Facebook was warned five years ago that the “reverse-lookup” feature in its search engine could be used to harvest names, profiles, and phone numbers for virtually all its users. But the company ignored the red flags until last week, after it happened.
In prepared testimony to Congress released Monday (PDF), Mark Zuckerberg acknowledged that malefactors had used the reverse-lookup “to link people’s public Facebook information to a phone number.” “When we found out about the abuse, we shut this feature down,” he wrote. He said that Facebook only discovered the incidents two weeks ago.
Zuckerberg is set to testify at a joint hearing before the Senate’s Judiciary and Commerce committees on Tuesday, and then return to Capitol Hill on Wednesday to appear before the House Energy and Commerce Committee. This will be the first time Facebook’s billionaire founder and CEO has ever appeared before Congress. Last fall the company’s vice president and general counsel Colin Stretch appeared at the hearings probing Russia’s election interference campaign.
The hearings are a response to last month’s revelations that Cambridge Analytica, a U.K.-based consulting firm that worked for the Trump campaign, harvested data on as many as 87 million Facebook users without their knowledge.
Facebook revealed the separate reverse-lookup data spill while responding to the Cambridge Analytica controversy.
The issue was that Facebook allowed users to find anyone on the site by entering either their phone number or email address. In 2010, computer science researchers in Greece showed how spammers could use that feature to validate address lists and “craft personalized phishing emails that are far more efficient than traditional techniques by using personal information publicly available in social networks” (PDF).
But Zuckerberg’s written testimony reveals for the first time that it was phone number lookups that were used in the large-scale scraping. That’s a more potent weapon for bulk harvesting, because a data miner can programmatically cycle through every possible phone number to get a complete corpus. With some exceptions—custom privacy settings or accounts with no phone number attached—sequential mining would yield every Facebook profile.
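The bulk harvesting described above has a simple defender-side signature: one client issuing many lookups whose phone numbers step through a range in order. The following is an added example, not code from Facebook or from this article, that scans constructed lookup-log lines (assumed format: timestamp, client address, lookup kind, value) and flags clients that combine high lookup volume with a long run of consecutive numbers.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Facebook logs): "timestamp client kind value"
SAMPLE_LOG = """\
2018-04-01T10:00:00 203.0.113.7 phone +14155550100
2018-04-01T10:00:01 203.0.113.7 phone +14155550101
2018-04-01T10:00:02 203.0.113.7 phone +14155550102
2018-04-01T10:00:03 203.0.113.7 phone +14155550103
2018-04-01T10:00:04 203.0.113.7 phone +14155550104
2018-04-01T10:00:05 203.0.113.7 phone +14155550105
2018-04-01T10:00:10 198.51.100.4 phone +14155550199
2018-04-01T10:00:12 198.51.100.4 email alice@example.com
2018-04-01T10:00:30 198.51.100.4 phone +13125550123
"""

# Assumed log line layout; adjust the regex to the real log format.
LINE_RE = re.compile(r"^(\S+) (\S+) (phone|email) (\S+)$")


def parse_lookups(log_text):
    """Return {client: [phone numbers as ints, in request order]} for phone lookups only."""
    phones = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _ts, client, kind, value = m.groups()
        if kind == "phone":
            phones[client].append(int(value.lstrip("+")))
    return phones


def longest_sequential_run(numbers):
    """Longest run of back-to-back lookups whose numbers increase by exactly 1."""
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_lookups=5, min_run=4):
    """Flag clients with many phone lookups AND a long consecutive-number run."""
    flagged = {}
    for client, nums in parse_lookups(log_text).items():
        run = longest_sequential_run(nums)
        if len(nums) >= min_lookups and run >= min_run:
            flagged[client] = {"lookups": len(nums), "sequential_run": run}
    return flagged
```

The thresholds are starting points; in production the same per-client counters would drive rate limiting on the lookup endpoint rather than only an after-the-fact report.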