When Wake Forest grad student Kristal McKenzie, 33, was pregnant a few years ago, she decided it was time to abandon Facebook. “I’m concerned about online privacy, and was tired of keeping up with Facebook’s privacy settings changes,” she says. “And with a baby coming, I wanted to focus on the people in my real life.” However, last summer, she got an email welcoming her back to Facebook. There were two strange things about it: it was in Spanish and it was addressed to Katya.
Obviously someone had signed up for Facebook with the wrong email address. McKenzie installed a Google Chrome translation add-on so she could read the email. “I clicked the option in the welcome email to say it was not mine and Facebook’s website said I would be disassociated from it. Great!” she says. But that’s not what happened. Instead, she started getting regular Facebook messages intended for Katya, who appeared to be a teen girl living in Mexico. She got updates when Katya’s friends massacred baby cows in Farmville, every time Katya got poked, and whenever Katya had friend requests. Most disturbingly from a privacy perspective, she got copies of private messages sent to Katya through Facebook. “Love and miss you. I want to give this hug :33,” reads one. Over 9 months, McKenzie received over 14,000 messages intended for the teen girl.
“Each message has an option to unsubscribe from those notifications, but since Facebook thinks I’m not on the account, it won’t let me unsubscribe from those,” she says. McKenzie tried to create a new Facebook account with her email address hoping that would work, but then she just wound up getting notifications for both accounts. She was unable to sign into Katya’s account; her email address did appear to be disassociated from it though she was still receiving messages for it. She contacted Facebook’s abuse and PR departments by email but got nothing back. She saw at least one other person complaining about the same problem on a Facebook help forum, but when she tried to post about it, her post was marked “abusive.” She reached out to the FCC and to a kids’ privacy organization that works with Facebook; the latter told her they would pass the message along to Facebook. Still nothing.
As for Katya herself, she has taken privacy measures around her account: you can’t write on her wall or send her a private message unless you’re friends with her. McKenzie and I both tried to reach her through a friend but failed. She has also mistakenly signed up for other accounts with McKenzie’s email address, such as Skype and AskFm; McKenzie was able to unsubscribe from those accounts.
Luckily, Facebook does pay attention to my emails to them. A Facebook spokesperson told me their security team stopped the emails being sent to McKenzie.
“When we looked at what happened, we found that in extremely rare circumstances, the link at the bottom of emails that people use to report messages that aren’t addressed to them wasn’t working correctly,” says a Facebook spokesperson. “This could have occurred only in the situation where someone registered their Facebook account with a mistyped email address, didn’t confirm it, and then successfully confirmed a contact phone number. We are fixing this to ensure it can’t happen again.”
It sounds like a very weird and unusual fluke. What still bothers McKenzie is how hard it was to tell Facebook it happened.
“The tech companies assure us they’re concerned about privacy yet there was no way for me to notify Facebook about this,” says McKenzie. “She’s a teenager. I didn’t want to be privy to what’s going on in her life.”