Tools used by social networks to harvest new members can threaten the privacy of confidential sources and put journalists' careers in jeopardy, our research has found.

A little-known technique called Address Book Importing (ABI) gives social networks the power to access and import members' online address books or even address books stored on desktop computers. The networks do this by encouraging members to 'invite friends' to join, or through 'friend finder' tools.

If users don't fully understand what ABI is, the result can be disastrous. Social network users often assume that these 'friend finder' tools simply trawl their address book (on Gmail or Yahoo for example) to look for contacts who are also members of the same social network.

In fact, once users enter their login details to the 'friend finder' tool their entire contacts file is imported by the social network. Leading social network Facebook, for example, then uses the file to create 'networks' between people, giving the user no control over the process. Those who use the ABI functions can unwittingly spam everyone in their entire address book with invites to join their social network. Those who want to maintain the trust of confidential sources stored in online or desktop address books can be more at risk than most, as the networks use contacts' file data to create 'friend recommendations' for you and other users that can publicise private connections between people.

The crux of the problem is that the networks' privacy controls are often confusing or obscure, and the default settings mean that users can easily give social networks access to the personal information of professional contacts, colleagues and even confidential sources if their information is stored on the same contacts file.

Concerned about the particular privacy hazards these settings pose for journalists, Journalism.co.uk set up a series of false identities on eight of the most popular social networks. We created several online contacts files and tested the social network 'friend finder' tools and the privacy controls involved.

Given Facebook's reach and command of the social network market, we found its policies to be the most worrying. Up front, users are recommended to 'upload a contact file and we will tell you which of your contacts are on Facebook'.

In fact, Facebook harvests the email addresses in the user's contacts file and uses them to suggest connections to you and other members whether you like it or not. It also links users directly with people in their file when it communicates with other users. Jump to find out what Facebook doesn't tell you.

Media organisations are starting to become aware of the risks, but should urge journalists to be even more cautious. Reuters, for example, warns its journalists of the danger of 'friending' in the latest addition to its advisory handbook: "Be aware that you may reveal your sources to competitors by using 'following' or 'friending' functionality on social networks."

But journalists need to be aware that automatic recommendations using address book data, even when they have not actively followed or befriended someone, could also reveal sensitive information. That is to say, even if separate profiles for work and leisure are set up, the connection via a private email address can still be made. For more on this, and Facebook's response, jump to OUR FINDINGS.

These warnings have come too late for freelance writer and consultant Patti Laubaugh. Last year she won a new contract only to see it cancelled after she accidentally spammed her entire Gmail address book, including all of her professional contacts, when using the Facebook 'friend finder' tool. Not only did she lose the contract but she also lost her business partner and all prospect of further work from that client. Jump to CASE STUDY.

Social networks have a vested interest in creating as many connections between people as possible, but ABI practice may make it impossible for people to keep their professional and personal identities separate even if they use two profiles. Journalists involved in investigative projects who need to protect their own identity or their sources will have to be extremely cautious and never link social network accounts with contact files.

Anne Mitchell, CEO and president of the Institute for Social Internet Public Policy (ISIPP) and professor of Law at Lincoln Law School of San Jose, says some social networks' practices are worse than others.

"It's never good - it's never ok - but there are companies whom, while not seeing why it's bad, at least see the potential for evil and try to avoid it." She saves her strongest criticism for those companies that don't adequately warn users about the implications of ABI. We found Facebook and Friendster to be the worst [Jump to findings].

She also condemns the practice as misleading because the vast majority of users aren't aware that social networks download and hold onto address book data.

"It not only breaks every kind of rule of netiquette (such as 'never' ask someone for their password) but it 'desensitises' users to those issues - it 'encourages' users to give a third party their passwords and never give it a second thought," she says.

Mitchell, who also runs the Internet Patrol blog, argues that social networks attempt to camouflage their requests for login details by using the logos of online email clients such as Yahoo, Gmail or Hotmail. Our findings support her concerns.

The screenshots below reveal Facebook's practice. Facebook displays the logos of all the major providers of online email and it also uses those logos next to the 'find friends' button - in this case Gmail.

Worse still, activate the 'find friends' button and Facebook will take you to another window where you are invited to give up your Google Account login details. Again - supported with a Google logo.

It is not at all clear if you are giving your login details to Google or Facebook. "How can you ever really be sure where the password is being entered," says Mitchell.


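[Screenshots: Facebook displaying the logos of the major online email providers; the Gmail logo next to the 'find friends' button; the Google Account log-in prompt]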


Mitchell also condemns some social networks, including Facebook, for the way they deploy default settings. For example, once you have uploaded a contacts file Facebook will list all of your contacts who don't have a Facebook account.

All of those contacts will be sent an invite from you to join you on Facebook unless you override the default setting. With some social networks, such as Livejournal, you have to actively choose which contacts should receive an invite.

Internet privacy specialist Gus Hosein, a senior fellow at Privacy International and visiting fellow at the London School of Economics, told Journalism.co.uk that it is an issue about which he has long been concerned.

"You don't know how long they keep this information. How do we know how they decide this person is a friend of mine? They're keeping this data indefinitely and it's invaluable."

Earlier this year, Hosein flagged up privacy concerns raised with the launch of social networking and messaging tool Google Buzz. Users were alarmed to discover that their Gmail contacts were automatically following them on Google Buzz, or vice versa.

Although Google has now altered the way it presents its Buzz settings to alleviate people's concerns, Hosein said the example highlights how address book information can be used.

Internet companies have been storing data for years, he said, "but the Google Buzz case really brings it home". In March, 11 US Congressmen and women wrote to the Federal Trade Commission (FTC) asking for an investigation into Buzz privacy. Of a recent lawsuit claiming a violation of user privacy, filed on 5 April in San Jose, a Google spokesperson said: "We can't comment on the suit until we've had a chance to review it."

Most recently, the UK information commissioner, Christopher Graham, has called upon Google to introduce stricter privacy controls.

The social networks' ABI practices could easily reveal a journalist's source, says Hosein. But the onus should be on the networks, not the users, he argues. "It's difficult to ask a journalist to change their practices, when the system itself is so damn leaky."

Social networks need to grow up, he adds: "It's frightening that Facebook still pretends it's a cuddly organisation helping teenagers talk to each other, when it's becoming a communications system for the world."  

Uservision is an internet usability consultancy based in Edinburgh with a range of major clients including the BBC, Amazon and the NHS. It has criticised social networks for failing to give users real privacy control.

Senior consultant Laurene McCafferty told us that Facebook's revamped privacy options introduced in December last year have sparked criticism because the default options encourage people to open up even more data to all Facebook users.

She added: "Given the current lack of granularity within the privacy settings in Facebook, using Address Book Importing is an extremely contentious area – users are not only sharing their own information but the information of others with no clear method of controlling who can access it."

She said the current 'find friends' tool on Facebook allows the social network to import a user's address book without telling that user how the information will be used and how and where it will be stored.

Paul Bradshaw, founder of Help Me Investigate and publisher of the influential Online Journalism Blog told us that social networks should be doing more to inform users about what they are doing with private information.

He adds that journalists need to start being more canny about the risks and opportunities: "I'd recommend creating more than one identity. If you are operating in an area where confidentiality is an issue, then keep that work separate from your 'public' activity.

"Many people have personal and professional accounts, for example, so just extend the principle to a confidential account. Abandoning social networks entirely risks throwing out the baby with the bathwater. You need to make yourself accessible and build trust with a community and social media is terrific for that. But have a process in place if someone wants to talk to you in confidence."

Hosein told us: "Up until now the companies have been acting immaturely, now they know of the risks, they're acting in a belligerent way by not fixing their systems."

Our advice is that professionals who mix their work and personal contacts in contacts databases should avoid automated 'friend finder' tools completely. The best solution is to never mix personal and professional contacts and/or never explore social network friend finder tools.

OUR FINDINGS
We tested a range of social networks. Here are some of our findings.

The way social networks deploy ABI varies dramatically. Some, such as Live Journal, give you clear instructions and the default settings mean you are automatically given the chance to review your contacts file to decide who you want to invite.

Others pre-check all the contacts in the file, which means that you can spam your entire address book if you use the default settings. If you don't understand ABI and are unfamiliar with the privacy controls involved, you can far too easily make a career-changing mistake with several popular social networks.

Facebook


Ever received a friend recommendation on Facebook and wondered how on earth Facebook made the connection between you and the recommended person? One reason is that you, or that contact, or someone else entirely gave Facebook access to an online or desktop address book and the network used that information to make recommendations - Facebook's method of creating networks.

The 'Find People you Email' tool deployed by Facebook tells people what most people assume ABI is all about: 'upload a contact file and we will tell you which of your contacts are on Facebook.' This is misleading because Facebook does much more with that file than simply match users to an address book. As a leading social network, Facebook should be clear about what ABI is and it should deploy industry-leading privacy controls. It doesn't.

Click on Facebook's 'friend finder' option and you'll be invited to upload your contacts file - from your desktop computer or on an online email account.

Here's what Facebook doesn't tell you:

  • When you have uploaded a contacts file, Facebook allows you to generate 'friend invites' for your contacts who aren't members. These are emails that invite your contacts to join Facebook and become your 'friend'. But this email also includes 'friend recommendations' for your contact - these are people you know on Facebook harvested from your contacts file. You have no control over this.
  • Facebook then looks for other Facebook members in your contacts file and, if it finds any, it recommends them to you and you to them. When 'friend recommendations' are generated in this way you have no control over who may be included and who they are sent to. There may be confidential sources in your contacts file or people who are the subject of a report you are writing; people from whom you may want to keep a discreet distance for any number of reasons.
  • Worse still, Facebook will use your contacts file to create friend recommendations for other people. What this means is that those people who are in your contacts file and who are already on Facebook may be recommended as friends to other Facebook users. Again you have no control over how this is done.
  • If the people in your contacts list aren't on Facebook but end up joining months down the line - Facebook holds on to your contacts file and makes the connections at that time.

Facebook tells members that it uses contacts files for friend suggestions, but the full extent of ABI practice is revealed in one sentence elsewhere on its site: "We may use the email addresses you upload through this importer to help you connect with friends, including using this information to generate suggestions for you and your contacts on Facebook."

This information has to be sought out by clicking the 'learn more' option when you enter your online email client login details. This instructs you to go to yet another page if you want Facebook to stop storing your contacts list for recommendations. It is not entirely clear, however, when this will take effect. The network warns that it 'may take some time before your name will be completely removed' from suggestions.

Nowhere does Facebook explain exactly how it uses address books to generate recommendations and how long it will hold onto the data in your file.

In response to our criticisms, Facebook's spokesperson said they believed the instructions were "clear":

"The information on the help page and in the blog post clearly sets out what the Friend Finder does and how users control how and if their contacts are shared. You can also read other users' questions and answers on the Friend Finder FAQ page and feedback specific questions on your Facebook experience on the Feedback Page.

"At Facebook we are committed to an open and transparent system of governance which means we post all proposed changes to our governing documents before they go into effect and solicit feedback on these proposals from the people who use Facebook. We encourage feedback on these changes on the Facebook Site Governance Page.

"We are constantly innovating and developing new products to maximise user enjoyment. At the same time, we encourage suggestions and feedback to improve user experience and comment on our developments. User control over privacy remains essential to our innovation process and we'll continue to develop new tools to help you control the things you share on Facebook."

However, our personal experience as a user, when making a complaint about the 'Friend Suggestions' in 2009, was that it was not easy to find the right information in the Help pages. Our questions elicited no response or explanation from Facebook until we made enquiries in our role as journalists.

Friendster

Of all the ABI practices we looked at – Friendster's is the most potentially damaging. Its 'find your friends on Friendster' tool allows you to use a toggle button to choose between various online email accounts such as Yahoo and Gmail.


Once you've entered your login details you might expect to be taken to a page where you write your own invite or you choose your contacts. In fact, if you click on the 'invite' button at this stage you spam your entire contacts file with invites to join Friendster.

The only indication this may happen is a small checkbox under the login window that allows you to 'review invites before sending.'

We put our concerns to Friendster. A spokesperson said: "[W]e make every effort to make it as easy as possible for our users to find their friends on Friendster and invite new friends to enjoy our site, using their every day web tools.

"As you point out, the site does allow users to review their invites before sending which seems to be sufficient for our users."

But we also pointed out that not enough information was provided about ABI, to which Friendster provided no explanation.

Twitter


Worryingly for journalists, Twitter has also jumped onto the bandwagon. Its 'friend finder' tool uses online email client logos just like Facebook, and Twitter similarly invites you to "See if your friends are on Twitter". In fact, what this tool does is give Twitter access to your online email contacts database with Gmail, Yahoo or AOL.

At this point Twitter does tell you that your email addresses will be stored "to help you connect with other Twitter users". To find out more about this you have to click through to another window. This tells you that Twitter is working on 'cool new features' that will allow it to alert you when someone from your contacts list signs up and make recommendations between you and your contacts.

Interestingly, Twitter says that when you upload a contacts file, the storing of contacts is completely optional. It says "just click 'skip this step' if you'd rather us not store your contacts list." We couldn't find this control anywhere - even when we'd uploaded a contacts file we weren't asked whether we wanted that file stored or not.

Twitter, despite our repeated efforts, did not respond to our enquiries.


CASE STUDY - Patti Laubaugh



Patti Laubaugh learned about ABI the hard way. In 2009 she and her business partner won a major writing job from a new non-profit client based in Florida. It was a sensitive project that involved a grant proposal. A lot was riding on the job.

Patti and her partner hoped that a successful outcome would help them win public sector support for the launch of a business they had planned for many months. Near the end of the project Patti went on a mountain-walking holiday. On her return she wanted to share her pictures with her friends and family using her Facebook account. Although she didn't have much experience with social networks, she started to change her privacy settings.

After she gave Facebook access to her Gmail account she clicked on the invite button. Mistakenly, she thought this would help her find her friends who were already on Facebook. She said she had no idea invites would be "blasted" out to all of the people on her contacts list. "I had no clue the addresses from my Gmail account could be exported and spammed out for 'invites' to join the Facebook network," she told us.

All of the people in her Gmail account received an invitation from her to become her friend on Facebook. This included contacts working on her new writing project and colleagues linked to her other projects such as ghost writing jobs and her separate real estate business.

The result was career changing. Not only did she lose the contract, she lost touch with her business partner after their plans for the linked business development dissolved.
Follow this link to read our comment piece: It's time for social networks to tell us how our data is used
