Brandon Copley, a mobile developer from Dallas, Texas, has compiled a database of 2.5 million Facebook users’ personal phone numbers using nothing but Facebook Graph Search. Even though Facebook agrees with him that the users left the information public, it has slapped him with a cease-and-desist notice after he continued to scrape the data.
The whole privacy row started when Copley sent a tip to Facebook on March 5 pointing out the security flaw. A Facebook security team member wrote back saying:
“I agree with you personally. We do have anti-scraping protections (rate limiting, bad IP blocks, etc.), but it comes down to the people controlling their privacy. We can make the privacy tools available, and we can encourage them to use them, but we could never just switch their privacy settings for them. So there is not much more we can do.”
Copley confirmed that these users have their account information set to public but went on to gather 2.5 million users’ phone numbers to show how that could still be a security flaw. Copley explained his actions to TechCrunch in a report:
“Facebook is denying its users the right to privacy by allowing our phone numbers to be publicly searchable as the default setting. This means that anyone with my number knows my Facebook contact information. I may not have told my future employer about my Facebook account, but if I called them on my cell phone they can now know how to find me on Facebook.”
Copley’s Facebook account was banned several times during March and early April. Facebook’s lawyers have now demanded that Copley hand over the information he acquired and the method used to acquire it. Facebook admitted to a bug that leaked the contact information of 6 million users, but believes that it is unrelated to Copley’s case, which Facebook does not believe to be a flaw. Even though Copley is determined to pressure Facebook on this privacy issue, it is not clear whether Facebook will pursue litigation against him.