Privacy test: How does Facebook read your phonebook?

Mar 11, 2016

Have you ever wondered about Facebook’s ability to find and suggest “people you might know” both accurately and promptly? We at Privaon ran a test to find out for you.

Quite often you and your contacts might have shared some common background details within Facebook, making it reasonable for them to assume that there is a connection between the two of you. However, it is surprising how FB is able to draw a connection between you and your new acquaintances – even when nothing seems to connect you online. In fact, Facebook draws these suggestions based on phonebook contact details. Even without your permission.

There is a simple way to test how the Facebook mobile application accesses your recently updated phonebook and draws FB contact suggestions based on the new entries it finds. Simply add the phone number of a contact to whom you have no previous connection and sit back for a few days. By then, your contact will be included on the list of persons you might know, provided that he/she owns a Facebook account. Now why is this of particular concern?

When doing the above test myself, I refrained from consenting to the FB app accessing my phonebook. After I created a new phonebook entry, FB was quick to show me a pop-up banner on the friend requests page, asking me to “turn on” automatic uploading of new and updated contacts. I did not do so and assumed that my default setting, consequently, must have been “off”.

On the third day my fresh phonebook contact appeared on the FB suggestions list.


Reading into Facebook’s data policy, the company states that it collects contact information users provide if they upload, sync or import this information (such as an address book) from a device. Such action would seem to pertain to clicking the automatic uploading of contacts banner I was shown. Yes, the one I did not click and which implied that I had not permitted FB to upload my information.

The GSM Association’s Privacy Design Guidelines for Mobile Application Development recommend that mobile applications must not surreptitiously access or collect personal information. Specifically, contact details held in a device’s address book must not be accessed by apps unless this is part of their functionality clearly explained to users.

Notice that the journey of any contact detail data collected from your phonebook does not necessarily end with being cross-matched against existing Facebook accounts in order to produce recommendations. What happens to the contact details of people who do not have a Facebook account? No one knows, except Facebook.

When installing and using mobile applications on your phone, it may be worthwhile to have a look at the app provider’s privacy policy. However, often there might be no policy at all, and very rarely one as extensive as those provided by giants such as Facebook. Consumers wishing to retain control over their personal data are advised to keep their eyes open.