Facebook is using your 2FA phone number to target ads at you

You get additional security on your account; Facebook gets a phone number for its targeted advertising product.
Written by Liam Tung, Contributing Writer

Researchers have found that the phone number people provide to Facebook to set up two-factor authentication (2FA) and login alerts is being used by advertisers to target ads.

As reported by Gizmodo, Facebook users who want to add an extra layer of security to their accounts are actually trading off privacy when they use their phone number to set up 2FA to receive an SMS login code.

The same goes when providing a phone number for Facebook login alerts, which notify users via a supplied email or phone number when a new device logs in to an account.

A group of researchers from Northeastern University and Princeton University detail in a new paper that phone numbers shared with Facebook for these security features quickly become part of Facebook's Custom Audience targeted advertising program.

Custom Audience allows advertisers to upload details about their customers, such as phone numbers, email addresses and dates of birth, which Facebook can then match with information it has about users to deliver targeted ads.


But while people would expect that Facebook allows this type of matching via information users provided on their profile page, it's likely most users wouldn't expect the number they provide for security reasons also to be fair game.

As the researchers point out, in response to the Cambridge Analytica scandal, Facebook stopped letting people look up other users by typing in their phone number. Yet advertisers can still use phone numbers to target ads.

The main problem the researchers have with Facebook's approach to using this personally identifiable information (PII) is that it's not clear to users how it intends to use the data when it's collecting it.

For example, when users currently confirm a phone number to enable alerts about unrecognized logins, Facebook says: "Confirming your mobile number helps you reset your password if you ever need to, find friends, get SMS updates and more. Only you will see your number."

In response to Gizmodo's post, Facebook said it uses the information people provide to personalize the experience, including showing more relevant ads.

Facebook noted that it explains how it collects and uses data in its data policy. Additionally, it noted that people control their ad experience, including custom audiences, via ad preferences.


Facebook also highlighted that users don't need to provide a phone number for two-factor authentication. However, this option has only been available since May. CNET has a run-down on how to remove a phone number from Facebook's 2FA and login alerts.

In all, the researchers counted seven key sources of PII that Facebook could use for targeted advertising.

These include PII in Facebook profiles added by the user, PII provided to Facebook Messenger, PII provided to WhatsApp, PII in users' phone contacts, PII uploaded by Custom Audience advertisers, PII used to set up 2FA, and PII added for login alerts.

"We find that five of these result in the PII being used for advertising: all except for PII provided to WhatsApp and PII uploaded by advertisers," the researchers note.
