Over-friendly
Updated 

Facebook is using your phone’s location to suggest new friends—which could be a privacy disaster

Erendira Mancias/FUSION

Update (June 28): After twice confirming it used location to suggest new friends, Facebook now says it doesn’t currently use “location data, such as device location and location information you add to your profile, to suggest people you may know.” The company says it ran a brief test using location last year. New story here.

Facebook’s ability to discern with creepy accuracy the “people we may know” has surprised, delighted, and horrified its users for years. While the magic sauce behind friend suggestions has always been a bit mysterious, it now includes some potentially unsettling information. Thanks to tracking the location of users’ smartphones, the social network may suggest you friend people you’ve shared a GPS data point with, meaning your friend suggestions could include someone whose face you know, but whose name you didn’t until Facebook offered it up to you.

Last week, I met a man who suspected Facebook had tracked his location to figure out who he was meeting with. He was a dad who had recently attended a gathering for suicidal teens. The next morning, he told me, he opened Facebook to find that one of the anonymous parents at the gathering popped up as a “person you may know.”

The two parents hadn’t exchanged contact information (one way Facebook suggests friends is to look at your phone contacts). The only connection the two appeared to have was being in the same place at the same time, and thus their smartphones being in the same room. The man immediately checked the privacy settings on his phone and saw that Facebook “always” had access to his location. He immediately changed it to “never.” (He also did not want to reveal his identity for this story.)

It turns out his suspicions were correct.

People You May Know are people on Facebook that you might know,” a Facebook spokesperson said. “We show you people based on mutual friends, work and education information, networks you’re part of, contacts you’ve imported and many other factors.”

One of those factors is smartphone location. A Facebook spokesperson said though that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks.

“Location information by itself doesn’t indicate that two people might be friends,” said the Facebook spokesperson. “That’s why location is only one of the factors we use to suggest people you may know.”

Facebook has gotten more aggressive in its use of smartphone location data in the last year, tracking which stores you go to in order to tell advertisers if their online ads worked and letting advertisers use your phone’s location to geotarget you with ads. But until now, most people didn’t realize that Facebook was also tracking their phone’s location to suggest friends to them.

The implications of this are far-reaching. There are situations in which this could be incredibly useful. It means you could finally become Facebook friends with “Karen” from yoga class. Or if you meet awesome new people at a party, but forget to exchange numbers, last names, or Snapchat handles, Facebook could make new friendships happen by surfacing those party-goers to you. Great! Those are best case scenarios.

But there are plenty of scenarios in which Facebook casually connecting you with people because your phones were in the same place at the same time could end disastrously. Imagine going to an Alcoholics Anonymous meeting, and then getting “Friend” suggestions the next day for members of the group along with their full names and profile information. Or getting hit on at the bar by a guy that gives you the creeps, giving him the cold shoulder and no information about yourself, but later getting a ‘Friend Request’ from him. Or visiting an abortion clinic and discovering that one of the abortion protestors outside was offered up your identity by Facebook.

Last year, Motherboard asked how Facebook was figuring out who people were going out on Tinder dates with. The report was ultimately inconclusive as experts said that data from Tinder doesn’t flow back to Facebook, but it may well have been location-based.

“Using location data this way is dangerous,” said Woodrow Hartzog, a law professor at Samford University, via email. “People need to keep their visits to places like doctor’s offices, rehab, and support centers discreet. Once Facebook users realize that the ‘People You May Know’ are the ‘People That Go To the Same Places You Do,’ this feature will inevitably start outing people’s intimate information without their knowledge.”

Most Facebook users who have the app on their phone with location access granted likely don’t realize this could happen. It’s not mentioned on Facebook’s help page about how “People You May Know” works.

“This is the kind of thing that people should be given explicit and multiple warnings about,” said Hartzog. “They should also be asked to affirmatively turn on the feature before their whereabouts are used to get them friends. Geolocation data is far more sensitive than most of the kinds of information people probably assume are used to suggest friends, such as alma mater and mutual friends.”

For now, if it’s troubling to you, the way you can prevent it is to turn off Facebook’s access to your location. It’s in your phone’s privacy settings.

The setting if you want to deprive Facebook of the ability to monetize your movements

The setting if you want to deprive Facebook of the ability to track your movements

* Updated to add additional comment from Facebook.