Facebook leaves phone numbers visible to all, but boots user who scraped them


A mobile app developer in pursuit of a thief found his suspect, but his dragnet also easily gathered 2.5 million Facebook user phone numbers that were plainly visible to the public. After he alerted Facebook to the "discovery," the social network closed his account.

The developer, Brandon Copley, said he wanted Facebook users all to know what many may not be aware of: If a user lists a phone number in the Account Settings area on Facebook, or submits a phone number to get Facebook text alerts, the default visibility setting for that phone number is "everyone." It's up to users to change the setting.

Facebook doesn't dispute this. "By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number," Frederic Wolens of Facebook told NBC News Tuesday. "You can modify these settings at any time from the Privacy Settings page."

But what got Copley kicked off the site was scraping these publicly available numbers. In banning him, Facebook said he violated Facebook's terms of service by "accessing Facebook through automated means and stealing Facebook access tokens in order to scrape data from Facebook’s site without permission."

It all started in the spring, when Copley, who lives in Dallas, attempted to track down a man suspected of stealing his laptop, and selling it on Craigslist.

Copley used reverse-lookup phone information to help locate the man via a phone number, but couldn't find any information. But after trying Facebook's Graph Search feature, and devising a simple script that could throw lots of phone numbers at the system, saving any names that came up as a result, he was able to find a Facebook user tied to the suspected thief's phone number. He turned that information over to the police.

In his search, Copley amassed a collection of 2.5 million Facebook user names and phone numbers. As the ease of the process came as a bit of a shock, Copley thought he should tell someone.

"There is a security invulnerability that allows someone to essentially create a database of phone numbers and Facebook users," he said in an email to Facebook's security team.

The response from Facebook via email: "Facebook has privacy controls around who you can share your phone number with," so there is "no security vulnerability here, even though it does seem like one at first glance."

Copley didn't let up, writing back that "the problem here though is that someone could spam Facebook and create an application that searches through to find everyone's phone number ever on Facebook. That seems dangerous to me."

But Facebook reiterated that it is up to users to choose the settings they want for phone number exposure. Then they booted Copley for writing his scraping software.

Facebook also has banned Copley's wife and business partner from the site, as they used the same computer he did for Facebook access, he told NBC News.

Still, he has no regrets about his actions. "The average person does not know Facebook is doing this," he said.

He says he has no plans to use the Facebook phone numbers he gathered. "I was purely collecting the data to prove to Facebook how this feature is a breach of privacy."

Moral of the story: Make sure your privacy settings are locked up, set at "friends of friends" or "friends" — specifically the one that says "Who can look me up?"

Check out Technology and TODAY Tech on Facebook, and on Twitter, follow Suzanne Choney.