What happens to the mobile numbers Facebook users add to their accounts to enable SMS two-factor authentication (2FA)?
If you assume the answer is nothing beyond their described purpose, prepare for a bit of a surprise courtesy of a study by researchers from Northeastern University and Princeton University, backed by plenty of dissatisfied commentary from the privacy community and tech press.
Facebook, the researchers found, has been adding these numbers to the other data it uses to target people with advertising.
It is already known that Facebook lets advertisers upload their own data – including email addresses and telephone numbers – which is matched to the same data on user accounts. As the researchers explain:
Facebook then creates an audience consisting of the matched users and allows the advertiser to target this specific audience.
What’s never been clear, however, is which personally identifiable information (PII) from its various services (including Instagram and WhatsApp) are used in ad targeting because it’s not easy to directly relate a specific piece of data from one context to the ads that show up.
The study offers a fascinating methodology for inferring this, in the process discovering that any data will do the trick, including numbers added as part of 2FA (or to receive login security alerts) but not used elsewhere.
An article in Gizmodo – which worked with the researchers – calls this data “shadow contact information,” perhaps deliberately echoing recent controversy surrounding Facebook’s shadow profiles used to gather data on internet users who come into contact with its sites without having accounts.
Facebook doesn’t clearly state that it does this anywhere, but seems to have admitted as much by telling another news site that if users were that bothered they could:
Opt out of this ad-based repurposing of their security digits by not using phone number based 2FA.
It is outrageous that Facebook is asking people to turn off SMS-based 2FA simply because they don’t like the fact that it is using that telephone number to target them with advertising.
Facebook uses advertising to make money from what is a free service – it harvests PII to target advertising and perhaps anyone bothered by this shouldn’t be on Facebook.
However, Facebook should draw the line at using information provided for security reasons in ad targetting, if they’re not going to allow users to specify its use.
The good news is that however convenient SMS-based authentication might seem, it’s not secure enough anyway and Facebook users would be better migrating to alternatives such as an authentication app, or even the Facebook’s app’s own Code Generator function.
This solution not only bypasses the whole issue of phone numbers being used in ways people aren’t happy with, but improves their security. What’s not to like?