How does Facebook do this?

[benali72]

I got an email from Facebook.  It pretends to be sent by a person you know who is on Facebook, but is actually a machine generated email.  The email asks me to join FB on behalf ot the person who "sent" it.

The email lists several other people I know who are also already on Facebook, apparently to make its case more convincing about all the people I can interact with on FB that I already know.   

Does anyone know how FB knows who to list that I know (among existing FB members)?  All I can figure is that it raids the email In and Out boxes of people, going from one to the next, scanning for emails to/from me. In other words, it follows email linkages between FB members and the target non-member.

Anyone know?

(BTW, talk about huge privacy violation...  by scanning emails it violates MY privacy even tho I've never joined FB, just by virtue of my having sent/received email to/from someone who is a FB member).

(Another BTW, how many people here know that FB received early funding from In-Q-Tel, the financial investment arm of the CIA?  Sounds rather like paranoia, doesn't it?  ....except that it's factual and is easily verified by web research.)

Thanks.

[JavaMouse]

I don't know what's going on in your case, but here are some thoughts:
1) the emails you get are spam, not sent from Facebook but some kind of phishing scam.
2) I suppose it's possible that some of your email contacts accepted Facebook's invitation to import their email address books into Facebook, and then Facebook is able to spam you since they now have your address.  If several of your friends are on Facebook and they all imported their address books, then Facebook would know this and can send you a list of people who have you as a contact.  I did not know that Facebook does this, and in fact I am skeptical that they do. I know that it is possible for me to generate an email to any of my contacts inviting them to join Facebook. I assume you've checked with your friends that they did not, in fact, invite you?
3) It's possible that a 3rd party application grabbed your friend's email contacts and used them for this nefarious purpose.  I don't know how well Facebook vets their "apps".

If none of your friends imported their address books knowingly, I see no way for Facebook to have your email address, although perhaps your friends did this unknowingly.

I have a Facebook account, but I rarely use it, and I don't see the appeal.  I have never received an email like you describe from Facebook.  Very rarely, I get a "friend invitation" in my email box from some apparently total stranger on Facebook.  This seems easy enough for anyone to do.  I believe I could prevent it by changing my settings. but I don't want to, so I haven't made an effort to block these. I've only gotten a few so it's not a nuisance.

OTOH if you are *not* a Facebook member I don't see any way to stop these emails from coming to you.  The best advice I can offer is to mark these emails as spam and hope your filter carries them away transparently into your trash.

It does strike me as an invasion of privacy for a legit company to send emails to addresses of non-members.  So blech.  But again I have doubts that they are actually doing this.

The CIA angle is interesting, but I just don't feel concerned, as long as what they're doing is "legal".  They are welcome to look at any of the public stuff on my Facebook page. It will induce a huge yawn.  They probably already know all the private stuff, too.

[The Gorn]

Does anyone know how FB knows who to list that I know (among existing FB members)?  All I can figure is that it raids the email In and Out boxes of people, going from one to the next, scanning for emails to/from me. In other words, it follows email linkages between FB members and the target non-member.

Yes, that's exactly how it works.  I have gotten similar spam in the form of LinkedIn invitations from a few individuals that I am not on speaking terms with. Apparently they used some app that scans their Outlook or Yahoo account and fires off invitations to anyone it finds.

The twist with Facebook is that there is probably some application in it (a third party thing) that the user can give permission to, to mass email everyone that it finds.

If there are several people that you know in this message, then it is probably not phishing, it's probably an aggressive "invitation bot".

Solution, not give anyone your email address.

[John Masterson]

Yes, Facebook has a button that, as a FB user, you click it to let it scan your email folder if you want to "invite your friends".

[benali72]

Thanks for the feedback.  Been doing some further research, and it's confirmed exactly what G0ddard and John say (you guys are good!!)

Guess I should have researched more before I posted this question, because I found the exact same question posted at DSL Reports -- http://www.dslreports.com/forum/r23736708-Facebook-invitation-how-did-they-do-this.

What's unnerving here is that this is an email address I've kept very private and spam-free, and have only used in email to good friends... and here one of them has apparently compromised it to FB on my behalf without asking. 

I found this FB page where you can request your email be deleted from their database of non-FB users -- http://www.facebook.com/help/?faq=15320

But frankly I don't trust these people to delete anything -- their reputation for allowing their users to "delete their information" (in FB's exact words), which then they actually keep while they just inactivate the account, has been widely verified.

(Sorry I don't mean to offend anyone who may be a happy FB user by this blunt negative opinion. If you're happy with FB, cool, I don't mean to offend, this is just my own personal feeling).

[The Gorn]

Offend away. IMO Facebook is a frikkin' cult. 

Ok, KIDDING! Not.

As noted, LinkedIn has tools to do this, too. I think every social networking site has some variation of this. I have been bombarded by something called "Plaxo" because someone I linked to on LinkedIn signed up for Plaxo.

Like you, I have a "very private" email address that I only use when emailing individuals and I never use for signup on web sites. One or more geniuses have, over the years, released this address into the wild.

So what can you do? You have to email people. I see no solution...

[Carrie Cobol]

I use FB to touch bases with friends, but it has glaring issues that bug most people I know:

* If you want to use an app, you MUST click a button to allow it to access the information FB has on you, which includes your all of your FB friends' info.  No click on this, no access app.

*  They periodically add new security settings to the site.  Seems about every 6 months or so.  The offensive thing about this is that the new security "features" are always defaulted to wide open, or whatever benefits FB or it's advertisers more.  You have to either participate on their new features forum to know that these things have been enabled so you can go turn them off, or have friends who post announcements about them so you can go turn them off.  If you don't keep an eye on your profile security settings, you'll be exposed to quite a shocking array of vulnerabilities.  Some of them you have no idea about, either because the checkbox labels are very brief.  I sort of depend on friends to post messages saying things like "you want to turn this OFF because it allows..."

[John Masterson]

I think FB is simply the mirror reflection of human social behavior, carried out by average Joes with NO understanding of the Internet security issues involved.

Humans on Earth will be muddling through this new Information/Networked/iPhone Age in the next decades, and both bad and very much good will come out of it, I am sure.

[benali72]

Here's another nice thing your FB "friends" can do for to you  -- http://redtape.msnbc.com/2010/08/facebook-places-we-are-each-others-big-brothers.html.

For simple infographic to understand FB's privacy settings, here it is -- http://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html.   These guys change their privacy settings as often as most people change their underwear.

[Richardk]

What's unnerving here is that this is an email address I've kept very private and spam-free, and have only used in email to good friends... and here one of them has apparently compromised it to FB on my behalf without asking. 

"Very private"? You used it to email your "good friends" and they know that you'd be OK sharing with FB. You're not one of those on the outside, are you?

The short of it is it's an email address and they either wanted to share with you or FB sucked it out of their system so it could inform 'all' that they are on FB now and that you should be too.

It's good to have multiple email addresses but once used, it's only a matter of time before it exceeds it's initial intent.

[benali72]

Right you are, Richard!