How Facebook knows you’re a therapist – and who your clients are

Matthew Henry / Burst / Licensed under Creative Commons ZeroTherapists and counselors have been expressing concern for some time now that Facebook can “out” their clients to other clients, even when the therapist or counselor has not done anything to facilitate the connection. It can happen even when the therapist or counselor doesn’t use Facebook. Thanks to some good reporting by Gizmodo Media, we now have a better understanding of how that happens. We also now know just how little you can do to stop it.

The whole article “How Facebook figures out everyone you’ve ever met” is really worth your time. Here, I’ll just share some of the pieces most relevant to counselors, therapists, and other mental health professionals. For us, if even just a few of your clients use Facebook, the likelihood of keeping all your therapeutic relationships truly confidential is near zero.

Information about you is not yours

Even if you never gave Facebook your work email or phone number, it only takes one person, anywhere, giving it to Facebook for them to be able to associate that information with you. If a single former client had you as a contact in their phone, and shared their contacts with Facebook, the company knows your professional contact information.

What the company collects is not limited to names, phone numbers, and email addresses. They collect (quoting the Gizmodo piece, emphasis mine) “names and any nicknames; contact photo; phone numbers and other contact or related information you may have added like relation or profession; as well as data on your phone about those contacts.” That is, potentially, a ton of information. And again, this is information that is gathered about you, even when it is not gathered from you.

If someone has granted Facebook access to their contacts, including information about you, Facebook views that information as the property of that individual — and not yours. So the only way to have Facebook delete that data about you is to figure out who uploaded your info, and get every person who did so to go through the process of deleting it from Facebook. Given how long the company has been collecting data, and the number of clients you may have had in that time who uploaded their contacts, for most people it would be all but impossible to actually track down all of those people and have your data truly wiped.

That is, of course, the idea. In the words of the Gizmodo article, “That accumulation of [your] contact data from hundreds of people [you have known] means that Facebook probably knows every address you’ve ever lived at, every email address you’ve ever used, every landline and cell phone number you’ve ever been associated with, all of your nicknames, any social network profiles associated with you, all your former instant message accounts, and anything else someone might have added about you to their phone book.” And again, you don’t own this data, so you can’t simply delete it on your own.

Again quoting the article, emphasis mine: “With its vast, hidden black book, Facebook can go beyond simply matching you directly with someone else who has your contact information. The network can do contact chaining — if two different people both have an email address or phone number for you in their contact information, that indicates that they could possibly know each other, too. It doesn’t even have to be an address or phone number that you personally told Facebook about. This is how a psychiatrist’s patients were recommended to one another” on the network’s People You May Know feature.

So if you are a counselor or therapist, Facebook almost certainly knows that. This remains true even if you never shared that information or your work contact information; someone else probably did. And if two or more of your clients both have you as a contact, there is at least some likelihood that they will show up as potential connections for each other.

It should be noted that Facebook isn’t trying to specifically violate client confidentiality. Even if they were, protecting client confidentiality isn’t their job — it’s ours. Facebook also is by no means the only social media company that collects contact data and attempts to use it in this way. (LinkedIn, for example, routinely asks for access to your email inbox to gather contact information.) But when their algorithms know what you do and who contacts you, how can you keep therapeutic relationships truly private?

Protecting confidentiality in the Facebook age

There may not be a lot you can do to protect client confidentiality here, but there are some reasonable steps to take.

  1. Inform clients of the risks. Simply put, many people don’t realize just how much information they are giving away to Facebook — or how much information about them the company already has. Clients may benefit from being informed at the beginning of therapy that social media represents a new limitation to their confidentiality, rather than having it come up as an unpleasant discovery in the middle of treatment.
  2. Inform clients of the limits of your role. In other words, make sure that your clients know that if they show up as “People you may know” on another client’s profile, it isn’t because you shared their data with Facebook. (This assumes, of course, that you truly aren’t sharing client data with Facebook. More on that below.) The company’s algorithms may attempt to connect a client with other clients simply because both of them have you as a contact.
  3. Discourage clients from adding you as a contact in their phone. This can be a challenge when some software automatically creates contacts for people the user calls or emails often. But that setting can typically be changed, and of course, clients can revoke access to their contacts. (Yes, Facebook asks users to grant access to their contacts not just on a one-time basis but on an ongoing basis.)
  4. Don’t allow Facebook access to your own contacts if any clients are included there. Again, contacts may be created automatically for those you call or email regularly. So clients may be included in your contact list even if you didn’t actively create the contact. This is certainly one argument for having a cell phone specific to your practice, that is not connected with any social media applications. If you do have client information in the contacts on your phone, and have granted Facebook access to the contacts on that phone, best to turn that off.

As usual, bear in mind that I’m a clinician, not a lawyer. It would be worth talking this all over with an attorney if you’re concerned that you’ve been accidentally outing clients or otherwise sharing their information. I’m just offering what appears to be some common-sense clinical guidance. Don’t take it as legal or ethical advice.

And do go read the whole Gizmodo article. It’s incredibly informative, and a little terrifying.

[Ed. note, May 2018: Thinking about just abandoning Facebook? It doesn’t appear to do much good. The company will still know who you are and what you do, and still be able to connect clients with each other. We covered that in a more recent post.]