Facebook confirmed on Thursday that the phone numbers that its users provide for enhanced security are being used to target them with ads.
Gizmodo released a study by two U.S. universities that found the phone numbers given to Facebook for two-factor authentication (2FA) were being handed right over to advertisers.
Two-factor authentication enhances security by requiring a second step, such as entering a code sent via text message, in addition to a password to get into your account.
“These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings,” researchers said in the study. The study looked at ways advertisers can get personally identifying information (PII) from Facebook or its WhatsApp and Messenger services.
Contact lists uploaded to Facebook platforms could also be mined for personal information, unintentionally helping advertisers to target your friends.
“Most worrisome, we found that phone numbers uploaded as part of syncing contacts — that were never owned by a user and never listed on their account – were in fact used to enable PII-based advertising,” researchers said in the study.
A Facebook spokesperson was quoted by TechCrunch on Thursday saying: “We use the information people provide to offer a better, more personalized experience on Facebook, including ads.”
The study suggests that Facebook is using “shadow contact information” to make money through advertising without outright stating that’s how the information is being used.
“We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time,” the Facebook spokesperson said.
Earlier this year, Facebook said it was simply a bug that users had been getting spammed with Facebook notifications sent to the number they provided for 2FA.
“The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” Facebook then-CSO Alex Stamos wrote in a blog post at the time.
Twitter user Elizatech (@FitzTechLawIE) tweeted on September 26, 2018 how disgusted she was with the new findings: “The repurposing by Facebook of phone numbers, provided by users for SMS 2FA, to better target for advertising is utterly disgusting. I’m not easily shocked, but this…” (https://t.co/qFNgqMDFL1)
Twitter user DHH (@dhh) tweeted on September 27, 2018: “At this point I consider Facebook a criminal enterprise. Maybe not legally, but morally,” and linked to an article by daringfireball.net (https://t.co/BrZ7Yeq5Jw).
Just last year, Facebook began giving users more and more 2FA alternatives other than just having a code sent to your phone, including USB key support, as well as the ability to use third-party authenticator apps in May. If users had been aware of their information being used in this way, perhaps they would have opted for these choices rather than giving their phone numbers and contact lists for 2FA.