Researchers reveal Face­book is using phone num­bers iden­ti­fied via friends’ con­tact lists and num­bers entered for two-fac­tor authen­ti­ca­tion to tar­get ads.

Face­book has con­firmed it tar­gets ads to users based on phone num­bers they pro­vide for two-fac­tor authen­ti­ca­tion (the process used to pro­tect a user account) and con­tact infor­ma­tion tak­en from friends’ con­tact lists that can be matched to their accounts — even if they haven’t added that infor­ma­tion to their accounts.

The test. Giz­mo­do reporter Kash­mir Hill teamed up with a North­east­ern Uni­ver­si­ty research team to deter­mine if Face­book was col­lect­ing user phone num­bers via indi­rect means to tar­get ads. Hill reports she cre­at­ed an ad cam­paign to dis­play an ad direct­ed at researcher Alan Mis­love based on a land­line num­ber Mis­love had not direct­ly shared with Face­book. Mis­love saw the ad with­in hours.

From the Giz­mo­do report:

They [researchers at North­west­ern] uploaded a list of hun­dreds of land­line num­bers from North­east­ern Uni­ver­si­ty. These are num­bers that peo­ple who work for North­east­ern are unlike­ly to have added to their accounts, though it’s very like­ly that the num­bers would be in the address books of peo­ple who know them and who might have uploaded them to Face­book in order to “find friends.” The researchers found that many of these num­bers could be tar­get­ed with ads, and when they ran an ad cam­paign, the ad turned up in the Face­book news feed of Mis­love, whose land­line had been includ­ed in the file; I con­firmed this with my own test tar­get­ing his land­line num­ber.


Not only could the researchers use Facebook’s Cus­tom Audi­ence tool to tar­get ads based on con­tact infor­ma­tion users did not direct­ly give Face­book per­mis­sion to use, but they were also able to tar­get ads to phone num­bers that had been entered for two-fac­tor authen­ti­ca­tion, a method used to secure a user account with a phone num­ber.

Facebook’s response. A Face­book spokesper­son sent the fol­low­ing state­ment in response to the find­ings (bold­ing added):

Peo­ple own their address books. We under­stand that in some cas­es this may mean that anoth­er per­son may not be able to con­trol the con­tact infor­ma­tion some­one else uploads about them. Of note, when peo­ple vis­it the “Upload­ing and Man­ag­ing Your Con­tacts” screen we let them know that, “Face­book match­es name and con­tact infor­ma­tion you upload with name and con­tact infor­ma­tion oth­ers have uploaded to pro­vide a bet­ter ser­vice and make rec­om­men­da­tions to you and oth­ers.”

With regard to 2-fac specif­i­cal­ly, we’re clear with peo­ple that we use the infor­ma­tion peo­ple pro­vide to offer a more per­son­al­ized expe­ri­ence, includ­ing show­ing more rel­e­vant ads. So when some­one adds a phone num­ber to their account for exam­ple, at sign up, on their pro­file, or dur­ing the two-fac­tor authen­ti­ca­tion signup — we use this infor­ma­tion for the same pur­pos­es.

Mar­ket­ing Land has asked Face­book where on its app users are noti­fied that the num­ber they enter for two-fac­tor authen­ti­ca­tion will be used to show more rel­e­vant ads; we will update here when we get a response.

A con­tin­u­ing pat­tern. Hill said Face­book had told her it was not pos­si­ble to tar­get ads with so-called shad­ow data. Facebook’s cur­rent noti­fi­ca­tion to users who upload their con­tact lists does not explic­it­ly men­tion their friend’s data will be used to tar­get ads to them. The pre­sump­tion of using two-fac­tor data for ad tar­get­ing is also sur­pris­ing in light of the data pro­tec­tion lens Face­book has been under for more than a year.

The report was released on Wednes­day, with lim­it­ed respons­es from users or adver­tis­ers. But in light of the efforts Face­book has tak­en this year to demon­strate how seri­ous­ly it takes user secu­ri­ty and pri­va­cy, the fact that it is using less than upfront meth­ods to tar­get ads belies those efforts.

Ear­li­er this year, Face­book refined the amount of data avail­able to app devel­op­ers — no longer let­ting apps have access to users’ friend lists. This was a direct con­se­quence of Cam­bridge Ana­lyt­i­ca har­vest­ing and exploit­ing user infor­ma­tion. While Face­book has removed the abil­i­ty for apps to scrape users’ con­tact lists, it is using sim­i­lar meth­ods to tar­get ads on its own plat­form.

This lat­est report reveals the com­pa­ny is still putting adver­tis­ers’ needs ahead of user pri­va­cy. Users whose num­bers get uploaded from oth­er users’ con­tact lists have no way of know­ing if, much less who, shared their num­bers — and no means of remov­ing that data.

Face­book report­ed slowed user growth dur­ing its Q2 earn­ings call. Ear­li­er this month, Pew Research Cen­ter report­ed that 42 per­cent of Face­book users have stepped back from dai­ly activ­i­ty and that 26 per­cent have delet­ed the app from their phones.

Why you should care. Face­book has spent the past months devot­ing much of its time and effort extolling the mea­sures it has tak­en to safe­guard user data. CEO Mark Zucker­berg and COO Sheryl Sand­berg have stat­ed repeat­ed­ly that it doesn’t sell user data to adver­tis­ers — only ads — and that users can see how they’re being tar­get­ed with­in their ad pref­er­ence set­tings and have access to pri­va­cy con­trols.

But if a user is being tar­get­ed because a num­ber they didn’t give to Face­book has been iden­ti­fied and then matched to their account via anoth­er user’s con­tact list, then Face­book is not giv­ing users full con­trol of their data.

Facebook’s adver­tis­ers will stick with the plat­form as long as they con­tin­ue to see results; tar­get­ing pre­ci­sion has been Facebook’s recipe for attract­ing adver­tis­ers. The risk for Face­book is that grow­ing user mis­trust and declin­ing engage­ment with the plat­form — and reg­u­la­to­ry pres­sure to fur­ther lim­it the data it makes avail­able — will erode adver­tis­ers’ returns. Mar­keters may reap the ben­e­fits of such tac­tics in the short term, but adver­tis­er rep­u­ta­tions could be neg­a­tive­ly impact­ed if their ads are being served up to users based on con­tact infor­ma­tion iden­ti­fied via anoth­er user’s account.

As the over­all health of social media plat­forms takes cen­ter stage — and brand safe­ty con­tin­ues to be a chal­lenge for both ad plat­forms and adver­tis­ers — ad tar­get­ing prac­tices will like­ly be more close­ly watched by users being tar­get­ed.