Facebook slurped phone numbers says Norton

Norton has pinged Facebook for slurping Android users' phone numbers without their consent. The findings, posted here, were announced along with a new version of the company's Android security app. Norton, which once famously blocked Facebook as a phishing site, says the updated Mobile Insight flagged Facebook for Android as …

COMMENTS

This topic is closed for new posts.
  1. mIRCat
    Big Brother

    Accidental data loss.

    Facebook has advised that it will update the app, and that it has “stated they did not use or process the phone numbers and have deleted them from their servers,” Norton says.

    Don't worry, the U.S. government has them backed up safe & sound in case you lose them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Accidental data loss.

      Indeed. And one has to wonder if issues like these are down to bugs/errors or maybe intended....

      1. Anonymous Coward
        Anonymous Coward

        @AC - "... one has to wonder ...".

        I think this sort of thing is all too frequent and well crafted to assume anything but intent.

        I'd be more inclined to accept the bug/error explanation if the apology was accompanied by a statement that the developer concerned had been redeployed for causing FB serious embarrassment.

        1. Gordon 10
          WTF?

          Re: @AC - "... one has to wonder ...".

          "I think this sort of thing is all too frequent and well crafted to assume anything but intent."

          Not convinced myself. If it was a deliberate slurp, I would have thought that it would have gone for the whole address book.

          Although it begs the question: is this before or after the App permissions are set? If it's before, it's an Android fail for making the phone's number available - if it's after then it's a false flag by Symantec and it's the user's lookout - if they have already given slurp permissions then there's not a case to answer.

          1. TomChaton
            Facepalm

            Re: @Gordon 10

            I agree, it looks more like a lazy/stupid developer to me.

          2. Anonymous Coward
            Anonymous Coward

            @Gordon 10 - Re: @AC - "... one has to wonder ...".

            It does seem that slurping the number before login was a bad design decision or even an error. You do have to wonder, though, why someone thought there was any need to pass the phone number on at any time.

            Whatever - this reminded me that I have the Facebook app on my phone, though I don't use it. It's gone now, along with Twitter.

          3. Anonymous Coward
            Anonymous Coward

            Re: @AC - "... one has to wonder ...".

            It was a deliberate slurp.

            FB is looking for ways to help identify that you are who you say you are and that you're a real person and not a fake name/identity. Or that you're connecting to FB from a known computer.

            So it's trying to authenticate the real you and your external activities with their data.

            You can look at it as benign because they want to prove that you are you. Or you can look at it with the knowledge that they want to make sure you're real and even if you use a fake identity, it's tied to a real person.

            1. Anonymous Coward
              Anonymous Coward

              @AC 16:19

              I get the point about identifying the device, though still it should not have sent the phone number until login was attempted.

              But I don't go along with the need to identify a real person, or that I'm me. The phone number only identifies a real person if that person has given it to Facebook already in their account settings. Otherwise it is an unreliable means of inferring identity.

              1. Anonymous Coward
                Anonymous Coward

                Re: @AC 16:19

                You do remember how a group of researchers took supposedly anon data from Netflix and were able to then, using an external data source, determine the real identity of the poster who made the recommendation?

                The point is that you can figure out who is who and your real identity much easier than you think.

    2. Wzrd1 Silver badge

      Re: Accidental data loss.

      Now now, we can trust both of Symantec's biggest customers, the US government and the PRC.

    3. Anonymous Coward
      Anonymous Coward

      Re: Accidental data loss... Not really

      When you sign up to Facebook you sign up with the devil.

      So what do you expect?

  2. dssf

    Kakaotalk

    Kakao and others do or did this, too. It REALLLLLLLLLY fracking pissed me off that they slurped my contact info without any clear warning and no option to flag certain contacts as off limits.

    What is so fucked in the head about these companies and their self assignment of slurping rights is that they could be endangering relatives who have restraining orders against one or more people in my contact list, since early in the post-slurp phase they begin recommending contacts to be contacted.

    What is worse is that do not be evil should have anticipated this and created a tickbox system like a phone list firewall to prevent these asinine and greedy purloiners of free software from slurping our data, marketing us, and risking the safety and lives of thousands if not hundreds of thousands of people.

    1. Steven Roper
      Thumb Up

      Re: Kakaotalk

      "...that they could be endangering relatives who have restraining orders against one or more people in my contact list...."

      This, a thousand times this. All you "but I have nothing to hide, so why should I be worried" morons should take careful note of exactly this kind of issue. This sort of thing is why privacy is vitally important, and it is just one example of why the tired old "nothing to hide, nothing to fear" argument is invalid.

    2. MachDiamond Silver badge

      Re: Kakaotalk

      You drank the kool-aid, Kakotalk.

      With so many gullible sheeple out there, I should start a content-free ad service myself. I don't need to make billions, but so many people have nothing to hide, I could make a moderately phat living.

    3. Wzrd1 Silver badge

      Re: Kakaotalk

      Erm, I'm only surprised that Symantec took this long to notice it. I noticed it nearly two years ago when I was checking something with my phone and caught the traffic.

      Fortunately, the numbers changed quite rapidly in the phonebook, the contacts were mostly mailing lists and erroneous entries from a buggy version of software that I was too lazy to remove.

      Since then, I've only allowed certain traffic to depart from my phone, using a tether and networking tricks to ensure that.

      One only ponders why it took this long to notice or, erm, suddenly realize it should be reported to the public...

      Perhaps, after clearing it with the NSA?

    4. Chris_J
      Angel

      Re: Kakaotalk

      If you have an Android phone what you need is a ROM with pdroid support compiled into the kernel, does exactly what you're after, firewall for permissions. Search XDA developers for your phone and find a suitable ROM.

      If you don't want to root/flash your phone there are other apps that act as a permissions firewall, LBE Privacy guard is one I used in the past but I don't think they work 100% like pdroid.

      Pdroid also allows you to spoof phone numbers or device IDs so you can have the satisfaction of screwing up their nice and neat marketing data.

      1. Lallabalalla
        WTF?

        Re: you want a ROM with pdroid support compiled etc blah blah blah

        No - what they, I and a billion other people want is the right to own our data and to only release our data with express permission, not to have it stolen from us for whatever purpose.

        1. Chris_J

          Re: you want a ROM with pdroid support compiled etc blah blah blah

          In an ideal world that would be nice, unfortunately that's not the case so while you wait for that to happen I will be using Pdroid and my phone won't be leaking any info I don't let it.

          The choice is yours, I was just stating that there are options out there to protect your info, now.

      2. mickey mouse the fith

        Re: Kakaotalk

        "If you don't want to root/flash your phone there are other apps that act as a permissions firewall, LBE Privacy guard is one I used in the past but I don't think they work 100% like pdroid."

        LBE needs root like the others. Xprivacy using the xposed framework is the most complex privacy app I have come across and it's very similar to pdroid in function. It allows fine grain permission and access management and works on most ROMs ICS and up without messing about with patchers on a PC (unlike pdroid, which only works with select ROMs and requires making a patched zip). LBE is pretty good, but it's closed source, hails from China and is getting more bloated with every release, not to mention it can leak data at boot, before it starts up, and hasn't got the vast choice of permission options that pdroid and xprivacy have.

        Having said that, I used the full fat xda translated LBE for years and it served me well.

        As for facebook, it bloody annoys me that it only takes one person who has my details in their contact list to upload their contacts to fb, and they have all my details, even though I have never had a fb account.

        It's getting almost impossible to stay off-grid and anonymous now when the average person doesn't know or care about the data on others they spunk online every day. And don't get me started on photo tagging....

  3. Roger Stenning
    Flame

    And my friends wonder...

    ...why I don't trust Facebook.

    Well, this is just one of many security and privacy issues that I have had concerns about over the years, when it comes to Facebook.

    THAT'S why I refuse to have anything to do with it.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: And my friends wonder...

      Yawn... every facebook invasion story prompts people on the reg to say almost exactly "facebook is evil, aren't I clever and smug for not using it".

      People use facebook. It is pretty standard to interact with other people using some form of social media.

      People use apps, that is what is going on in IT now... if you want to stay in the 80s and ignore the current world of IT then be my guest, but simply berating the rest of us for being stupid to expect any level of privacy from a piece of software is extremely arrogant of you.

    3. Wzrd1 Silver badge

      Re: And my friends wonder...

      I do, but I keep my contacts where some script can't find them, they're encrypted and I rarely use Facebook, save to see my grandchildren's latest pictures.

      That said, shall we discuss LinkedIn's sucking of contact lists?

      For that matter, who doesn't suck in contact lists these days? :/

      1. Crisp

        Re: Who doesn't suck in contact lists these days?

        Just because everyone else is doing it doesn't make it right.

    4. Aoyagi Aichou

      Re: And my friends wonder...

      And are you blocking the intersite tracking known as "Facebook Social Plugins" too? Or Google Analytics?

      1. Graham Marsden
        Happy

        @Aoyagi Aichou - Re: And my friends wonder...

        Looks at Ghostery, NoScript, Adblock Plus...

        ... Yep!

        1. Aoyagi Aichou
          Thumb Up

          @Graham Marsden

          Hah, a rather popular setup, I see.

    5. Irongut

      Re: And my friends wonder...

      The biggest problem here is that the FB app is preinstalled on a lot of mobiles and as the article states all you have to do is run the app and it sends your mobile number to FB. You don't even need an account. So they may have the number of people like myself and Roger who don't trust FB and would never have anything to do with it.

      I really don't care if the unwashed masses want to sell themselves to Satan, Zuck or Larry Page. I'm seriously pissed off when I'm forced to do the same.

  4. Mitoo Bobsworth
    Coat

    Remember this article?

    http://www.theregister.co.uk/2011/02/17/obama_hosts_tech_titan_meeting/

    Really does make me wonder what was really discussed at that meeting, in light of current events.

    </paranoia>

    I'll get my coat now!

  5. G2
    Mushroom

    heh.. diigo is far worse

    Diigo is far worse... if you're logged in with ANY account you can download ANYONE ELSE's exported bookmarks if you manage to get the download key (looks like an MD5 sum slightly modified) for one.

    The site doesn't check that the file actually belongs to you, only that you're logged in with a diigo account. (It used to be that the site didn't even check that you're logged in, but they added a login check sometime last year.)

    Even data for PAST ACCOUNTS, that are currently deleted, can be downloaded. Diigo doesn't allow you to delete ANY EXPORT files even if the account that generated them is deleted by the user.

    http://feedback.diigo.com/forums/76543-bugs/suggestions/2724653-major-privacy-violation-exported-archives-cannot-/

  6. Anonymous Coward
    Anonymous Coward

    Like we needed 4 more reasons to drop ZuckBook...

    1. Spying by US Govt...

    2. Spying by Advertisers....

    3. Behaviour Analysis Data Mining: M$' 'MoodScope app predicts smartphones users' feelings'

    4. This latest in a long line of 'you have nothing to worry about' Big-Tech privacy violations....

  7. Test Man
    Unhappy

    The funny thing is the other day (within the last two weeks in fact) the Facebook app presented me with my phone number with a message "Is this your phone number?". Cheeky bugger!

  8. Darren Coleman
    Thumb Down

    Not processed, now deleted

    "stated they did not use or process the phone numbers and have deleted them from their servers"

    If they didn't use or process them, why do they need to delete them? Not processing them would imply the data was just lost in transmission, but needing to delete them means they did something with that data - i.e. stored it - thus processed it.

  9. CheesyTheClown
    FAIL

    Wow!! Norton! There's a name from the past!

    First... Facebook is pretty much evil. We all use it because the only real alternative is Google+ which is from the company who brings us 8.8.8.8 to track all our DNS queries. So, when you basically give 99% of your life to a company which is competing with Google to see who can be Orwell's big brother first, you can't really bitch when they try to get that last 1%.

    Second... Norton! Wow! I remember those guys. They're the ones who took over from Microsoft for a while with regards to making computers slower so you'd have to upgrade right? I mean, when MS started doing stupid things like making Windows use less RAM and CPU with each version, Norton Antivirus used more and more so Intel would sell more chips :)

    1. 404

      Re: Wow!! Norton! There's a name from the past!

      Norton... last client purchases ended when they introduced that damn license portal - took two months (no chit mang) to renew a site license for a client. Was the last time/last use of Symantec with any of my clients.

  10. RISC OS
    Devil

    Hmm...

    "...they did not use or process the phone numbers and have deleted them from their servers..."

    Was this before or after prism had access to the data?

  11. dalekette
    Devil

    Not saying this is right

    But if you use a Google Phone, Facebook slurping should not be your top concern.

  12. StampedChipmunk

    No new

    I noticed this about two years ago. If you install the Facebook app on your smartphone it slurps your phone number and adds it to the 'contact information' on the facebook site - along with anything else you have in your phone - email etc.

    All you can do to stop it is block your contact information from being shared with anyone else in the privacy settings. Facebook still have access to it on their servers. AFAIK there is no way to stop the app from slurping your number.

    In the recent update it now wants the ability to phone premium rate numbers on your device. I'm waiting for the first rogue dialer smartphone app to be seen in the wild. FB are FCKS...

    1. dssf

      Re: No new, Maybe not...

      I think all you needed to do was just have an Android phone, if you didn't use Apple, Blackberry, etc.

      See, one day, in or around 2010, I bought an HTC Evo 3G, from BBuy. I updated my info to the phone. Then, on my way out of the store, and at the bus stop, realized the phone was acting up. Then, the screen would stay black for a long time or very dimmed whether or not shooting pics.

      Immediately, I returned to the store rep who sold me the device. He got authorization to remove another from stock, then did some keystroke magic, then handed me a new handset. I logged in, and just as with the first, that handset had all my google info, bookmarks, and phone contacts.

      Even "do not be evil" apparently had not had and still has no systems to allow the device owners to be presented a list to exclude from update to the new device.

      I sometimes put personal notes on the contacts for whom I do not have phone numbers because, evil or not, none of my android phones had native note takers/apps. Hence, hundreds of millions of us are FORCED (if we opt not to use pencil and paper) to download some third-party app. Hell, I still wonder whether any of the note applications slurp data without permission.

      This is why for the past two or so years I been bitching up a storm that google should/must provide users with tools to know who is sucking on our phones and what data is being slurped. Governments should obtain their data theft of the public at some demarc, not via some dodgy, surreptitious, clandestine app plopped into the Play Store or AppStore or whatever.

      At what point does this become baiting or entrapment, when intel and police agencies litter the stores with apps having the sole purpose of building a global dragnet. I would not be surprised if that is the next thing to pop up in this NSA scandal: "CIA, DIA, DIS, NIS, NSA, et al, develop, deliver, and defensively hide data-slurping tools globally." Probably Huawei, LG, Samsung, Sony, Blackberry, etc all do it for testing purposes, as they'll claim, but then all that complexity enables governments and criminals alike to with impunity suck from our devices and sometimes damage them in the process.

      I wonder what will happen if people in the hundreds of millions start trying to sanitize their phones, and if they just spuriously and randomly change their behavior. Not that it will severely affect law enforcement agents who stick to monitoring baddies. But, it will royally screw over marketing companies and maybe only slightly annoy some criminals. Enough dumb people will keep crims in business, but marketing slurpers under performance and due-diligence/data integrity contracts would go apoplectic if forced to repay hundreds of millions of dollars due to sloppy or questionable data transfer.

  13. Tree
    Windows

    Facebutt, give me my number back

    Just like Gurgle kept the stuff found by their war driving, also facebook needs to keep our numbers and sell your privacy to be able to get Suckerberg enough to live on. Phone numbers are sometimes unlisted, except by them. Please give me back my number.
