Yes Facebook is using your 2FA phone number to target you with ads

Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

Specifically a phone number handed over for two factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

Facebook’s confession follows a story Gizmodo ran a story yesterday, related to research work carried out by academics at two U.S. universities who ran a study in which they say they were able to demonstrate the company uses pieces of personal information that individuals did not explicitly provide it to, nonetheless, target them with ads.

While it’s been — if not clear, then at least evident — for a number of years that Facebook uses contact details of individuals who never personally provided their information for ad targeting purposes (harvesting people’s personal data by other means, such as other users’ mobile phone contact books which the Facebook app uploads), the revelation that numbers provided to Facebook by users in good faith, for the purpose of 2FA, are also, in its view, fair game for ads has not been so explicitly ‘fessed up to before.

Some months ago Facebook did say that users who were getting spammed with Facebook notifications to the number they provided for 2FA was a bug. “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” Facebook then-CSO Alex Stamos wrote in a blog post at the time.

Apparently not thinking to mention the rather pertinent additional side-detail that it’s nonetheless happy to repurpose the same security feature for ad targeting.

Because $$$s, presumably.

We asked Facebook to confirm this is indeed what it’s doing — to make doubly doubly sure. Because, srsly wtaf. And it sent us a statement confirming that it repurposes digits handed to it by people wanting to secure their accounts to target them with marketing.

Here’s the statement, attributed to a Facebook spokesperson: “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

A spokesman also told us that users can opt out of this ad-based repurposing of their security digits by not using phone number based 2FA. (Albeit, the company only added the ability to do non-mobile phone based 2FA back in May, so anyone before then was all outta luck.)

On the ‘shadow profiles’ front — aka Facebook maintaining profiles of non-users based on the data it has been able to scrape about them from users and other data sources — the company has also been less than transparent.

Founder Mark Zuckerberg feigned confusion when questioned about the practice by US lawmakers earlier this year — claiming it only gathers data on non-users for “security purposes”.

Well it seems Facebook is also using the (valid) security concerns of actual users to extend its ability to target individuals with ads — by using numbers provided for 2FA to also carry out ad targeting.

Safe to say criticism of the company has been swift and sharp.

“At this point I consider Facebook a criminal enterprise. Maybe not legally, but morally” https://t.co/BrZ7Yeq5Jw — DHH (@dhh) September 27, 2018

The repurposing by Facebook of phone numbers, provided by users for SMS 2FA, to better target for advertising is utterly disgusting. I’m not easily shocked, but this… https://t.co/qFNgqMDFL1 — Elizatech (@FitzTechLawIE) September 26, 2018

Soon Facebook will also be using behind-the-scenes tech means to target ads at WhatsApp users — despite also providing a robust encrypted security wrapper around their actual messages.

Stamos — now Facebook’s ex-CSO — has also defended its actions on that front.

Related reading…