A tipster pointed out to us that Facebook integration in iOS 6 could fill in details someone might not otherwise have if they get a hold of a phone number and put it into their Contacts app. Daniel Ioffe noticed that should a number in Contacts correspond to a Facebook profile, it’ll populate that entry with a profile photo and Facebook user name, even if all of the above information is kept private by the user.
[Update: There is no bug or new privacy issue, based on follow-up discussions with Facebook about this feature. Here’s some more detail on what we know. If users mark their phone numbers to “Only Me” in the About section of their profiles, the number will stay private to only them.
However, Facebook has a separate privacy setting in the “How You Connect” section of your Privacy Settings page. Within the Edit Settings here, the company lets you choose the answer to “Who can look you up using the email address or phone number you provided?” The options are Everyone, Friends of Friends, and Friends, with the default being Everyone. If you have this option set to Friends, then your name and profile photo should not appear to random strangers who have your phone number, whether they search for it on Facebook or if they auto-populate their app in iOS 6.
However, Ioffe says he has found in tests that at least some profile name and photo information are auto-populating to iOS 6 even if those users have marked their numbers to Only Me and marked their phone number sharing settings to only Friends. We haven’t been able to duplicate this yet, and at this point we can’t affirm that there is any sort of problem. Unless anyone comes forward with evidence of a bug, we’re assuming there is no issue. ]
Here’s how Ioffe first noticed this:
This started yesterday because a friend of mine tried setting me up on a blind date. He sent me a girl’s phone number and I registered it into my phone and just started chatting with her. I only had her name and phone number. Then I Updated All Contacts with iOS 6 and boom I all of a sudden had her full name in the form of her Facebook user name and her photo.
That may not sound like that big of a deal. After all, it’s generally pretty safe to assume that if someone has your phone number, they know your name, and may have a good idea of what you look like. Also, Apple tells users that it’s temporarily providing phone numbers to make a match in the Facebook section of Settings on iOS devices, as you can see below.
Here’s the thing: it works even when you don’t have any information about a contact beyond their phone number. I confirmed this by entering some random numbers. On my second try, I found one that populated with a full name and picture, even though the individual’s profile was hidden on Facebook. I called the number and it did indeed go to that person’s voicemail. Likewise, when I tried it with the numbers of two colleagues (who I am not friends with on Facebook), without using their correct names and only their numbers, I got their full names and current profile photos in my Contact entries for them. I also tried it with a number of other numbers I knew were on Facebook, but who weren’t friends of mine and who didn’t make their info public, and again, I got full names and photos back.
There’s clearly an assumption at work here: If someone has a phone number already, they likely know someone, what they look like and what their full name is. That’s fair, but it doesn’t cover all cases, as mentioned above. And if users aren’t making themselves searchable by phone number on Facebook, as was the case with the random individual I found, it stands to reason that they wouldn’t want their information shared via the Contacts app, either. Also, if I can find a user’s full name and photo just by entering a phone number, and maybe even more info depending on how much they share on their Facebook profile, I might stand a better chance of talking them into something not in their best interest on the phone.
It’s worth noting that this didn’t work in every case; when my colleagues put my number into Contacts and tried updating from the Facebook settings, nothing populated, even though I share my phone number with my friends on Facebook. But it worked more often than not; often enough that it’s worth noting, in the hopes that this loophole will soon closed down completely.