On Friday, and again on Monday, Facebook told me that it uses smartphone location data to recommend new friends to its users. After I reported this, lots of people said that this explained why certain people had popped up in their “People You May Know” box on Facebook.
But on Monday night, after lots of negative feedback, Facebook reversed course. A spokesperson told me that the company had dug into the matter further and determined that “we’re not using location data, such as device location and location information you add to your profile, to suggest people you may know.”
I have reportorial whiplash. I’ve never had a spokesperson confirm and then retract a story so quickly. So here’s how we got here.
Last week, I met a man who was concerned that Facebook has used his smartphone location to figure out people he might know. After he attended a gathering for suicidal teens, Facebook recommended one of the other parents there as a friend, even though they seemingly had nothing else in common but being in the same place at the same time. He asked me whether Facebook was using location to figure out if people knew each other.
I was skeptical, because that seemed like such an egregious violation of privacy. On Friday, I emailed Facebook:
“A Facebook user told me that he attended an event last week with people he’d never met before. The next morning, one of the people at the event came up as a suggested friend. They had no other ties beyond being in the same room the night before. Could their shared location have resulted in the suggestion?”
A spokesperson responded, saying that location is one of the signals for “People You May Know.” I was surprised, since this could lead to all kinds of negative outcomes—unmasking strangers, for instance, who wanted to stay anonymous at a gathering for alcoholics. Security technologist Ashkan Soltani pointed out that using shared phone location to figure out people’s real-world associations was a technique used by the NSA, as revealed in 2013.
I called the spokesperson on Monday morning to talk about those potential negative outcomes, whether Facebook disclosed in any way that it was using location for friend suggestions, and what users could do to prevent this from happening. The spokesperson said that location alone would never result in a friend suggestion, and sent me the following statement:
“We often suggest people you may know based on things you have in common, like mutual friends, places you’ve visited, or the city you live in. But location information by itself doesn’t indicate that two people might be friends. That’s why location is only one of the factors we use to suggest people you may know.”
Thus I reported that “Facebook is using your phone’s location to suggest new friends—which could be a privacy disaster.” The story garnered lots of negative feedback, with people upset about Facebook using their location information this way without telling them.
Then, on Monday night, the Facebook spokesperson reached out again, saying the company had dug into the matter and found that location isn’t currently used. She sent an updated statement:
“We’re not using location data, such as device location and location information you add to your profile, to suggest people you may know. We may show you people based on mutual friends, work and education information, networks you are part of, contacts you’ve imported and other factors.”
We do know that Facebook is using smartphone location for other things, such as tracking which stores you go to and geotargeting you with ads, but the social network now says it’s not using smartphone location to identify people you’ve been physically proximate to.
If Facebook were using smartphone location that way, it may well have violated its agreement with the Federal Trade Commission, which requires that the company get affirmative consent from its users to use their information in new ways and requires the company “to protect the privacy and confidentiality of consumers’ information.” Outing users’ identities to strangers because they were near each other for an extended period of time might be frowned upon.
As for how Facebook is able to figure out people we know with whom we’ve only shared physical space, that remains a bit mysterious. There are other ways that they could divine this information beyond using your phone’s GPS coordinates, such as looking at shared use of a wireless network or looking at the IP address you are signing in from. IP addresses can be geographically mapped, sometimes precisely and sometimes imprecisely. The FTC recently fined a mobile advertising company $4 million because it was figuring out the location of people who had not given it location privileges by looking at the wireless networks they were near.
To know for sure, Facebook would need to spell out the “other factors” that go into their suggestions for people we may know. But for now, the company considers that proprietary information.