Facebook did not have a good week last week and details are still coming. At the start of the week, Facebook users found that Facebook uses “shadow contact information” from 2-factor authentication and friends phonebooks to target advertisements to users. Later in the week, Facebook announced that at least 50 million users accounts were compromised through a series of vulnerabilities. To top it off a user was going to exploit a bug that would allow him to delete a user’s account such as Mark Zuckerberg Facebook account. He has since backed off from showing this though.
In these big headlines about Facebook some details have been missed. The Northeastern University research paper that exposed Facebook for using 2-factor authentication phone numbers and friends phone books addresses for ads has more information in the paper on what Facebook uses. They tested 7 different ways that Facebook might obtain your PPI (personally identifying information).
- PII added directly to a user’s Facebook profile
- PII provided to the Facebook Messenger app
- PII provided to WhatsApp
- PII shared with Facebook when sharing a phone’s contacts
- PII uploaded by advertisers to target customers via custom audiences
- PII added to user accounts for 2FA
- PII added for login alerts
Some are obvious like adding information to your Facebook profile directly. One that was missed in most articles online was login alert information. Login alert information helps to notify you if a new device logs into your Facebook account. Like 2FA, one would expect that this information would be secure and not given out to advertisers. Yet researchers found login alert information like your email address and your phone number given for login alerts were used for targeted advertisement. It is unlikely that this information ever goes away. Once Facebook has it they don’t remove it even at the request of the user. Facebook privacy policy says they delete your information, but it isn’t clear what they consider your information vs. other information they have on you. Facebook won’t even disclose the information they have on you according the researchers.
Researchers may have found a silver lining. WhatsApp data and data uploaded by advertisers were not used later for tagged ads, suggesting that Facebook doesn’t keep this information. At least in the same place.
If you want to learn more about Facebook’s use of shadow contact information, check out this week’s episode of The 443 Podcast where Marc and Corey discuss the topic.