You Gave Facebook Your Phone Number for Security. They Used it for Ads

Even if you never handed over a phone number, Facebook can still get it and monetize it.

By Gennie Gebhart, Associate Director of Research, Electronic Frontier Foundation:

Add “a phone number I never gave Facebook for targeted advertising” to the list of deceptive and invasive ways Facebook makes money off your personal information. Contrary to user expectations and Facebook representatives’ own previous statements, the company has been using contact information that users explicitly provided for security purposes—or that users never provided at all—for targeted advertising.

A group of academic researchers from Northeastern University and Princeton University, along with Gizmodo reporters, have used real-world tests to demonstrate how Facebook’s latest deceptive practice works. They found that Facebook harvests user phone numbers for targeted advertising in two disturbing ways: two-factor authentication (2FA) phone numbers, and “shadow” contact information.

Two-Factor Authentication Is Not The Problem

First, when a user gives Facebook their number for security purposes—to set up 2FA, or to receive alerts about new logins to their account—that phone number can become fair game for advertisers within weeks. (This is not the first time Facebook has misused 2FA phone numbers.)

But the important message for users is: this is not a reason to turn off or avoid 2FA. The problem is not with two-factor authentication. It’s not even a problem with the inherent weaknesses of SMS-based 2FA in particular. Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.

There are many types of 2FA. SMS-based 2FA requires a phone number, so you can receive a text with a “second factor” code when you log in. Other types of 2FA—like authenticator apps and hardware tokens—do not require a phone number to work. However, until just four months ago, Facebook required users to enter a phone number to turn on any type of 2FA, even though it offers its authenticator as a more secure alternative. Other companies—Google notably among them—also still follow that outdated practice.

Even with the welcome move to no longer require phone numbers for 2FA, Facebook still has work to do here. This finding has not only validated users who are suspicious of Facebook’s repeated claims that we have “complete control” over our own information, but has also seriously damaged users’ trust in a foundational security practice.

Until Facebook and other companies do better, users who need privacy and security most—especially those for whom using an authenticator app or hardware key is not feasible—will be forced into a corner.

Shadow Contact Information

Second, Facebook is also grabbing your contact information from your friends. Kash Hill of Gizmodo provides an example:

…if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.

This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends’ phone books.

Even worse, none of this is accessible or transparent to users. You can’t find such “shadow” contact information in the “contact and basic info” section of your profile; users in Europe can’t even get their hands on it despite explicit requirements under the GDPR that a company give users a “right to know” what information it has on them.

As Facebook attempts to salvage its reputation among users in the wake of the Cambridge Analytica scandal, it needs to put its money where its mouth is. Wiping 2FA numbers and “shadow” contact data from non-essential use would be a good start.

By Gennie Gebhart, Electronic Frontier Foundation

  35 comments for “You Gave Facebook Your Phone Number for Security. They Used it for Ads”

  1. keepcalmeverythingisfine says:

    Facebook is dead money, if you have this stock you might seriously think about getting out now. Facebook collects and sells data, that’s how they make money, and you could say advertising as well. They don’t “share” data, they sell it. Period. There is an ill wind blowing into social media.

  2. Trena L Bristol says:

    I don’t agree with some portions of this article. I have never given Facebook my phone number. I have had to do the security routine multiple times and have never been asked for a number. I only gave them my email and that is all they have on my account. That is what they ask for and I get in. I recommend not using a phone number where you can get away with it, to avoid the risk of telemarketing calls. I also have an ad blocker which speeds up my bandwidth 10 to 25 percent.

    • Justme says:

      You missed the point. Facebook tricked people into revealing their phone number under the guise of “security”. Then FB abused the knowledge of the number. Or FB allowed you to enter your phone number as part of your contact info so that your FB friends could look it up to call you. And they abused that knowledge, too. Finally, FB allowed phone numbers to be guesstimated via friends phone books. And then that knowledge was abused as well.

    • Wolf Richter says:

      Check the second half of the article, “Shadow Contact Information” – you may not have GIVEN FB your phone number, but it might have obtained it from your friends’ phone books.

  3. Justme says:

    I *hate* 2-factor phone-based authentication with a passion. It is intrusive to my privacy, and many times it does not work because you MUST have a cellphone, and sometimes it does not work with third-party cellphone service providers because many authentication setups disqualify numbers that *appear* to be landlines or VOIP lines. 2-factor authentication should be BANNED.

    2-factor authentication is a terrible privacy intrusion masquerading as “security”.

    • Justme says:

      The last line should say

      2-factor PHONE-BASED authentication is a terrible privacy intrusion masquerading as “security”.

  4. Wisdom Seeker says:

    Facebook is walking proof of the adage that “two people can keep a secret, but only if one of them is dead”.

    For companies dependent on ad revenue, consumers should simply assume that ANY information they give away, for any reason, WILL be used to micro-target and manipulate you. And then act accordingly.

    Facebook is even worse than freeway billboards.

  5. Justme says:

    Another problem: If you travel outside the US, good luck if you have no international cell (SMS) plan and need to get into your 2FA bank account. You are screwed. The whole system is so idiotic you could tear your hair out. Idiotic and evil, rather.

  6. IdahoPotato says:

    75% of Indians use WhatsApp, owned by FB. The whole way to communicate through WhatsApp is through your phone. Ditto with people in other parts of the world.

  7. rj says:

    I wouldn’t give Zuckerberg the time of day.

  8. IdahoPotato says:

    WhatsApp has 1 billion users EVERY DAY. FB uses all those numbers to sell ads. My relatives in India will only communicate through WhatsApp ‘cos it’s free. Let that sink in. 1 billion users EVERY DAY.

    Ditto with people in South and Central America. My contractor from Guatemala communicates with his family back there exclusively through WhatsApp.

    Some like us who don’t want to be on it cannot communicate with our relatives and friends in other countries any other way.

  9. MCH says:

    Is this just coincidence… cause FB announced this morning 50 million user data got compromised by some type of hack.

    I am starting to think the internet might not be such a good thing. Never mind that social media is just utter crap.

    But I think unless FB starts seeing its DAU and MAU counts go down significantly, the advertisers will still pay out the nose for their brand of targeting.

  10. Mean Chicken says:

    FB is very greasy IMO, hopefully it’s just another tech fad that dries up and blows away, similar to 70’s CB radios and plaid polyester.

    • Maximus Minimus says:

      FB might do just that, but your data will be sold and will live on. You won’t die until LinkedIn or FB says so: your name will come up in searches, and notifications. A perverse kind of immortality.

  11. Petunia says:

    In most of the third world fb already has the numbers because the smartphones come with the fb app factory installed. This is why they are used by billions of people daily. Just remember it is not just fb and google, everything you do on a phone is traceable and trackable.

  12. safe as milk says:

    I route my calls through the Callcentric VoIP service. They have a whitelist feature. If you are not in my phonebook, you go straight to voicemail.

  13. raxadian says:

    It gets worse, Scambookie was hacked AGAIN.

    https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/

    Yes, your data is not safe.

    Sleep well!

    • MCH says:

      Sleeping soundly like a baby, knowing that even though I don’t have a Facebook account, those guys probably already know too much about me because somewhere, I’m sure, there are pictures and numbers, due to the treasure trove of data there. But oh well, that’s just life, and advertising.

      I wonder what would happen if somehow Facebook’s data centers went kaput…. that would be a kick to the stock price, huh.

  14. Ted Freeman says:

    Even if FB somehow gets my number, how would they serve up ads to me if I don’t have a FB account? SMS or robocalls? Google ads?

    • MC01 says:

      From what we know until now if you have no FaceBook (FB) account, you are safe. This issue concerns so far only FB users who didn’t hand the company their phone numbers but whose phone contact was shared with FB by other people.
      How does FB target these poor saps? By sending targeted ads to their phone numbers when they are using FB-created apps or websites on their smartphones.

      In short, the FB “ecosystem” strikes yet again and makes Apple look like a bastion of integrity by comparison, not exactly an easy feat.

      • Crysangle says:

        “…until now….”

        Truth is that we do not fully know what data is shared with who. Once online and captured it can be sold and aggregated with other data from other platforms and used by yet other platforms to personally target someone in various ways, or to target a segment of society by using knowledge of the sentiment or activity of that segment.

        This is very odd in practice because you end up with comfortable presentation that seems somehow familiar with you, but at the same time know its motive is not based on benefiting you, but for another to profit from you. There is not even a thin line between improving service and sales, because you know the whole point is to serve you your choice before you have chosen it.

        I think this is fraud, because you are giving a false impression of choice. As consumer you do have that choice always – except when you are led to believe that you are looking at the choices when in reality you are not.

        So this tech is very invasive because it purposefully sets out to meddle with your perceptions to the greatest degree possible.

    • Maximus Minimus says:

      You will get your FB browser cookie by visiting sites which are paid by FB to distribute them. You may even find a FB cookie pre-installed in your “free” browser, such as Chrome.

  15. ZeroBrain says:

    Wolf, thank you for giving EFF your platform. More people should be concerned with privacy and ubiquitous surveillance, both on and offline. The ability to organize anonymously is important to maintaining a balance of power between the people and government.

    • Robert says:

      Not just Facebook but government has done everything in their power to make that impossible. With facial recognition they even strive to know exactly where you are at all times as well (and a footnote to that: of the thousands of internet gangs out to steal from your bank accounts, how many are now out there looking to steal from your very homes based on whether you are home or not?)
      It’s way past high time to hold your elected representatives to account for all this. Anyone who voted for the Patriot Act, for example, is on my sh*tlist (FB – you can share that as you like).

  16. xear says:

    I once checked out my landlord’s wife’s FB page. Next day I get a friend request from her. Seemed rude to turn down a friend request. So I said ok. Later I asked in person if she sent a friend request. No. My ok was sending her one though. Deceitful, dirty, underhanded, shady, crooked, dodgy.

    Deleted the whole corrupt mess.

  17. L Lavery says:

    The best way to protect your identity online is to do as the hackers do: be anonymous. At present we have mainly centralised social media, where everyone connects through a central hub which makes its margin selling your data (knowledge about you). Coming soon (for some definition of soon) are “decentralised social media” (DuckDuckGo the term), which are peer to peer, some more so than others AISI.

    Question is, how do these decentralised systems make their margin? I mean, in a purely decentralised system there’s no center (hub) to which value can accrue! I think we can only guess how it will work, and there may well be more than one answer[1]. But there’s no doubt it will involve crypto-currency.

    [1] https://steemit.com/facebook/@antimedia/10-decentralized-blockchain-based-social-media-networks-to-use-instead-of-facebook

    • Ambrose Bierce says:

      You’re getting at the problem with the neoliberal policy under which the internet was allowed to develop. Can you roll that back? Would government be the gatekeeper and provide the bandwidth (since connectivity is a necessary component of Democracy, and provides for those articles about domestic tranquility in the Constitution)? (Government would have nationalized the newspapers but that would have put it in control of content, and it seems that owning the internet has no real effect on content.) Some believe government already owns FB (CIA) and at issue here is what constitutes a MEDIA company, and those fall under different rules (FCC). FCC requires news footage to black out any image that constitutes advertising, usually ball cap logos, but they give the president a blank check to speak whenever he pleases about anything without charging him campaign advertising fees, or collecting the tax on those fees as it were. The media is the reason incumbents usually win. The so-called Liberal media is promoting the president’s 2020 run right now, gratis.

      • Robert says:

        They did their damnedest in the 2016 election to defeat Trump – including, I might add, every single late night comedian – and yet he somehow triumphed; it was amazing. Apparently a combination of disgust over the Dems’ choice with disgust for the MSM, and the latter has not improved in any case since the last election. On the other hand, if the public finally tires of the MIC, Trump may be in danger if an honest pacifist appears on the scene.

  18. Dejavu says:

    All the more reason not to give your phone number to Facebook.

  19. Laughing Eagle says:

    I am not on FB, but I constantly receive messages to join because some friend of mine is asking to be his/her friend.
    I simply delete. No way am I ever going to be on FB.
    Even if FB would pay for my info of any kind, money would never sway me.
