Is Facebook subject to breach notification laws for revealing phone numbers?

Security warning: If you don’t intend to share your phone number on Facebook, ask a friend to check their Phonebook and see if it’s there.  And it’s a good time to check your privacy settings — my brother Greg has instructions on The Happy Accident.

Update, October 7: See the Twitter discussion in the first comment.

In Is your private phone number on Facebook? Probably. And so are your friends’, Charles Arthur describes an ongoing Facebook security hole: when people use the iPhone or Android Facebook app, all of their contacts’ phone numbers are uploaded to Facebook, and made available in the Phonebook.  What this means is that if you and I are friends on Facebook, I may well be able to see your phone number no matter whether or not you have ever shared it.


Klaus Van Moos first wrote about this in Privacy Fail in February.  Since then, Facebook has revised their privacy policy and more recently introduced a warning in the application.  But it only warns the person uploading the information — not the person whose phone number is being shared without their consent.  And their corporate response when Charles contacted them is so dismissive it doesn’t even tell people how to prevent this from happening:

Facebook is a free service and something that many people find adds value to their day-to-day lives.  As with any service, users do need to invest some time in order to use it properly and we encourage people to use their privacy settings to do this and to access the Help Centre for support.

From a security perspective, this sure looks like a data breach to me.  Phone numbers are universally regarded as personally identifying information, and Facebook is allowing access to unauthorized users.   There are plenty of good examples in the comments on The Guardian.

From a legal perspective … I don’t know.  California has a mandatory data breach notification law that requires consumers to be notified when their personal information is breached.  Just this week Governor Schwarzenegger once again vetoed legislation that would strengthen it, but even so, to me as a non-lawyer, this seems like the kind of thing the original law’s designed to cover.

Any thoughts from people who know more than I do about the law?


PS: Of course Facebook operates in other countries as well.  How do Germany and Canada, and other countries’ data protection laws treat sharing people’s private phone numbers without their consent?

Facebook graphic from AJC1’s flickr site, licensed under Creative Commons