This is really, really creepy. Facebook is redefining online stalking again.
So MSN is shutting down, and since I don't like Skype for chatting, I thought Facebook chat might be a good replacement. Skype does not offer XMPP or any other way to interface with their network, so clients like Pidgin are not going to support it. In fact, Microsoft is actively preventing third-party clients from interfacing with Skype, whereas with MSN they mostly left them be and sometimes even helped out.
Facebook is taking another approach. There is a Facebook plugin for Pidgin, and even an XMPP interface to the Facebook chat network. Since just about everyone has Facebook (at least everyone that's not on Google+), it would be a great solution to remain in touch with everyone.
I don't trust Facebook much, but I trust them just enough not to publish all my chat messages. Since that's just what I plan using it for, it should be okay.
Yesterday I signed up for Facebook. I spent twenty minutes configuring privacy settings, added one friend as sort of a "beta" member to try things out. See what he could see on my profile (such as my friends list) and what not.
Facebook immediately started recommending people from his friends list, none of whom I knew. All just fine.
Then I wanted to setup Facebook chat in Pidgin. Apparently this required having a username, and a username required verifying my account. The only way to do this is by text message, so I reluctantly entered my phone number. It's prepaid, unregistered, and I never publicly posted it anywhere, so I figured it was fine.
I change my password, change it back, and now chat works. Apparently that was needed.
A day passes.
Today I open Facebook to see that the friend accepted my friend request. Next thing I see are "people I might know". These are, in order:
- My two cousins
- A friend
- An acquaintance
- My grandmother
And the list goes on.
I scroll down, stunned.
A couple hours browsing while being signed in to Facebook, is that it? It can't have been my e-mail address this time, not everyone has it in their contacts list on Hotmail (like always, Facebook offered to find friends by signing in to Hotmail, which I rejected, but others still might have done this), nor is everyone who has me in their contacts on the "you might know" list. It doesn't make sense
The personal details that I shared with Facebook were:
- The same profile picture as I use here and for my MSN profile
- My first name
- That I'm male
- My phone number
- A link to my Google+ profile
- My IP address that has been the same for years
With these details, it's impossible to put the list of "you might know" people together as it is. I've read through the entire list, but it just doesn't add up. Facebook probably used multiple pieces of information, but then there are some people I'm missing. What about my other two cousins? They have my phone number and my e-mail address. And Facebook uses both, because:
- The only way to know that I know my grandmother is by e-mail address*.
- The only way to know that I know this acquaintance is by phone number.
* And even finding people I know by e-mail address is a stretch. The email address that I used on Facebook ended in @lucb1e.com
, and my MSN address started with lucb1e@.... Facebook must have searched the database of all MSN contacts from all users, and matched the second-level-domain (lucb1e) with the user part of their email address database. The only alternative is scraping my Google+ profile from the link and parsing "lucb1e hotmail (dotcom)" to the actual address. Looks extremely easy, but a computer wouldn't figure this out unless someone spent hours adding parsing rules for addresses. I thought my format was fairly unique.
So the two remaining cousins double-match, but they don't show up. It seems unlikely that they both chose not to let Facebook look for friends in their contact list, and
both didn't allow Facebook to read their address book on their phone. They both have a smartphone. In fact, there are lots of people I'm missing that could have been matched in various ways. What information did it use that I don't know of? Does it randomly leave people out of the "you may know"-list just to obscure its methods or make it seem less creepy?
I'm really creeped out. Should I close the Facebook account again? Where did it get this information? Is it even legal to trick millions into violating Dutch privacy laws, which prohibit people from sharing personally identifiable information such as my phone number or email address? How do I get my information removed? What does this mean for other websites, could they also know everything already?