“Who can look me up” on Facebook?

Old 3 Comments on “Who can look me up” on Facebook? 54

Facebook, apparently, don’t consider “confusing” privacy settings to be a security issue.

I beg to differ. Yes, I may be naive, and yes, I probably failed to delve deep enough into the minutia of the privacy settings (such as they are in their latest incarnation), but nevertheless there must be more like me among the billion plus active users.

So what’s the rub?

I recently discovered – entirely by accident – that setting your email address and phone number to be viewable to “only me” in the Facebook privacy settings does not actually prevent people from associating those “private” details with your Facebook account.

It transpires that anyone plugging your phone number or email address into the Facebook search may be presented with your profile – despite your electing to keep those details “private”.

Considering this to be a potential security issue, I reported my discovery to Facebook. A helpful Facebook support representative fired an email back stating: “I appreciate you sending this our way, but I don’t believe this is a security issue.”

Say what? The ability of strangers to access information I explicitly requested be kept private is not a security issue? How so? Luckily, the helpful chap elaborated thus:

“The ability to look up friends based on email or phone number is adjusted by a setting called “Who can look me up.” Please see the screenshot below: http://i.imgur.com/Gpum6gA.png

Well, that’s a tad confusing, is it not? Or, perhaps I’m just being dumb. Well, no dumber than the average bear, according to the helpful support rep:

“It can be a bit confusing since there’s the ‘Who can look me up’ setting and the visibility of the email itself as a separate privacy setting.”

Well, that boosted my waning self esteem – even the giant brains employed at Facebook towers can see the potential for the privacy settings to confuse us mere users.

Now I’m left pondering how, given that a privacy setting is known by Facebook to be ambiguous and liable to confuse dumb users like myself, this is not a security issue.

If users are opting to protect their phone numbers and email addresses from public availability by setting their visibility to “only me” is it not reasonable for those users to assume that those details would indeed be kept private in the broader sense of the term “visibility”?

I assumed in my lack of wisdom that “visibility” applied both explicitly and implicitly. I believed that the data would be invisible to search engines and Facebook APIs. Little did I know that Facebook’s definition of “visible” applies simply to the ability of eyeballs to view a presentation of the data on the profile page itself.

We live, we learn.


Dan Bright

I'm a 40yr old History graduate, running my own web and software development business (Zaziork Web Solutions). My web development and programming skills are entirely self-taught. I have over a decade of experience in website design, having built and run websites for local non-profit organisations, and have been working in the field professionally since 2011. I'm currently focused on building web applications using Python 3 and the Django framework. I'm also studying Java and Android, with a view to adding Android app development to my services in the near future.

Related Articles


  1. Katy Pillman August 12, 2014 at 3:49 am

    Don’t google this guy’s name. Bad results are shown.

    • Dan Bright August 12, 2014 at 4:24 am

      “Bad results” are shown on Google for whose name? Mine?!
      Take it you’re being funny vis-a-vis the subject of the post?

  2. Dan Bright August 12, 2014 at 6:46 am

    I assure you that if you find ‘bad results’ relating to my name, that’s not the ‘Dan Bright’ you were looking for! (I say that without needing to rely on my mastery of Jedi mind control).

    Check out my profile on here for links to my LinkedIn and business website (don’t want to spam the comments with them here!) – I’ll have you know that I’m a fine, upstanding member of Geekdom (more so since I purchased my “standing desk”!).

    In regard to my post about Facebook privacy and security, I understand why my point may appear ‘paranoid’ on the face of it. However, the implications of this issue may actually have real-world consequences, in terms of criminal cyber scams, and cyber-stalking/bullying, to name but two.

    I can imagine criminal enterprises using algorithms to plug phone numbers and email addresses into Facebook search in order to link these to profiles. Even if the unsuspecting owner of the linked data believed they’d locked down their Facebook account tighter than a camel’s arse in a sandstorm, the evil perpetrator of this cunning plan would now have their name, phone number and/or email, and probably their profile picture, at the very least. That might not seem a lot, but nevertheless it’s all pieces of a ‘profile jigsaw’.

    There are very good reasons why people would not wish these contact details to be publicly accessible, and so by setting these to be viewable by “only me” they’re indicating they wish to keep them private.

    Yes, if they’d clicked on “Privacy shortcuts > See More Settings > Privacy > Who can look me up?” these details could be removed from search. But that’s besides the point (well, my point, anyway).

    My post was attempting to highlight how layers of ambiguous and in some senses contradictory privacy settings can actually pose a threat to a the security of a user’s data.

    Real user’s actual behaviour should be placed at the heart of a good privacy policy, with due regard paid to the apparent intent of the user.

    Personal data should be private by default in my view (although that would appear antithetical to Mr Zuckerberg’s grand vision!), and if granular settings are necessary then potentially contradictory choices should be flagged up to the user.

    By choosing to keep details private at the point where they submit those details, the user is surely implying that they desire those details to remain, well, private.

    I doubt that many expect that some additional setting hidden away in a sub-menu would modify their expressed intention to keep details private, to “Don’t show to my friends but do allow scammers, stalkers, bullies and other miscreants to find me on Facebook.”

Leave a comment

Back to Top