Two-factor authentication is a must. People use weak passwords, companies fail to properly secure user information, and patient hackers can rely on sophisticated tools to crack many passwords if the proper countermeasures aren't in place. But it turns out Facebook also uses the system for ad targeting.
Northeastern University's Giridhari Venkatadri, Alan Mislove, and Piotr Sapiezynski published a paper in collaboration with Princeton University's Elena Lucherini revealing that Facebook gathers more information than many of its users think. That includes using the phone numbers people use to enable two-factor authentication, which means attempting to secure a Facebook account will actually expose more data to advertisers.
This data sharing isn't disclosed when people enable two-factor authentication on their Facebook accounts. Gizmodo's Kashmir Hill said that when she asked over a year ago whether Facebook uses what she calls "shadow contact information" for ad targeting, a spokesperson denied using this data. The company didn't merely hide this practice from its users; it also lied to a reporter who suspected everything wasn't on the up-and-up.
Facebook recently told Hill that people who don't want their phone number to be shared with advertisers should use app-based two-factor authentication. But that option was only added four months ago; before then, people had to use their phone numbers to secure their accounts. Sharing those phone numbers with advertisers with neither warning nor consent effectively punished those who care most about their security.
That wasn't the only revelation from this paper. The researchers also revealed that Facebook lets advertisers use contact information for ad targeting even if the phone number, email, or what-have-you was collected from someone else's address book. There's no way for affected users to know their information was shared in this way.
There is a reasonable expectation that any information someone decides to share with Facebook will be given to advertisers. By now everyone should understand the company's business model, so filling out the "About" section on a profile or voluntarily sharing contact information obviously exposes that data to other companies. These revelations differ, however, in that Facebook is peddling data nobody voluntarily shared.
Entering a phone number to enable two-factor authentication isn't the same as sharing an address book with Facebook. And having contact information connected to an account simply because someone else who did share their address book has that data penalizes users with active social lives. Forcing people to choose between their privacy on one hand and their security and social lives on the other isn't reasonable. It's flat-out bonkers.