Facebook has been rumbled using 2FA phone numbers for ad targeting

Mark manages all aspects of editorial on MarketingTech as Editor, including reporting on the fast-paced world of digital marketing and curating the site’s network of expert industry contributions. Originally from Plymouth, Mark studied in Reading and London, eventually earning his Master's in Digital Journalism, and previously covered goings-on in the idiosyncratic world of performance marketing for PerformanceIN.


As if Facebook needed another mountain in user trust to climb this year, evidence has now emerged of it using phone numbers provided for security purposes to target unsuspecting users with ads.

The activity was uncovered by researchers from Northeastern University and Princeton, along with the tech publisher Gizmodo, following controlled trials where an ad was successfully targeted using phone numbers that had been provided for account security and, in one case, had never been explicitly provided to the social network at all.

Facebook regularly prompts users to add their phone numbers as part of an account security process known as two-factor authentication (2FA) or in order to receive alerts about new logins to a user’s account.

The researchers found that these phone numbers became targetable by advertisers “within a couple of weeks” after being entered.

It has long been suspected that Facebook uses this data for advertising. Facebook, however, has previously said that any relationship between that data and ad targeting was the result of software errors.

According to BBC News, however, the company is now saying the information is used to help “personalise” the platform.

The revelation has prompted digital rights campaigner Electronic Frontier Foundation (EFF) to call the social network “deceptive and invasive”.

“But the important message for users is: this is not a reason to turn off or avoid 2FA,” read the EFF blog post. “The problem is not with two-factor authentication. It’s not even a problem with the inherent weaknesses of SMS-based 2FA in particular.

“Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.”

However, some of the information Facebook has been using to target ads was never provided to the site by the user concerned, explicitly or otherwise. This has been dubbed “shadow information”, and includes contact details shared with the platform by another user, such as those provided for the “find friends” function.

A user whose information is being used in such a way would be powerless to control or even check its existence on the site because access to it would be in violation of the privacy of the account that had originally presented it.

"We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts," Facebook told the BBC, adding that it makes it clear that any phone numbers provided to the site could be used to drive the adverts people see.

Facebook said all users had the option to manage and delete any shared contact information but didn’t comment on how this could affect existing verification preferences.  

As Gizmodo concluded, while there are “creepier” practices at large in the ad industry, the nature of this approach is particularly troubling owing to the fact that the contact details being used are those provided by security-conscious users seeking to protect their privacy.
