Solved

Can Facebook harvest Hard Drive info of non-members

Posted on 2010-08-31
Last Modified: 2013-11-16
A lawyer client of mine phoned with a very serious concern.

He does not have a Facebook account and does not like or is resistant to social networking.

He received a formal-looking email from his brother, which leads him to believe it was an automated Facebook notice that he received after his brother invited him to join Facebook. It said something like: "you may be interested in joining to view photos, etc."

All of that is quite fine so far, no problems.

However, although he made no attempt to join as he is very disinterested, the invitation email showed him 6 pictures and their associated names of clients of his, who are already on Facebook. The problem is, his brother would not have known these people whatsoever, they are contacts of his who are scattered around the world, and he himself made no attempt to join up.

His considerable concern, as a lawyer, is how did Facebook know that these members were friends of his. In other words, did Facebook harvest information such as email addresses from his hard drive without him being a member, without him authorising them to do so, and without him being aware?

He feels that if they can harvest confidential information regarding his clients that it is a huge concern.

Thank you,
Robert.
0
Question by:IP4IT Staff
9 Comments
 
LVL 6

Accepted Solution

by:
radnbne earned 144 total points
ID: 33568257
It would not have harvested anything from his hard drive. It most likely accumulated the data from his associates' accounts if they have used the find friends application. This searches for people based on email addresses and when his brother sent the invite it matched it against the data it already had.
0
 
LVL 10

Assisted Solution

by:pand0ra_usa
pand0ra_usa earned 72 total points
ID: 33568497
Quite possibly the lawyer has not cleared any cookies (flash or normal cookies) and a retargeting firm has been tracking him online. Ad companies have quite a bit of information on you, especially if you let them track you. Facebook probably didn't have anything to do with this directly. Any advertising companies that advertise on Facebook (and the internet in general) build up a profile on people and it doesn't take much to be able to link people together. Alternately, it could be a phishing scam as well. So, I would suggest 2 things: 1 - delete all of the normal cookies on the computer and then delete the flash cookies (via the link below). 2 - delete the email. The lawyer may want to suggest to his clients to do the same.


http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
0
 

Author Comment

by:IP4IT Staff
ID: 33569252
radnbne: How would FB have accumulated data from his associates' accounts if he himself does not have an account, how would FB know who his associates are? Note: these associates are not his brother's associates, as his brother does not know these clients at all.
0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 71 total points
ID: 33569642
Company name matching.  For example, FB user lists 'bob@biglawoffice.com' with 'biglawoffice.com' as his employer.  If the invite is sent to that domain, would likely make that match.

Not knowing the gist of the original e-mail, hard to determine.  Facebook and the companies it shares data with do a fair amount of mining with names, email addresses, company names, alma mater, city of residence, etc.

Sometimes it hits, sometimes not.  When people are not familiar with Facebook's use of private data, it's a little scary.
0

 
LVL 6

Assisted Solution

by:radnbne
radnbne earned 144 total points
ID: 33572239
When a person joins Facebook they have the option to Find Friends using email addresses. This gives Facebook access to the person's address book and allows Facebook to search its members. Facebook now has access to all of those email addresses. When his brother sent him the invite I expect Facebook checks its email database and says "do I have this email address and where did I get it?" It matches all the people who are Facebook members that have that same email address and sends off the invite.

You have to remember that Facebook is a data miner's dream. They have captured so much information on everyone in their system that it staggers the mind. I expect they know more about everyone than the tax departments. Just wait for the Tax department to create a Facebook application for doing your taxes online....then they can access it too :-)
0
 
LVL 10

Assisted Solution

by:yasserd
yasserd earned 71 total points
ID: 33573111
That's what happened to me when I saw Facebook suggesting to me to add a new friend who was my classmate in school. So, I got surprised as he wasn't a "friend" and we had no contact with each other. But, I realized that I once sent him one or two emails and he probably added me to his contacts and when he used Facebook's "Friend finder" it collected my email and Facebook knew that we somehow know each other.

If you or your friend want to know more about this, or maybe want to get more scary, read the book "The Numerati" by Stephen Baker.
0
 
LVL 2

Assisted Solution

by:furball4
furball4 earned 71 total points
ID: 33573686
Yep, I think radnbne hit the nail on the head. And Facebook is not the only site to do this, nor the first. LinkedIn is another prominent example. When someone creates an account they ask you to give them the login credentials to your webmail or other email accounts so their application can match your own database of contacts (via their email addresses) to the whole site's database of contacts. This step is almost always optional, but is presented to the new user as something they should want to do.

The primary use of that information is immediate: the new user is shown a list of their contacts that are already active on the site and has the option of initiating a connection with them. The secondary use is what your client experienced. When one of his customers signed up for Facebook a while back and allowed it to search through his email history, your client's email address was found in the context of the customer's personal email history. Then later when your client's brother sent your client an invitation to the site, the site cross-referenced the email address that the brother gave with its existing database of email history associations. It found that your client's address appeared in several other users' email histories and suggested to your client that he probably knew them - which he did and was spooked by.

Nothing nefarious, but it goes to show that none of us are in control of our own information. Much of the information about us is already shared with other people, and we are often at the mercy of their decisions.
0
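The cross-referencing that radnbne and furball4 describe, as an added example that is not part of the original thread and is not Facebook's code: a minimal model of a site that keeps uploaded address books and looks up an invited address in them. The `ContactIndex` class and every name and address below are constructed for illustration.

```python
from collections import defaultdict

def normalize(addr):
    """Compare addresses case-insensitively, ignoring stray whitespace."""
    return addr.strip().lower()

class ContactIndex:
    """Hypothetical model of a site that keeps uploaded address books."""

    def __init__(self):
        self.members = {}                 # member email -> display name
        self.seen_in = defaultdict(set)   # any email -> members who uploaded it

    def register(self, email, name, address_book=()):
        me = normalize(email)
        self.members[me] = name
        for contact in address_book:      # optional "find friends" upload
            contact = normalize(contact)
            if contact != me:
                self.seen_in[contact].add(me)

    def suggestions_for_invite(self, inviter, invitee):
        """Members whose uploaded address books contain the invitee's address."""
        inviter, invitee = normalize(inviter), normalize(invitee)
        hits = self.seen_in.get(invitee, set()) - {inviter}
        return sorted(self.members[m] for m in hits)

def demo():
    site = ContactIndex()
    lawyer = "lawyer@example.com"         # constructed; never registers
    # Constructed clients who joined earlier and uploaded their address books.
    site.register("a@example.org", "Client A", [lawyer, "x@example.net"])
    site.register("b@example.org", "Client B", ["Lawyer@Example.com "])
    site.register("c@example.org", "Client C", ["y@example.net"])
    # The brother joins without uploading anything, then invites the lawyer.
    site.register("brother@example.com", "Brother")
    shown = site.suggestions_for_invite("brother@example.com", lawyer)
    return site, shown

if __name__ == "__main__":
    site, shown = demo()
    print("Lawyer is a member:", "lawyer@example.com" in site.members)
    print("Names shown in the invitation:", shown)
```

The non-member's address is linked to the two clients purely through data those clients supplied; nothing is read from the invitee's machine, and the inviter does not need to know the clients.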
 

Author Comment

by:IP4IT Staff
ID: 33585082
Thanks all.

Well written furball4.

I passed a synopsis on to my client and while still concerned it has eased some of his fears.

Robert.
0
 

Assisted Solution

by:Cecil_Ward
Cecil_Ward earned 71 total points
ID: 33595306
Facebook looks around on the world-wide web trying to find pages that can be related to keywords it sees in victims' (sorry, users') pages inside the FB.

As an example:
(i) I create an account with facebook and mention the name of my business (or even a url pointing to my business' website)
(ii) facebook finds my own website and picks out a number of English words from it
(iii) it then infers what kind of business activity I am in, and
(iv) then sends adverts _for my competitors'_ services to all my FB "friends" in the FB web UI. Nice.

This is a real-world example that actually happened. Draw your own conclusions.
0
