If you’ve used Facebook on your mobile phone before, then you probably have also used at least one mobile app that requires access to your email address. The only problem is, there’s a bug that causes Facebook to return your 10-digit phone number instead, and it took a solid nine months before the team finally decided to resolve the privacy breach.
A report of the phone number issue was brought to Facebook’s attention as early as June of last year and was posted on the developer site, where it was immediately confirmed as a bug. According to the report, instead of receiving the expected properly formatted user’s email address via the graph API, at least one of a thousand queries return a 10-digit phone number.
Other app developers have actually experienced a higher frequency of this bug. The American Legacy Foundation, the non-profit org behind Ubiquitous, reported that they were retrieving one phone number for every 200 queries.
Though the bug is now completely patched, there really is no way to know if app developers who’ve encountered this bug in the past actually used the information exposure to their advantage by calling up users on their phones (or harvesting and selling that information to phone list services). The fact that the social networking site twiddled its thumbs for nine months while this bug remained unresolved gives privacy die-hards more reason to believe that Facebook, rather than help you protect your personal information, is secretly selling it to the highest bidder.
Graph Search, Facebook’s latest feature that lets users search their friends’ data using simple, specific phrases (like ‘photos my friends took in New York City’), is apparently also a potential threat to users’ privacy. Here’s to hoping that Facebook watches this new tool’s activity like a hawk before it gets out of control (like, before “frenemies” in your circle sift through your old posts using cleverly phrased queries and find out details about your life you thought were safely under the radar).
Looks like there’s more to this story that we didn’t know. The report we read as basis for this article had some of the details wrong, so we’d like to apologize and issue this correction:
According to Fred Wolens, Facebook Policy Communications, any FB user could sign up to Facebook with either an email address or a phone number, and if that user decided to not give an email address, “in keeping with the users privacy we provided the phone number since this was the piece of registrant information used”. Also, users are given ample warning by applications before sharing personal information, and in the case of giving out a phone number, it may be called an email address (in the absence of one). The real bug is the mislabeling of the API call, calling a phone number an email address. It has been corrected.