There are many ways in which Facebook might know your phone number. The easiest (and most common) way is to give it to them, by including it in your profile so that your Facebook Friends can look it up when they need to give you a ring.
So your Friends have your number, but that makes sense – after all, they probably already had your number, or could’ve gotten it easily. And Facebook has your number, and while I don’t think it makes sense to “trust” Facebook anymore, I think users can trust in the fact that even Facebook is not so colossally stupid as to do something like sell your phone number to used car hucksters.
But who else has access to your number?
Think no one? Think again. Are you sure that only your Friends have access to your profile info?
What about those Groups and Events – you know, the ones that start “I dropped my phone in a pond, send me your numbers!” Have you posted in them? Do you know their privacy settings? Have the privacy settings changed since you posted?
The ever-entertaining Tom Scott – creator of invaluable Internet entertainment such as StupidFight – has just produced the privacy equivalent of a horror film. It’s called – simply and appropriately enough – “Evil”.
As Scott explains:
This site randomly displays the private phone numbers of unsuspecting Facebook users.
There are uncountable numbers of groups on Facebook called “lost my phone!!!!! need ur numbers!!!!!” or something like that. Most of them are marked as ‘public’, or ‘visible to everyone’. A lot of folks don’t understand what that means in Facebook’s context — to Facebook, ‘everyone’ means everyone in the world, whether they’re a Facebook member or not. That includes automated programs like Evil, as well as search engines.
Evil uses the graph API to search for groups about lost phones. It picks them at random, extracts some of the phone numbers, and then shows them here.
Here is Scott’s screencast of what Evil looks like when it is working:
So what should you do? Scott says:
Go into all the “lost number” groups you’ve ever joined. Ever. Delete your posts. (You might want to try searching for your own phone number on Google, too; it might turn up in unexpected places.)
The thing to remember here is that the fault doesn’t lie with the users. That is to say, the fault doesn’t lie with the users any more than someone can be faulted for stepping on what appears to be a solid deck only to have it collapse under their feet because it wasn’t built to code.
It is patently ridiculous and unreasonable to argue that all of these users wanted their cell phone numbers and names to be accessible to the entire Internet. But that’s what has happened, because of stupid, unsafe, and (indeed) “evil” design.
(h/t Ian Brown and PVN)