A study by US researchers reports that Facebook uses phone numbers to target advertisements, even though the users did not provide them or when provided only for security verification purposes. Facebook has confirmed the second accusation.

Facebook, and its subsidiary Instagram, allow advertisers to use their own lists of email addresses and phone numbers (collected through, for instance, mailing lists) to target ads towards users associated with those details: a ‘custom audience’. However, this new report describes how Facebook also contact details collected from other people’s contact lists (“shadow contact information”). A Gizmodo report claims that when Facebook was questioned about this practice in 2017, it denied it.

The researchers – based at Northeastern University and Princeton University – performed a series of tests which demonstrated that approximately a month after a user shares their contact details with Facebook, advertisers can use that user’s contact details to target ads at them. They found that if a user shares their contacts with Facebook, advertisers will be able to target that user’s contacts with ads even if they have not consented to have their contact details used: these users are unable to even see their shadow contact information.

They confirmed their findings by successfully targeting an advert at a user (one of the researchers) with his phone number, which he had not provided to Facebook.

Facebook has refused to disclose “shadow contact information” on request, arguing that it would violate other users’ privacy. The company has even kept this information secret within the EU, where companies are bound by the General Data Protection Regulation, which prevents companies from processing personal data without the clear, ongoing consent of the user.

A Facebook spokesperson told Gizmodo that: “People own their address books. We understand that in some cases this may mean that another person may not be able to control the contact information that someone else uploads about them.”

The researchers also found during their study that Facebook uses phone numbers provided for two-factor authentication (a two-layer security technique intended to enhance security) in order to target ads towards users. Facebook has since confirmed this accusation.

"The problem is not with two-factor authentication [...] Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations," a blog post by the Electronic Frontier Foundation said.

“I think many users don’t fully understand how ad targeting works today: that advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc,” said Professor Alan Mislove, who was involved with the research.

“In describing this work to colleagues, many computer scientists were surprised by this and were even more surprised to learn that not only Facebook, but also Google, Pinterest and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.”

In a statement, Facebook said: “We use the information people provide to offer a better, more personalised experience on Facebook, including ads. We are clear about how we use the information that we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”