Last year, I was trying to solve a mystery. Facebook’s “People You May Know” tool was outing sex workers’ real identities to their clients, and vice versa, and I was trying to figure out how. A sex worker using the pseudonym Leila told me she had gone to great lengths to hide her identity from clients by using an alternate name, alternate email address, and burner phone number—contact information she didn’t provide to Facebook—yet Facebook was still inextricably linking her with her clients, suggesting them to her real-name account as people she might want to friend.
Facebook expressed concern about this happening, but its spokespeople purported to be as mystified as I was as to how it happened.
“We take privacy seriously and of course want to make sure people have a safe and positive experience on Facebook,” a Facebook spokesperson told me at the time. “We test a variety of signals for People You May Know and suggestions are always based on multiple signals.”
That latter sentence says everything and nothing at the same time, but earlier this year, a possible “signal” that could have caused this came to light. Five months after I published the story about Leila, a Facebook user who had Facebook Messenger on his Android phone downloaded his Facebook file and discovered that it contained a history of all his calls with his “partner’s mum,” including the missed ones, and how long they lasted. That led Facebook to disclose that, yes, its Facebook Lite and Messenger apps on Android collect “call and SMS history” and had been doing so since 2015. It was never rolled out, according to Facebook, in the main Facebook app.
Facebook included this permissions screen in its post, saying that it had popped up for users of Facebook Messenger, with the request for “call and text history” in tiny grey font, before the app would start sucking up that data. I think it’s fair to say that would have been easy to miss on a small phone screen.
Then last week, an internal Facebook email from 2015 came to light in which Facebook employees discussed the decision to add the “call and SMS history” permission on Android, saying the “growth team [would use it] for improving things like PYMK,” Facebook’s shorthand for “People You May Know.” One of the Facebookers, a product manager not on the growth team, said this was a “pretty high risk thing to do from a PR perspective” and could lead to headlines about Facebook trying to “pry into your private life in even more terrifying ways.”
Regardless, Facebook decided to go ahead with those permission requests and apparently no one noticed… that is until a user saw his call history with his potential mother-in-law in his Facebook folder. The internal email from 2015 documents something pretty disturbing: a scheme by Facebook to make the data grab less noticeable. Yul Kwon, who was Facebook’s lead privacy sherpa (and—fun fact—also a Survivor winner), said the growth team was testing an update that wouldn’t trigger Android’s permissions request screen, meaning users wouldn’t get the alert they might expect.
Despite being Facebook’s lead privacy sherpa, Kwon did not object to this. There should have been someone in the room at Facebook saying, “Hey, maybe we should notify users both in the Android permissions and in big print within the app that we’re planning to track everyone they call and text because that’s a pretty invasive thing to do without their explicit and informed consent!” But no one in this 2015 discussion raised that concern, at least not in the released emails, including the person specifically tasked with making sure Facebook’s products are privacy-compliant. Facebook apparently hoped it would only have to notify users what it was doing when it asked them to sync their contacts within the Messenger and Lite apps, in that place where it can use the tiny grey font.
A Facebook spokesperson told me that employees at the time were spooked by the public hysteria that resulted in 2014 when users on Android were asked to give the Facebook app access to their microphones. Or as the employee put it in the 2015 email, a “screenshot of the scary Android permissions screen becomes a meme,” which would clue “enterprising journalists into exactly what the new update is requesting.”
It’s unclear whether the scheme not to trigger Android permissions actually worked. Technologist Ashkan Soltani and I ran a test where we downloaded the versions of Facebook Lite from this time period to an Android with an operating system that was also from this time period. (I have a surprising number of old Androids around my house!) When I upgraded to the Facebook Lite Android app that wanted to suck up data about who I call and text, it triggered a permissions request to “read call log.”
And then when I signed into Facebook in the Lite app—a version of Facebook meant for users on low-bandwidth connections—it asked me to add my contacts with this screen:
This was not a rigorous or definitive test—we only tested Facebook Lite, not Messenger, as we didn’t have an applicable version of that available. And it’s entirely possible that a Facebook user’s experience could have been different in 2015.
Regardless of how Android users were notified, this would help explain why People You May Know recommendations are so creepily accurate for Android users. And why Facebook would be able to link a sex worker with her clients if she had Messenger or Lite on her Android: The app would potentially be collecting information about everyone she called and texted regardless of whether she added them as a contact and regardless of whether she was using a “burner number” that she’d never given to Facebook.
But Facebook, as always, says it’s more complicated than that. A spokesperson says this was one team talking about what another team was doing and that it does not accurately capture what was happening with People You May Know.
“When we made it possible for people to sync their call/SMS logs in Messenger in May 2015 we did not use it to inform PYMK,” said a Facebook spokesperson by email. “We ran tests to understand whether the call/SMS log information people uploaded could improve suggestions in People You May Know. We didn’t launch the feature, so I would not characterise it as playing a ‘key role.’”
In other words, Facebook only ran “tests” with an unknown number of users to see whether this was a good way to figure out who they knew and were close to IRL. According to the spokesperson, the history of who people had called and texted wasn’t incorporated into PYMK for all users. The spokesperson could not tell me how many users were part of the tests, when the tests were run, or whether the tests continue. So Leila could have been part of the tests or she may not have been. Who knows????? Apparently not this Facebook spokesperson.
He did say Facebook could still decide to make this a feature in PYMK one day.
As usual, Facebook’s machinations are shrouded in mystery to the detriment of its vulnerable users. If Facebook would be more forthcoming about the information it’s collecting about its users and how it uses that data, whether for advertising or for People You May Know, then users like Leila could protect themselves. But Facebook prefers to be vague, whether because it’s “proprietary information” or information that would disturb its users enough to abandon the platform altogether.