
I set up a test Facebook account while doing a Facebook app that uses an e-mail address that has never been used for anything else.

Yet it keeps suggesting people I actually know.

The second account also does not have my full name (if it had my full name it'd be less weird, as my name to my knowledge is globally unique - there's only a few hundred people with my last name worldwide)

The account has not been used for anything related to me. I've never searched for anyone from it. Never given my e-mail address there...

The only thing connecting the two is that the "fake" e-mail address is a "real-user-part+something@gmail.com" address, and that I've logged in to them from the same machine.

It took less than a day before that account started getting friend requests from people I know (clearly the "TEST" instead of my surname did nothing to dissuade them)




> The only thing connecting the two is that the "fake" e-mail address is a "real-user-part+something@gmail.com" address, and that I've logged in to them from the same machine.

So, to summarize, a simple regular expression matching emails against /\+[^@]+/ and replacing with '' is some 1984-level creepiness?

Come on.
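The normalization the comment above describes, written out as an added example that is not part of the thread and not any site's actual code. It shows why a plus-tagged alias gives no separation from the primary mailbox. The function names and sample addresses are constructed, and the Gmail dot and `googlemail.com` folding goes beyond the regex quoted in the comment.

```javascript
// Added example: hypothetical helper names, constructed sample data.
const PLUS_TAG = /\+[^@]+/; // the pattern quoted in the comment above

// Reduce an address to the mailbox it is delivered to, or null if it is
// not of the form local@domain.
function canonicalMailbox(address) {
  const stripped = address.trim().toLowerCase().replace(PLUS_TAG, "");
  const at = stripped.lastIndexOf("@");
  if (at <= 0 || at === stripped.length - 1) return null;
  let local = stripped.slice(0, at);
  let domain = stripped.slice(at + 1);
  // Gmail ignores dots in the local part and treats googlemail.com
  // as the same domain.
  if (domain === "gmail.com" || domain === "googlemail.com") {
    local = local.replace(/\./g, "");
    domain = "gmail.com";
  }
  return local === "" ? null : `${local}@${domain}`;
}

// Group account ids by canonical mailbox and keep only the mailboxes
// shared by more than one account.
function linkedAccounts(accounts) {
  const byMailbox = new Map();
  for (const { id, email } of accounts) {
    const key = canonicalMailbox(email);
    if (key === null) continue; // unparseable address, cannot be linked
    if (!byMailbox.has(key)) byMailbox.set(key, []);
    byMailbox.get(key).push(id);
  }
  return new Map([...byMailbox].filter(([, ids]) => ids.length > 1));
}

// Constructed sample accounts, not real data.
const SAMPLE = [
  { id: "main", email: "Jane.Doe@gmail.com" },
  { id: "test", email: "janedoe+fbapp@gmail.com" },
  { id: "other", email: "someone@example.org" },
  { id: "bad", email: "not-an-address" },
];

for (const [mailbox, ids] of linkedAccounts(SAMPLE)) {
  console.log(`${mailbox} <- ${ids.join(", ")}`);
}
```

Because the quoted regex is applied to every domain, it also folds plus-tags at providers that do not treat `+` as an alias separator, so the grouping errs toward linking.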


The technology to do any of those is little more than a few database joins and some fuzzier matching logic like you are suggesting. What's creepy is just the extent to which they match. In the email contacts theory, for example, it's not hard to remember an email address that was in a user's contacts list and then suggest they connect when that email address is used. It's only creepy because you personally had no control over giving them the information that allows them to make that leap.


The ability to do that is not creepy. Doing it is.


> and that I've logged in to them from the same machine

Wouldn't that be a dead giveaway?


If you can't log into Facebook from a public/shared computer without them disclosing your relationships to everyone else who uses that computer, they should make that very very clear.


They absolutely use geo-ip correlations, and it is a problem.


> the "fake" e-mail address is a "real-user-part+something@gmail.com" address

If not the machine, then surely this.


Cookies? From marketing networks?

It's amazing how much the marketing networks can figure out about you, and keep track of you with a cookie.


I'm sure this is the case. They probably keep track of all the accounts that have been logged into from your computer via a cookie, and then suggest friends based on those accounts. Creepy, but understandable.


Yup, seems more likely (to me at least) than matching on an IP address.


My guess is that the same machine is a big giveaway. There's a difference between leaving a trace of your presence on a shared computer accessed by many people and a computer accessed by one or two.

However, if people you know found the account, then that's also something that Facebook uses - I've had "do you know X?" suggestions from people with whom I have no traceable connections (not in my address book, don't even know their email addresses) - turns out (when I asked one of them) that he had been looking at my profile (without friend-requesting me) a few days before.


They're probably using the IP.

What is worse is that 1. There is no way to actually delete the data. From what I can see, they only disable the account if you ask them to delete. 2. Even if you didn't give any of your data to FB, your friends/family etc can - there is simply no way to prevent this (a friend takes a picture of you at a party, tags it with your name etc)



