Spooky Facebook requests phone number and recommends friends

At work we have a lot of clients that we "Like" on Facebook to help them with their social media profiles. Some of these clients I'm personally interested in and others not so much. My news feed is becoming very cluttered as a consequence.  A colleague suggested setting up a second Facebook profile that can be used for professional purposes. This appeals to me as I don't particularly want to share my "Child vomited on shoulder" stories with colleagues and business associates. I also want to start messing around with promoting this blog a bit more to further my knowledge within the work environment.

So I set about setting up a new profile, with a more professional photograph, using my work email address.

I was surprised to find that Facebook wanted my mobile phone number in order for me to continue with my registration. Not only that but I was warned that I could only register this number with one account. I was pretty sure that back in 2007 when I first signed up to Facebook this wasn't a requirement so I wasn't concerned that my mobile number was already registered. But I was concerned that I might need to associate this number with my primary account at some time. And of course, I was a bit worried about what they might do with the number once they have it. Concern Number One. I hesitated.

Then the Social Media expert in the office assured me they only wanted it for the creation of the account and that I could change it later. Cool. I continued.

I then received a text message with a code I was required to submit in order to continue my account creation. This I did, then made sure that Facebook wasn't going to send me any SMS messages or give out my number.

The next page blew me away.

I was asked to select friends from a list which included a mixture of good friends, an old uni friend, ex-colleagues, my dad, girls I knew in pregnancy yoga over three years ago, my husband's aunt, and a friend of a friend I haven't seen for years.

It was an eclectic list to say the least. Some of them I am already friends with, using my primary account, others I'm not, although we do have one mutual Facebook friend. I do know all of them. How does Facebook know this? Concern Number Two.

Whilst pondering this aloud the aforementioned Social Media expert (affectionately and hereafter referred to as Salmon) muttered something about Facebook being able to access my iPhone SMS database. Eh what? Say again? Concern Number Three.

"Oh yes," said the all-knowing Salmon. "If you have the Facebook app on your phone, and you have given Facebook your phone number then they can access your message bank. They got into trouble for not disclosing it. Google it."

And how come you didn't think to mention this earlier oh wise Salmon? Anyway I did. Google it.

And I found this. To summarise for those who can't be bothered to click on the link, Facebook login credentials are not encrypted within the mobile apps and as such can be exploited by a rogue app, or anyone with a USB connection to your phone. The developer who discovered this found a Facebook access token inside a game app. He copied the token and using Facebook Query Language managed to pull any information he desired from his Facebook account. I urge you to follow the link and read the article. What happened next almost beggars belief. Concern Number Four.

I also found a link to an article regarding the eavesdropping on text messages. The article only references Android phones and Facebook denied it. But still. By now I'm getting rather concerned. And totally spooked.

How did Facebook know that I knew those people? All I had told it was my work email address, my phone number, my name (minus my married name) and my date of birth. These are not generally people I have emailed from work. I couldn't see any way it could have linked me to my primary account or to any of those people. I started to get concerned that it had read my phone Contacts list but not all of the suggestions were in there. It was like magic! A dark and scary magic.

Here's my current theory. We use GMail for email at work and I have my Google accounts set up so that I can log in to both my work and personal accounts within the same browser session. (This is an excellent feature which is really useful for GMail but then falls apart when you want to use some Google apps, such as Documents.) So Google knows both my work email address and my personal email address and that they both belong to the same person. As we've already established Facebook knows my work email address. Well, my primary Facebook account has my personal GMail account as a secondary email. Could this be how Facebook knows I probably know those people? Could it be looking at my personal GMail contacts and then seeing if any of them are on Facebook, and then suggesting either them, or their friends? Or could it be that because I have emailed myself from work it is suggesting my own primary Facebook account's friends and their friends? It seems convoluted but I'm otherwise stuck for an explanation. Let me know in the comments if you have any ideas.

Meanwhile, I think I will sack the whole idea of a second account and I'm rethinking heavily how I use my primary one.