The unfolding Cambridge Analytica scandal has confirmed something that Business Reporter’s resident U.S. ‘blogger has been concerned about for some time: Facebook’s creepy ability to intuit connections between people that definitely aren’t ‘friends.’
Apologies to Mr. Zuckerberg, but I had severe misgivings about the possible overreach his social media behemoth long before Channel 4 introduced us to the Cambridge Analytica scandal. I’m not trying to paint myself as an ‘I was into hating the thing you hate long before you became aware of it’ hipster. Rather, I want to talk about an early indicator that the platform might have been violating our trust: Facebook’s uncanny ability to identify connections between people without those people’s knowledge, consent, or agreement.
I noticed this early last year when Facebook started making ‘suggestions’ about friends that it said I might want to connect with. I understand why FB does this; its business model needs its product – us – to make as many connections as possible so as to maximize the amount of data it can consume about who we are, what we do, and what we want. It sells that data to advertisers, who in turn use it to pitch us goods and services. It’s in the best interests of everyone that’s making money off of us to encourage us to reconnect with old friends, distant relations, and several thousand casual acquaintances in addition to the usual practice of linking to new friends.
That’s why I was only mildly surprised when I started getting ‘friend suggestions’ for people that my linked friends were connected to. FB’s ‘People You May Know’ (PYMK) algorithm guessed (rather accurately) that since we’d all been active on its platform in the same neighbourhood at the same time during traditional business hours that we’d probably worked at the same company. That was a good guess, given that it tried to link me with a bunch of my former co-workers. Well-played, Facebook.
‘Hey! Remember that time we were all young, generic, and atypically attractive stock photo models?’
At first, the PYMK guesses weren’t bad. Most of its early suggestions were logical based on proximity. I was linked with Mister A, Mister A was online friends with Miss B, therefore, I should be online friends with Miss B as well. The algorithm couldn’t understand nuances like ‘fraternization’ or other workplace-specific reasons why it might be considered improper to have a supervisor ‘friend’ a current or former subordinate, so I ignored most of the site’s suggestions for protocol’s sake. A few of my old employees sent me link requests, some of which I was happy to accept. 
Over time, though, FB’s suggestions started getting inappropriate, then disturbing. First, it showed me a name and picture of a fellow that I’d only ever met a few times and had never worked with (nope!). A few weeks later it sent me a name and picture of a fellow that I’d terminated for cause after some felony-level workplace misconduct (Hell, no!). The last straw was a suggestion to ‘friend’ a former supervisor of mine who was so abusive and unprofessional that he’d earned himself a dedicated chapter in my book about learning from terrible bosses (HA HA HA NOT ONLY NO BUT *#&£ NO!).
To be fair, there wasn’t any social risk to me from ignoring these suggestions; if I didn’t click the ‘friend’ button, these suggested people would never know. So I ignored them … along with the 50 or so friend requests that I’d received from people that I couldn’t place for the life of me.
Over time, though, suggestions for people started getting odd. Some of these people that FB suggested I link with weren’t social media users at all.  Many of them were former workers who had been reviled by their peers, so we wouldn’t have any mutual ‘friends’ in common. There weren’t any obvious ways to draw the conclusion, so how did Facebook’s PYMK algorithm conclude that there was a possible link between us?
Just how deeply has Facebook infiltrated our private lives?
The idea bothered me, but I ignored it for most of 2017 because I didn’t see how it affected me as a casual user. I don’t do much with Facebook beyond linking to these Business Reporter columns, sharing cybersecurity-related news, and reading about a few old classmates. It wasn’t until Gizmodo’s Kashmir Hill published the article How Facebook Figures Out Everyone You’ve Ever Met in November 2017 that the breadth of the threat became clear … and my concern level skyrocketed.
Kashmir wrote that Facebook creates ‘shadow profiles’ on its users that are ‘built from the inboxes and smartphones of other Facebook users.’ FB uses this to map people’s social networks and connections. It intuits connections based on anyone that has any contact data that it recognizes on any other recorded person … whether or not that person is a Facebook user. Per Kashmir, this includes
‘… any person who might at some point have labelled your phone number or email or address in their own contacts. A one-night stand from 2008, a person you got a couch from on Craigslist in 2010, a landlord from 2013: If they ever put you in their phone, or you put them in yours, Facebook could log the connection if either party were to upload their contacts.’
That explained why I was getting suggestions to ‘friend’ former colleagues that I absolutely didn’t consider to be ‘friends.’ My employees and my supervisors all had my personal mobile number stored in their phones, per our organisation’s disaster recovery protocol. If any one of those people had uploaded their contacts list to Facebook when first setting up their accounts, FB’s PYMK algorithm would have triangulated dozens of personal and professional interconnections between all of us who worked at Company X. Or, as Kashmir phrased it:
‘With its vast, hidden black book, Facebook can go beyond simply matching you directly with someone else who has your contact information. The network can do contact chaining – if two different people both have an email address or phone number for you in their contact information, that indicates that they could possibly know each other, too. It doesn’t even have to be an address or phone number that you personally told Facebook about.’
Like the ‘burner phone’ you used to contact a journalist about cover-ups and criminal negligence at the office. Ah, good times. Surely you want that moment displayed as a ‘flashback’ on your home page, right?
This came back into sharp focus for me after the Cambridge Analytica story broke. Marketplace’s technology expert Molly Wood interviewed Kashmir about her article just last week in a short radio piece called Why Facebook thinks you know these random people. In this interview, Kashmir shared this unnerving perspective:
‘I’ve definitely encountered people who are links who aren’t on Facebook. So a man who told me that his current girlfriend was recommended to his ex-wife. Even though he himself is not on Facebook, his contact information is still being used to connect people. And again, there is nothing they can do to prevent that. So I’ve heard from many people that “people you may know” is a good place to discover whether your spouse might be cheating on you because of who ends up coming up in your recommendations.’
I get why this platform is an advertiser’s dream. This contact chaining capability is also a prosecutor’s, private detective’s, and Open-Source Intelligence analyst’s dream for exactly the same reason. Facebook’s PYMK engine alone can be wicked-effective as virtual bloodhound for unearthing clues about connections between subjects that those people went to great lengths to hide. All you need is access to one subject’s Facebook account – either by compromising their password, or just by linking to them in the guise of their ‘friend’ – and you can start tracing friend-of-a-friend-of-a-friend connections.
Add to that it’s encouragements that users ‘check in’ at popular locations and you can follow a subject’s movements and timing to help correlate multiple covert subjects’ possible encounters. No wonder the Trump administration wants visa applicants to turn over all of their social media identities, phone numbers, and email addresses for the previous five years! No wonder, too, that police and counterintelligence agencies all want legal permission to plunder citizens’ social media history without a warrant. Consider how many classic mysteries (both real and fictional) could be solved swiftly by piecing together covert connections that would traditionally only be uncovered by a stubborn and clever detective one isolated and mysterious clue at a time.
I’m curious to see if Facebook’s ‘interests’ algorithm will figure out that I’m a huge fan of noir detective stories by crawling the link to this article and drawing inferences from these stock photos. Stay tuned.
On the other hand, consider how many connections you don’t want the government, or your employer, or your spouse, or your casual acquaintances making about you. Not that most people have criminal secrets; rather, consider it in pedestrian terms. We all probably have disgruntled former co-workers, jealous exes, nosy neighbours, and other people who would take a prurient interest in corners of our lives that we want hidden. Facebook’s PYMK algorithm isn’t just laying our lives bare for faceless advertisers; it’s rapidly exposing us all – often without our knowledge or consent – to the world. That’s a darned good reason to be outraged, disturbed, and angry.
As for where we go from here, I honestly don’t know. For all the talking heads calling on Zuckerberg and company to clean up their act, I think we all realize that’s not likely to happen. Our connections are helping Facebook make a ton of money. Human nature being what it is, the folks running FB aren’t likely to give that revenue up. They’ll promise us the world, but they likely won’t stop exploiting us all until they’re forced to.
 This is proper: junior-to-senior is okay while senior-to-junior almost always isn’t.
 At least, they hadn’t been when I’d worked with them.
Title Allusions: Dashiell Hammett, Red Harvest (1929 Noir mystery novel)
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.