Diaz

There's a privacy breach of sorts underway on Facebook right this minute - and it involves your phone number.

But before you go blaming Facebook for this one - and, yes, the company should share in the blame - we, the users, are the ones who deserve a slap on the hand this time. The Los Angeles Times today profiled a new service called Evil, which scours public Facebook pages for phone numbers and then exposes all but the last three digits, along with the person's name and Facebook picture on a Web page.

If you've ever typed your phone number on a Facebook wall, maybe as part of a small group or just to tell a friend to call you, it could be out there for anyone on the Web - even non-Facebook members - to see, depending on the privacy settings in place for that wall.

That's where Facebook's share of the blame comes in. Facebook has once again undermined users' privacy settings, both by making them more complex and by defaulting to opt-out rather than opt-in. Users may not be aware that their wall is set to be visible to everyone - the entire Internet. So when they announce on a Facebook wall that they've lost their phone and friends reply by posting their phone numbers... well, you end up on Evil.com.

The developer, Tom Scott, told the Times that he's not looking to expose the phone numbers but rather to send a message to users that Facebook can't truly be secure until users start acting responsibly about what they post. Facebook can only do so much. On the Evil home page, Scott explains:

There are uncountable numbers of groups on Facebook called "lost my phone!!!!! need ur numbers!!!!!" or something like that. Most of them are marked as 'public', or 'visible to everyone'. A lot of folks don't understand what that means in Facebook's context — to Facebook, 'everyone' means everyone in the world, whether they're a Facebook member or not. That includes automated programs like Evil, as well as search engines... Evil uses the graph API to search for groups about lost phones. It picks them at random, extracts some of the phone numbers, and then shows them here.
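To make concrete how little work the harvesting step takes, here is an added example that is not Scott's code and not from the original article: the live Graph API query is replaced by a constructed JSON dump shaped loosely like a feed response (an assumption about the layout; the data is made up), a regex pulls out anything that looks like a phone number, and the result is masked to all but the last three digits as the article describes. It also shows the defensive side of the same logic: checking whether your own number appears in a public wall dump, using a last-nine-digits comparison that is a heuristic of my own, not anything the page specifies.

```python
import json
import re

# Constructed sample shaped loosely like a Graph API feed response. This is
# made-up data standing in for the live API call Evil makes (an assumption:
# the real response layout and the scraper's own code are not on the page).
SAMPLE_FEED = json.dumps({
    "data": [
        {"from": {"name": "Alice Example"},
         "message": "lost my phone!!!! need ur numbers!!! mine is 07700 900123"},
        {"from": {"name": "Bob Example"},
         "message": "call me on +1 (415) 555-0199 whenever"},
        {"from": {"name": "Carol Example"},
         "message": "no numbers here, just a post from 2010"},
    ]
})

# Loose phone-number shape: optional +, a digit, 7+ digits/separators, a digit.
# The \w guards stop it matching inside longer tokens such as order IDs.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\-\s().]{7,}\d(?!\w)")

HIDDEN_TRAILING = 3  # digits Evil hides: the last three, per the article


def digits_only(raw: str) -> str:
    """Normalise a formatted number to its digits ('+1 (415) 555-0199' -> '14155550199')."""
    return re.sub(r"\D", "", raw)


def mask(number: str) -> str:
    """Show all but the last three digits, as the article describes Evil doing."""
    return number[:-HIDDEN_TRAILING] + "*" * HIDDEN_TRAILING


def harvest(feed_json: str, reveal: bool = False) -> list:
    """Pull every plausible phone number out of a public feed dump.

    Returns one record per (poster, number). With reveal=False the number is
    masked like Evil's page; reveal=True is Scott's 'metaphorical switch'.
    """
    found = []
    for post in json.loads(feed_json)["data"]:
        for match in PHONE_RE.findall(post.get("message", "")):
            number = digits_only(match)
            if not 10 <= len(number) <= 15:   # drop years, short codes, junk
                continue
            found.append({
                "name": post["from"]["name"],
                "number": number if reveal else None,
                "masked": mask(number),
            })
    return found


def posters_exposing_number(feed_json: str, my_number: str) -> list:
    """Defensive use: who has posted my number on this wall?

    Compares on the last 9 digits so '+44 7700 900123' and '07700 900123'
    match despite differing country-code/trunk prefixes (a heuristic assumed
    good enough for UK/US-style numbers; not part of the original page).
    """
    mine = digits_only(my_number)[-9:]
    return [rec["name"] for rec in harvest(feed_json, reveal=True)
            if rec["number"][-9:] == mine]


if __name__ == "__main__":
    for rec in harvest(SAMPLE_FEED):
        print(f"{rec['name']:<15} {rec['masked']}")
    print("posted my number:", posters_exposing_number(SAMPLE_FEED, "+44 7700 900123"))
```

The point of the `reveal` flag is the one Scott makes: masking happens after the numbers are already in hand, so the only thing between a demo and a phone directory is one boolean. Anything a program can read from a page marked "visible to everyone" should be treated as public data, not as something the display choice protects.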

Scott also said that he isn't doing anything that anyone else couldn't do manually - even just by way of a Google search. The service, which Scott developed and is hosting on his own site, is not evil - but it could be. He writes:

It's called Evil, not diabolic. Those digits are publicly available though, and I - or anyone malicious - could easily flick a metaphorical switch and show them here. Or produce a phone directory. Or nick them for marketing. Don't forget, the Facebook pages you "Like" are public too.

By the way, Scott says he's looking for work doing web, video and viral stuff. Hopefully, Evil becomes viral enough for people to go in, delete posts with their phone numbers and be more careful in the future.