Facebook connects your clients, even if you don’t use Facebook

In testimony to Congress the week before last, Facebook CEO Mark Zuckerberg made a point of emphasizing that if you’re a Facebook user, you own your information. This is meant to reassure users, but it is more than a little misleading. “Your information” is what you personally have uploaded to Facebook. You do not own what other people have uploaded about you. That’s what has privacy advocates so concerned. It’s also why even therapists who don’t use Facebook should be worried about the client confidentiality risks that the company poses.

How Facebook connects people

In response to our earlier post, “How Facebook knows you’re a therapist — and who your clients are,” several commenters online and at workshops I’ve run noted that they had stopped using the platform, that they didn’t use their work phone with the Facebook app, or that they manage their privacy settings carefully. That’s all good, but Facebook will still be able to link your clients with each other. Here’s how.

The company has acknowledged that it maintains “shadow profiles” on users and non-users alike. (They don’t like and don’t use the specific term, but it captures the idea and has been used by others.) These profiles are much more than the data you have shared with Facebook about yourself. Facebook also links your identity with everything other users have shared about you.

So, let’s say that you have two clients who both use the Facebook app. Both gave the app ongoing access to their contact lists, as many users do. If your work number is in both of their contact lists, Facebook may suggest them to each other in their “People You May Know” feature. This is true even if you never shared your work number with Facebook. It’s true even if you don’t use Facebook at all. If they both associated that number with your name, Facebook could use several additional data points — again, data that other people uploaded about you, so you don’t own it and can’t delete it — to connect those clients with other people you know. And it only takes one person who has both your work number and your personal number under your name in their contact list for Facebook to start linking your work clients with people in your personal circle.
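The linkage described above can be modelled as a join over uploaded address books. The following is an added example, not code from the original post and not Facebook's actual algorithm; the uploader names, phone numbers and the "same name in one address book" matching rule are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: address books uploaded by four app users.
# The therapist owns 555-0100 (work) and 555-0199 (personal) and has
# never uploaded anything, so she does not appear as a key.
UPLOADS = {
    "client_a": [("Dr. Lee", "555-0100"), ("Mom", "555-0111")],
    "client_b": [("Lee therapy", "555-0100")],
    "cousin":   [("Dr. Lee", "555-0100"), ("Dr. Lee", "555-0199")],
    "neighbor": [("Lee", "555-0199")],
}

def merge_numbers(uploads):
    """Map each number to an identity; numbers that one uploader files
    under the same name collapse into a single identity (assumed rule)."""
    parent = {}
    def find(n):
        parent.setdefault(n, n)
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n
    for book in uploads.values():
        by_name = defaultdict(list)
        for name, number in book:
            find(number)
            by_name[name].append(number)
        for numbers in by_name.values():
            for other in numbers[1:]:
                parent[find(other)] = find(numbers[0])
    return {n: find(n) for n in list(parent)}

def linked_pairs(uploads, merge=True):
    """Pairs of uploaders who hold a number belonging to the same identity."""
    identity = merge_numbers(uploads) if merge else {}
    holders = defaultdict(set)
    for user, book in uploads.items():
        for _name, number in book:
            holders[identity.get(number, number)].add(user)
    return {frozenset(p) for users in holders.values()
            for p in combinations(sorted(users), 2)}
```

With `merge=False` the two clients are linked only through the shared work number; with merging on, the one address book that stores both numbers under the same name is enough to connect both clients to the neighbor in the personal circle.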

If quitting won’t help, what do we do?

On a policy level, there is much to be said for pushing Congress to swiftly enact privacy protections that allow you to control not just the data you have sent to Facebook, but also the data that others have sent about you. This would be a fundamental shift in how privacy is viewed, and it’s not a shift that the company seems likely to make on its own.

In our professional world, thankfully, the answer here is much simpler: Warn your clients about this risk to their confidentiality. You need to have a social media policy even if you don’t use social media yourself. Such policies can (and, we think, should) go beyond “I don’t accept friend requests from clients.” They should also cover the inherent risks that Facebook (or, really, most social media) poses to client confidentiality.