Facebook Uses 2FA Contact Info for Targeted Ads

Credit: Facebook

Two-factor authentication is a must. People use weak passwords, companies fail to properly secure user information, and patient hackers can rely on sophisticated tools to crack many passwords if the proper countermeasures aren't in place. But it turns out Facebook also uses the system for ad targeting.

Northeastern University's Giridhari Venkatadri, Alan Mislove, and Piotr Sapiezynski published a paper in collaboration with Princeton University's Elena Lucherini revealing that Facebook gathers more information than many of its users think. That includes using the phone numbers people use to enable two-factor authentication, which means attempting to secure a Facebook account will actually expose more data to advertisers.

This data sharing isn't disclosed when people enable two-factor authentication on their Facebook accounts. Gizmodo's Kashmir Hill said that when she asked over a year ago whether Facebook uses what she calls "shadow contact information" for ad targeting, a spokesperson denied using this data. The company didn't merely hide this practice from its users; it also lied to a reporter who suspected everything wasn't on the up-and-up.

Facebook recently told Hill that people who don't want their phone number to be shared with advertisers should use app-based two-factor authentication. But that option was only added four months ago--before then people had to use their phone numbers to secure their accounts. Sharing those phone numbers with advertisers with neither warning nor consent effectively punished those who care most about their security.

That wasn't the only revelation from this paper. The researchers also revealed that Facebook lets advertisers use contact information for ad targeting even if the phone number, email, or what-have-you was collected from someone else's address book. There's no way for affected users to know their information was shared in this way.

There is a reasonable expectation that any information someone decides to share with Facebook will be given to advertisers. By now everyone should understand the company's business model, so filling out the "About" section on a profile or voluntarily sharing contact information obviously exposes that data to other companies. These revelations differ, however, in that Facebook is peddling data nobody voluntarily shared.

Entering a phone number to enable two-factor authentication isn't the same as sharing an address book with Facebook. And having contact information connected to an account simply because someone else who did share their address book has that data penalizes users with active social lives. Forcing people to choose between their privacy on one side and their security and social lives on the other isn't reasonable. It's flat-out bonkers.

5 comments
  • derekullo
    Facebook also monitors and tracks a user's soul and assigns each soul a SOULid.

    This is different from the id assigned to the physical body, the PBODYid.

    The benefits of SOULid include;

    1. The ability to continue tracking a user after the brain has been transplanted into another body (Do note that a new PBODYid will be generated)

    2. The ability to track a user into the afterlife (an "Angel" gave clearance for this)

    3. A SOULid never expires and by definition is impossible to erase.


    Suddenly "Facebook Uses 2FA Contact Info for Targeted Ads" feels less invasive.
  • rantoc
    If someone who cares about their privacy and still uses Facebook is shocked at this, it might be a great time for a psych eval!
  • termathor
    "By now everyone should understand the company's business model"

    Well, it's been years everyone with half a brain could have understood:
    - burning electricity/cooling + buying shittons of systems to run a free service doesn't constitute a valid business model (at least not one which is not going into the wall)
    - as a consequence, something has to be put in the revenue column, and apart from users private data + advertising, there's really nothing else in sight

    Then, every time some smart ars is discovering something fishy/scandalous (Cambridge-Analytica, this, the next thing with medical record or bank account access, etc ...), the folks are happily moving in damage control mode, et voila.
    You have your business model !

    I really need to be more cynical in order to just do that and become a billionaire !