Researchers have found that the phone number people provide to Facebook to set up two-factor authentication (2FA) and login alerts is being used by advertisers to target ads.
As reported by Gizmodo, Facebook users who want to add an extra layer of security to their accounts are actually trading off privacy when they use their phone number to set up 2FA to receive an SMS login code.
The same goes when providing a phone number for Facebook login alerts, which notify users via a supplied email or phone number when a new device logs in to an account.
A group of researchers from Northeastern University and Princeton University detail in a new paper that phone numbers shared with Facebook for these security features quickly become part of Facebook's Custom Audience targeted advertising program.
Custom Audience allows advertisers to upload details about their customers, such as phone numbers, email addresses and dates of birth, which Facebook can then match with information it has about users to deliver targeted ads.
While people might expect Facebook to allow this kind of matching against the information they entered on their profile page, most users likely wouldn't expect a number they supplied for security reasons to be fair game as well.
As the researchers point out, in response to the Cambridge Analytica scandal Facebook stopped letting people look up other users by typing in a phone number. Yet advertisers can still use phone numbers to target ads.
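As an added illustration (not code from the article or from the researchers' paper), the Python below models a Custom Audience style match: an advertiser uploads phone numbers, the platform normalizes and hashes them, and looks for users whose stored number has the same hash. It then shows the purpose-limitation check the article implies is missing: each stored number carries a label for why it was collected, and the matcher can be told to ignore numbers collected only for 2FA or login alerts. The SHA-256 matching key, the purpose labels and the user records are assumptions constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    """Why a phone number was collected (hypothetical labels for this example)."""
    PROFILE = "profile"            # user added it to their profile
    TWO_FACTOR = "2fa"             # supplied only to receive SMS login codes
    LOGIN_ALERTS = "login_alerts"  # supplied only to be warned of new logins


@dataclass(frozen=True)
class PhoneRecord:
    user_id: str
    number: str
    purposes: frozenset  # set of Purpose values


def normalize_phone(number: str) -> str:
    """Keep digits only, so '+1 (555) 010-0002' and '1-555-010-0002' compare equal."""
    return re.sub(r"\D", "", number)


def phone_fingerprint(number: str) -> str:
    """SHA-256 of the normalized number; assumed here as the matching key."""
    return hashlib.sha256(normalize_phone(number).encode("utf-8")).hexdigest()


def match_custom_audience(uploaded, records, allowed_purposes):
    """Return sorted user_ids whose stored number matches an uploaded number,
    restricted to numbers collected for at least one allowed purpose."""
    wanted = {phone_fingerprint(n) for n in uploaded}
    matched = []
    for rec in records:
        if phone_fingerprint(rec.number) not in wanted:
            continue
        # Purpose limitation: a number given only for security is skipped
        # unless its purpose is explicitly allowed for advertising.
        if rec.purposes & allowed_purposes:
            matched.append(rec.user_id)
    return sorted(matched)


# Constructed sample data for the example.
RECORDS = [
    PhoneRecord("alice", "+1 555 010 0001", frozenset({Purpose.PROFILE})),
    PhoneRecord("bob", "+1 (555) 010-0002", frozenset({Purpose.TWO_FACTOR})),
    PhoneRecord("carol", "+1 555 010 0003", frozenset({Purpose.LOGIN_ALERTS})),
    PhoneRecord("dave", "+1 555 010 0004", frozenset({Purpose.PROFILE})),
]
ADVERTISER_UPLOAD = ["15550100001", "1-555-010-0002", "15550109999"]

# Behaviour the article describes: every stored number is eligible.
ANY_PURPOSE = frozenset(Purpose)
# Purpose-limited behaviour: only profile numbers are eligible.
ADS_ALLOWED = frozenset({Purpose.PROFILE})


def demo():
    """Compare the two policies on the same upload."""
    return {
        "any_purpose": match_custom_audience(ADVERTISER_UPLOAD, RECORDS, ANY_PURPOSE),
        "profile_only": match_custom_audience(ADVERTISER_UPLOAD, RECORDS, ADS_ALLOWED),
    }


if __name__ == "__main__":
    for policy, users in demo().items():
        print(f"{policy}: {users}")
```

With no purpose restriction, bob's 2FA-only number matches the upload just like alice's profile number; with the purpose check in place, only alice is returned. The difference is entirely in metadata recorded at collection time, which is why the researchers' complaint about unclear purpose at collection matters.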
The main problem the researchers have with Facebook's approach to using this personally identifiable information (PII) is that it's not clear to users how it intends to use the data when it's collecting it.
For example, when users currently confirm a phone number to enable alerts about unrecognized logins, Facebook says: "Confirming your mobile number helps you reset your password if you ever need to, find friends, get SMS updates and more. Only you will see your number."
In response to Gizmodo's post, Facebook said it uses the information people provide to personalize the experience, including showing more relevant ads.
Facebook also highlighted that users don't need to provide a phone number for two-factor authentication. However, this option has only been available since May. CNET has a run-down on how to remove a phone number from Facebook's 2FA and login alerts.
In all, the researchers counted seven key sources of PII that Facebook could use for targeted advertising.
These include PII in Facebook profiles added by the user, PII provided to Facebook Messenger, PII provided to WhatsApp, PII in users' phone contacts, PII uploaded by Custom Audience advertisers, PII used to set up 2FA, and PII added for login alerts.
"We find that five of these result in the PII being used for advertising: all except for PII provided to WhatsApp and PII uploaded by advertisers," the researchers note.