Facebook vs. Your Phone Number & Address

By Jacqui Cheng

17 January 2011 - If you you aren't already paranoid enough to remove your address and cell phone number from Facebook, today might be the day. Facebook has decided to give its third-party app developers API access to users' address and phone numbers as they collectively get more involved in the mobile space, but privacy experts are already warning that such a move could put Facebook users at risk.

In its Developer Blog post, Facebook noted that developers will only be able to access an individual user's address and phone number—not the info of his or her friends. Additionally, those who want to be able to use that data will have to be individually approved by the users themselves, and those developers must take special care to adhere to Facebook's Platform Policies, which forbid them from misleading or spamming users.

Despite Facebook's reassurance that users will have the final say in who gets the info and who doesn't, it didn't take long for observers to point out that it will be easy for shady developers to get in on the action. Security research firm Sophos wrote on its blog that rogue Facebook app developers already manage to trick users into giving them access to personal data, and this move will only make things more dangerous.

"You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies," Sophos senior technology consultant Graham Cluley wrote. "The ability to access users' home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users' profiles."

Cluley has a point. Just because app developers agree to follow Facebook's terms doesn't mean that they actually do, and many aren't caught until it's too late. We learned that much just a few months ago when a number of top Facebook apps were found to be collecting and selling user data against Facebook's rules. Facebook ended up suspending those developers for six months, but by that time, the deed was already done.

Imagine if your home address and phone number, or those of your friends and family, were included in that data—does it really matter if developers who use it inappropriately are suspended after the fact? All I know is that I got rid of my cell number on Facebook after an old high school friend used it as part of some creepy "business opportunity" ploy (see, you can't even trust the people you trust). And after this latest developer policy change, I definitely won't be adding it back.