Facebook’s two-factor ad practices give middle finger to infosec

Using our security information for commercial purposes ought to be illegal.

We've all encountered security questions asking where we went to school, our favorite color or food, our first concert, and the ubiquitous "mother's maiden name." Imagine a world where on one screen you carefully chose Stanford, red, spaghetti and so on, and on the next you were shown ads for Italian restaurants, red shoes, and jobs for Stanford grads.

Seems like an insane violation, right? We reasonably expect that the information we type in to secure our online accounts and apps is private and safely guarded, used for nothing beyond protecting the account.

Not so, we learned this past week. Amid all the chaos of a news cycle we're desperately trying to stay on top of, it came to light that Facebook admitted that the phone numbers people provided for two-factor authentication were being used for advertising purposes.

Confronted with the fact that no one knew about this, the company made it seem as though the practice had been spelled out in a policy that people could have read and avoided but didn't. "We are clear about how we use the information we collect," a Facebook spokesperson said in a statement to press, "including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you've uploaded at any time."

Nothing in Facebook's own Data Use Policy says that information provided for security purposes is put to any other use. The "Information We Collect" section does not say so, security information does not appear at all under "How Do We Use This Information?", and the policy's own security section does not say so either.

Facebook's Data Use Policy security section only says, "We use the information we have to verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, maintain the integrity of our Products, and promote safety and security on and off of Facebook Products." That's it.