Facebook Using Physical Location to Suggest Friends

This could go badly:

"People You May Know are people on Facebook that you might know," a Facebook spokesperson said. "We show you people based on mutual friends, work and education information, networks you're part of, contacts you've imported and many other factors."

One of those factors is smartphone location. A Facebook spokesperson said though that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks.

"Location information by itself doesn't indicate that two people might be friends," said the Facebook spokesperson. "That's why location is only one of the factors we use to suggest people you may know."

The article goes on to describe situations where you don't want Facebook to do this: Alcoholics Anonymous meetings, singles bars, some Tinder dates, and so on. But this is part of Facebook's aggressive use of location data in many of its services.

BoingBoing post.

EDITED TO ADD: Facebook backtracks.

Posted on June 28, 2016 at 6:56 AM • 34 Comments

Comments

Slime Mold with MustardJune 28, 2016 7:43 AM

Hell, let the NSA sell its data too. This horse is out of the barn and over the mountains. Might as well get a stud fee.

Michael PJune 28, 2016 7:53 AM

Facebook wants users to let them have access to location data, so they pitch it as enabling features like this. What Facebook really wants location info for is "Advertisers You May Know".

JimJune 28, 2016 7:54 AM

The whole "people you may know" thing is kind of creepy. I once had Facebook suggest a person who had died not long before the friend suggestion. It was probably based on our mutual (though unbeknownst to either of us) interest in a local organization. Interesting thing is that this was a person I worked with briefly, whose position I was going to fill after she retired (she died before she could retire), and who I couldn't stand (very stand-offish, kept all the information I needed to take over her job to herself, not the least bit friendly or personable), and who I never in a million years would have "friended" on Facebook.

Mike BarnoJune 28, 2016 8:18 AM

It's not just Facebook. Last year LinkedIn (based on importing my Gmail contact list) suggested my mother, who had recently died and who never joined LinkedIn.

So it wasn't a difficult decision to remove myself from LinkedIn when it was announced that Microsoft was buying it.

vwmJune 28, 2016 8:51 AM

Lots of speculation in that article. I find it quite hard to believe that Facebook matches people who happened to be in the same location for some time. That would generate an awful high number of false positives. Think of all the people in shops, public transport, office buildings, bars...


It would be interesting to know whether the anonymous persons at the event did "check-in" to the event. Maybe via some auto check-in feature?

Also it would be interesting whether those anonymous persons did actually have some common friends, common memberships in groups etc.

It might be not as spooky as it sounds.

Still, I have to admit, that I do not use social media Apps but rather the web frontend, to keep control on what kind of data (contacts, location, etc.) to share and not to share.

SasparillaJune 28, 2016 9:27 AM

The simple answer is do not install the Facebook App, ever. If you have to go onto Facebook, then do so with a dedicated browser that you use for nothing else (except maybe LinkedIn if you have to go there) as they try to track and log wherever you go on the web.

Facebook strip-mines your personal data for their monetary gain, has a history of making bad moral judgements flowing down from their CEO (i.e. part of their corporate culture IMHO) and is probably one of the best friends the 3 letter agencies could have.

Bumble BeeJune 28, 2016 10:06 AM

Lol that's hilarious. I happened to be in Detroit the other weekend (posting on this very forum) when they had some kind of gay pride parade going on downtown, (the same weekend there was that shooting in Florida, in fact, now that I remember.) I must be somewhat an androgynous person, because a bunch of ladies with weird purple and pink dyed hairdos were flirting with me, which made their male cohorts extremely jealous, humans being humans, and human nature being what it is, "LGBT" or not, ... but I wasn't really all that interested in them because in my experience people with purple or pink hair tend to do drugs and hang out at Whole Foods, as if natural foods could somehow mitigate the damage drugs do to the body and mind, and anyways the damn coffee they serve at Whole Foods, if it isn't 10x caffeinated or with cocaine, is spiked with rohypnol or just plain old alcohol or all that shit together, and I just don't want to hang out with those people.

Not to mention some crack-addicted guys in Flint were yelling "Faggot!" at me and shooting at me and I just don't need that shit in my life and if people are so damn proud of their sexuality like they haven't anything else to be proud of, (but the drugs they do,) well, they're all a bunch of sex offenders to boot, and I really don't want to hang out with them, and anyways there's a better grocery store in Mexicantown Detroit.

So life's great, birds chirping in the trees and salmon leaping in the Flint River and alive to see, hear, and appreciate.

albertJune 28, 2016 10:27 AM

@vwm,
"...That would generate an awful high number of false positives..."
LOL
Do you think fb gives a rats ass about false positives?


@Bumble Bee,
Are there still lifeforms in the Flint River?

---------

Just as folks get the kind of government they deserve, so do they get the kind of 'social' media they deserve.

. .. . .. --- ....

FreemanJune 28, 2016 10:29 AM

Facebook also uses your phone number to determine your possible friends.

I have closed an account associtated with a phone number a few years ago, then I have created a new account last month, using the same phone number to activate the account creation (I used a different email and all).
Ever since then, I was getting emails suggesting people who were in my friends list all that time back before I closed the account.

This might be a problem, due to the fact that phone numbers are not life-long (even if they might seem so). In case someone else had been assigned my phone number (in case I stopped using it), that person would get suggestions of possible friends, all of which are directly connected to the previous phone owner - aka me.

blakeJune 28, 2016 11:42 AM

@albert

> Do you think fb gives a rats ass about false positives?

Yeah, FB really likes false positives, because it can activate that "no you got this wrong!" part of the brain which leads people to correct FB and provide them with more accurate data.

But, that's not really your point, I know.


A more security based comment: this is apparently a boon for stalkers - you'd only have to spend time in the same sorts of places as whoever you're stalking, join a FB fan group for that band you overheard them talking about, and after a while FB will *offer* you their contact details. Maybe much more than that if parts of their profile are public.

Bumble BeeJune 28, 2016 12:47 PM

@albert

Re life forms

Sure. I just saw a guy bowhunting fish in the Flint River. He had a hunting bow and some sort of spearheaded arrow with a string attached so he could retrieve it in case he did catch anything.

Must not be any law against bowhunting (or bow fishing) while high on cocaine...

lessismoreorlessJune 28, 2016 1:23 PM

You can deny location access to Facebook on Android (at least in Lollipop and Marshmallow). There is no need for location permission to use the app , unless you need location data for checkin/photo (but even then as long as you know the name of where you are you can type it in and choose from the known results).

FB messenger also tries to ask for your location (like a petulant child actually, ie very often), but once again just deny location permission for the app. If you really need to share your location with someone, open Google Maps and send the co-ordinates.

These apps really get greedy for things that are really only needed at discrete points in time...Yes once in a while I would like to share my current location with a friend I'm trying to meet. FB takes this one event and decides that FB messenger needs location access all the time. Instead it could easily just temporarily turn on location permissions for the app when I ask for it.

Mr. HappyJune 28, 2016 1:32 PM

Bumble Bee, I hate to harsh your all-natural buzz, but those aren't salmon leaping in the Flint River. They're Asian carp. At this point, it wouldn't matter if bowhunting with tactical nukes was made legal. Game over for the Great Lakes in 3... 2...

But don't worry, some asshole in Silicontits Valley will build an "app for that".

Bumble BeeJune 28, 2016 2:27 PM

Re Mr. Happy

No buzz. No harsh. Some sarcasm, sure. Faggotry overflows in Silicon Valley. They think what "straight" people don't know won't hurt them.

I'm sick of the hypersensitivity over micro-insults and people who can't take rejection without retaliating with a bullet. It's never your right to rape the object of your sexual passion or stay "in the closet" when your attempts fail. And you people wonder why so many businesses and organizations hate the IT department with such a passion. (Hint: #1, their porn addiction.)

JeremyJune 28, 2016 2:32 PM

The article has been updated to say that Facebook is NOW claiming they do NOT use your location (after confirming twice that they did).

There is no explanation offered for the anecdotes where it looked like they did.

YankeeJune 28, 2016 6:06 PM

@Freeman, Hey that's great! Say the guy gets murdered and his phone number gets picked up by a retired police detective. He's bored and/or disgraced and/or paraplegic from heroism, so he makes fb-friends with the recommendations (including the murderer, obvs.) and ... dot dot dot. Updating Rear Window. Gonna do a script treatment here, don't tell anybody.

e4thuJune 29, 2016 12:59 AM

@Sasparilla "The simple answer is do not install the Facebook App, ever. If you have to go onto Facebook, then do so with a dedicated browser"

Great point. Facebook can do a lot more invasive data mining in an app than in a web browser. Why install proprietary apps that have access to many parts of your device (mic, camera, accelerometer, contacts, photos, location, ad UID, system info, etc) when you can do the same tasks in a browser? The apps are equivalent to spyware. By switching to a browser, you become immune to Facebook's app-shenanigans because a browser can't do all those things. The browser doesn't even need to be a dedicated one, although that would certainly help.

65535June 29, 2016 1:51 AM

Here is Emptywheel’s take on the facebook location matching:

“Facebook is not using locations you mark for yourself (so if I said I was in Grand Rapids, they wouldn’t use that to find new Grand Rapids friends for me). But it’s not really clear what they mean by “device location.” Determined by what? GPS? Cell tower? IP location? Wifi hotspot colocation?

“Which got me thinking about the way that federal law enforcement (in both the criminal and FISA context, apparently) are obtaining location data from social media as a way to tie physical location to social media activity. Doing so with Facebook would be particularly valuable, as you could target an event (say, a meeting of sovereign citizens) and find out who had attended the meeting to see whose location showed up there. The application would be even more useful with PRISM, because if you were targeting meetings overseas, you wouldn’t need to worry about the law on location data.” –Emptywheel

I think Facecrook's triple "explanation" is self-indictment of their word games.

https://www.emptywheel.net/2016/06/28/facebooks-flip-flop-is-it-a-law-enforcement-thing/#comments

Senator Wyden has put a spanner in the language slipped into Intelligence Authorization bill which allows the FBI complete freedom to spy on all Electronic Communication Transaction Records with zero court approval. That would probably apply to Facecrook’s chat and location logs.


“…Ron Wyden has placed a hold on the Intelligence Authorization in an attempt to thwart FBI’s quest to be able to obtain Electronic Communication Transaction Records with just a National Security Letter.”-Emptywheel

“…unfortunately, the FBI’s track record with its existing National Security Letter authorities includes a substantial amount of abuse and misuse. These problems have been extensively documented in reports by the Justice Department Inspector General from 2007, 2008, 2010 and 2014. As one of these reports noted, “the FBI [has] used NSLs in violation of applicable statutes, Attorney General guidelines, and internal FBI policies.” No one in the Senate should be surprised by this pattern of abuse and misuse, because this is unfortunately what happens when federal agencies are given broad surveillance powers with no judicial oversight.”- Wyden

https://www.wyden.senate.gov/news/press-releases/wyden-places-hold-on-intelligence-authorization-bill-that-needlessly-expands-fbi-surveillance-undermines-independent-oversight

Good for Sen. Wyden. He is practically the only senator standing up to the FBI and blocking them.

Mark SuckerburgJune 29, 2016 1:57 AM

Facebook also don't spam people repeatedly with emails every few months after they have been asked repeatedly to delete users email address from their database... yeah right. They have been using location information for years and they don't need to always rely on a smartphone to get that info or your school records, or electoral roles... Yes you keep posting it...

Criminals don't need you to join facebook to rob you when you're out, most likely your phone provider is providing them with your phone number via a modified header and that is just as good as facebook in providing the right time to rob your home or other nefarious activities, but it does sure help when you post pictures of stuff they can sell for crack.But heck, why would you be worried about your privacy Joe Public, you don't think you do anything wrong, you're just ignorant and that can't be helped I'm sure.Now quick upload some more pictures of your house as someone maybe looking for a new TV and a new kidney.

Roger ReynoldsJune 29, 2016 2:41 PM

As a security professional, my initial take on facebook geolocation was negative.
However, my mind change when my son called me and was incoherent on his cell phone saying he felt something was wrong and he couldn't tell us where he was - we told him to call 911 and he hung up and thereafter did not answer his cellphone.

We called 911, asked for assistance which was denied - we were told he would have to call 911 and they had no record of a call from his mobile. My son's cell phone is in my name with the TELCO, and they refused to ping the phone to get a tower approximate location due to 'privacy concerns'.

Worst case scenario for a parent.

Then, we had an idea - his brothers were friends on facebook. They hopped in their cars and started driving towards where the 'distance' kept reducing. We finally isolated to a 3 mile radius near downtown fort worth which was about 28 miles off of where he should have been.

We then checked hospitals in that area (where he shouldn't have been) and yes, he was in the ER.

Happy ending, thank you facebook for geolocation services. I still have reservations about privacy and geolocation services, however, they *can* be useful.

Security issues:
* As the authorized owner of the service, i should have been able to ascertain the equipment location - the carrier disagreed.

booJune 29, 2016 6:09 PM

@Jeremy

One possible "explanation": "NOT" means "NOT ANYMORE (we stopped earlier today!)"

save me!June 29, 2016 6:20 PM

@Roger Reynolds

I initially disagreed with the declaration of a new form of government the other day, but it's sure come in handy when I almost died the other day, and I was friends with the dictator, and he could just wipe away all the red tape and save me with one swift edict....

After all, saving me is absolutely more important than the holocaust that followed.

Dirk PraetJune 29, 2016 6:23 PM

@ e4thu, @ Sasparilla

By switching to a browser, you become immune to Facebook's app-shenanigans because a browser can't do all those things.

But it will still not stop them from collecting troves of data about you, irrespective of whether or not you even have an FB account. Everything Facebook is blocked on my home network, full stop.

Somewhat related: Facebook crushes Belgian attempt to ban tracking of non-users. A Belgian Appeals Court today saw fit to reverse a previous ruling to kill DATR tracking cookies within 48 hours for people not signed up to – or logged into – its service, the main argument being that it had "no jurisdiction" over Facebook Ireland and that the Belgian Privacy Commission has to address the issue with Facebook's European headquarters in Ireland.

Now this kind of felgerkarb is exactly why increasing numbers of Europeans are becoming skeptical about the EU, globalisation, TT(I)P and the like.

CuriousJune 30, 2016 3:30 AM

@65535
Having looked at emptywheel's blog, I suspect that the use of the phrase "device location" could be abused or cause misunderstandings if ever used in a boilerplate response to the media: in the sense of 'device location' meaning nothing other than presumed 'location of the device'.

It would not surprise me if maybe Apple thinks that making presumptions about the location of any device, is totally ok.

RekazaJune 30, 2016 6:02 AM

The question is what advantage would a dedicated browser for facebook use offer, over a browser using some sort of incognito/private mode?

CallMeLateForSupperJune 30, 2016 8:47 AM

@ fellow critics of FB

"...Facebook... has seen a reduction of 21% in “original sharing”, users making posts about their own life. As people have become more aware of the downsides of sharing personal details publicly, it seems that they’ve stopped sharing altogether. [...] But at the same time, it relies more on network effects than most social networks.
[...]
"So it’s perhaps unsurprising to find that gradually, the highest tier of privacy settings have been removed by Facebook. You can still hide individual posts, but your Facebook account itself is now public, whether you like it or not.

"How do I know? Because my own Facebook presence has been fully exposed to the outside world with no warning or control."

https://www.theguardian.com/technology/2016/jun/29/facebook-privacy-secret-profile-exposed

The final section, "Update" is probably helpful to FB-ers. Personally, I found it amusing because it illustrates that the ancient art of hiding controls deep in layers of menus beneath an illogical root menu is still used. :-)


Just say "NO" to Facebook. (Mister Yuk sticker here, for emphasis)

SJJune 30, 2016 8:58 AM

I had something slightly odd happen to me. It wasn't location-based, but it did involve FaceBook discovering that I had interacted with another person outside of the FaceBook ecosystem.

From memory, the sequence of events was close to:

(A) I had a profile on a dating website
(B) One potential date that I met had lots of online conversation, and we tried to plan a meet-up
(C) During the plan for the the meetup, we shared phone numbers via the dating-website communication.
(D) I didn't have full name, so I entered "DatingSiteHandle DatingSite.Com" in my electronic phonebook, with the new number
(E) The meetup happened, but no second date ever happened.
(F) A month later, FB suggested that I be friends with someone who looked familiar...then I realized that the person had used the same ProfilePhoto on the dating site and on FaceBook.

My suspicion is that FB has permission to see the electronic phone book on my smart-phone.

AA MemberJune 30, 2016 11:26 AM

Turn off location services for the Facebook app. People are giving Facebook information about themselves and are all up in arms when Facebook uses that information. Just don’t give them the information in the first place. At least on iOS, the user had to explicitly give Facebook permission to acquire their location.

I wonder if the original author is familiar with AA meetings. As an AA member, I am friends with my fellow AA members, and becoming friends is a great way for a newcomer to establish a sober network. It’s also somewhat of a myth that we do not use last names. While different areas are more sensitive to this, we often use last names in meetings. After all, we are not anonymous to each other, simply at the public level.

I know this doesn’t take away from the article any—I just had to rant because it’s so tiring when people who know nothing about AA use us in their “privacy” examples.

rJune 30, 2016 2:36 PM

@AA Member,

Unfortunately, brother (or sister) location as data can be mined from other sources readily. Yes, by installing the application you give the application permission to 'goto the source' but even using my laptop I've seen suggestions based on the network I've used e.g. a certain McDonald's etc. There's only a few ways to protect yourself from that (Tor, VPN, Proxies in general) and there are downsides to using such technology as it raises the question 'what are you trying to hide?'. Worse yet: are the networks of sensors deployed at malls across America that have been engineered to identify and correlate your device's self-identifying features with it's owner's purchases.

There's a very large dragnet out there waiting eagerly for us outside.

Not-So-AnonymousJuly 1, 2016 6:01 PM

Facebook is evil. I have seen some very interesting behavior from the web version, involving information it should have been impossible for it to obtain as the information involved is not linked in any way to information FB knows, yet somehow it still obtained it.

My suggestion is sanitize your account, then delete it.

BA_RJuly 3, 2016 12:50 PM

@Not-So-Anonymous
Better yet, over the course of 3 to 6 months proceed with feeding it fake info.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.