What happens to the mobile numbers Facebook users add to their accounts to enable SMS two-factor authentication (2FA)?
If you assume the answer is nothing beyond their described purpose, prepare for a bit of a surprise courtesy of a study by researchers from Northeastern University and Princeton University, backed by plenty of dissatisfied commentary from the privacy community and tech press.
Facebook, the researchers found, has been adding these numbers to the other data it uses to target people with advertising.
It is already known that Facebook lets advertisers upload their own data – including email addresses and telephone numbers – which is matched to the same data on user accounts. As the researchers explain:
Facebook then creates an audience consisting of the matched users and allows the advertiser to target this specific audience.
What’s never been clear, however, is which personally identifiable information (PII) from its various services (including Instagram and WhatsApp) are used in ad targeting because it’s not easy to directly relate a specific piece of data from one context to the ads that show up.
The study offers a fascinating methodology for inferring this, in the process discovering that any data will do the trick, including numbers added as part of 2FA (or to receive login security alerts) but not used elsewhere.
An article in Gizmodo – which worked with the researchers – calls this data “shadow contact information,” perhaps deliberately echoing recent controversy surrounding Facebook’s shadow profiles used to gather data on internet users who come into contact with its sites without having accounts.
Facebook doesn’t clearly state that it does this anywhere, but seems to have admitted as much by telling another news site that if users were that bothered they could:
Opt out of this ad-based repurposing of their security digits by not using phone number based 2FA.
It is outrageous that Facebook is asking people to turn off SMS-based 2FA simply because they don’t like the fact that it is using that telephone number to target them with advertising.
Facebook uses advertising to make money from what is a free service – it harvests PII to target advertising and perhaps anyone bothered by this shouldn’t be on Facebook.
However, Facebook should draw the line at using information provided for security reasons in ad targetting, if they’re not going to allow users to specify its use.
Another way
The good news is that however convenient SMS-based authentication might seem, it’s not secure enough anyway and Facebook users would be better migrating to alternatives such as an authentication app, or even the Facebook’s app’s own Code Generator function.
This solution not only bypasses the whole issue of phone numbers being used in ways people aren’t happy with, but improves their security. What’s not to like?
Max
I wonder if that’s even legal here in the EU.
IT Guy
Seriously… is this really a surprise????
Be sure Facebook is and will continue (ab)using every piece of available data for each and every user in any way it can gather it.
Anonymous
Just read an article about Brian Acton (cofounder of WhatsApp) on Forbes website and how Facebook wanted to monitize WhatsApp but faced pushback because of the encryption and privacy methodology of WhatsApp. So they went after the none encrypted data….the phone numbers of the users so that they can eventually target ads in WhatsApp. Using 2FA to validate the phone numbers is just a stepping stone.
j karna
Only idiots use FB.
anthonymaw
You can never really delete your data or your account from Facebook. It is simply “deactivated” or otherwise simply marked hidden but remains lurking out there. For purposes of performance and reliability, virtually all data these days is replicated multiple times and often across different geographic regions. Basically you can assume that anything you type or tap and send will be somewhere out there in the Universe forever whether you know it or like it, or not.
Paul Ducklin
Facebook does, in fact, offer two sorts of deletion. Not only is there a “delete (but you can recall your account by name and with all our old content for at least a year)” option but also a “delete (and you can’t have the account name back and your data will be permanently dumped from all around the Facebook empire over the next couple of weeks so don’t ask for it again)” option. So your data it isn’t inevitably “simply marked hidden”.
If you are suggesting that Facebook deliberately doesn’t honour its “delete and really, actually delete” commitment, you probably need to produce some evidence because that’s a pretty serious claim. If you’re suggesting that Facebook only has a “deactivate” option, then that’s not true – full-and-frank deletion was explicitly offered as an option several years back, IIRC.
IT Guy
So what you are suggesting Paul, is that a company that continually abuses personal data, such as allowing ‘developers’ access, Cambridge Analytica, and now sharing information you provided for the sole purpose of securing your account, is inherently trustworthy????
Suzanne Bradley
I didn’t, because I don’t trust FB with my mobile number.
Chris Hurst
If you install the FB app on your phone for the authenticator piece, it undoubtedly gets the mobile phone number as well as a ton of other information and is worse than the SMS MFA option for privacy. Better off using Google authenticator, authy, or similar…
GGma
What about those oif us who never gave info to FB…they just attached trackers to our computer and ran away with the info, whether we wanted it or not. FB steals your info without knowledge or consent. Thought that was illegal somewhere, but evidently not here in US. Every day I get rid of cookies put on my computer each time I visit Any site that has a FB Like/Hate button. Twitter does this, as do Linkedn (not sure of spelling), and other social sites…then there’s Google and MS who make FB look like a child in sneaky data gathering.
Chuck
But once they have your phone number, there’s no turning back, right? I removed it from my main account. No extra authentication was added. But I created a test account and it (Facebook) insisted that I use my phone number to login. I have since deleted the test account. But other than changing my phone number, is there anything I can do? I do use noscript with Facebook blocked by default (except when I login with my browser (sandboxed) and a new app that supposedly prevents Facebook from following you around. I also use uBlock origin and Canvas Defender.