Facebook targets ads with data users didn’t share with the platform

Facebook has confirmed it targets ads to users based on phone numbers they provide for two-factor authentication (the process used to protect a user account) and contact information taken from friends’ contact lists that can be matched to their accounts — even if they haven’t added that information to their accounts.

The test. Gizmodo reporter Kashmir Hill teamed up with a Northeastern University research team to determine if Facebook was collecting user phone numbers via indirect means to target ads. Hill reports she created an ad campaign to display an ad directed at researcher Alan Mislove based on a landline number Mislove had not directly shared with Facebook. Mislove saw the ad within hours.

From the Gizmodo report:

They [researchers at Northwestern] uploaded a list of hundreds of landline numbers from Northeastern University. These are numbers that people who work for Northeastern are unlikely to have added to their accounts, though it’s very likely that the numbers would be in the address books of people who know them and who might have uploaded them to Facebook in order to “find friends.” The researchers found that many of these numbers could be targeted with ads, and when they ran an ad campaign, the ad turned up in the Facebook news feed of Mislove, whose landline had been included in the file; I confirmed this with my own test targeting his landline number.

Not only could the researchers use Facebook’s Custom Audience tool to target ads based on contact information users did not directly give Facebook permission to use, but they were also able to target ads to phone numbers that had been entered for two-factor authentication, a method used to secure a user account with a phone number.

Facebook’s response. A Facebook spokesperson sent the following statement in response to the findings (bolding added):

People own their address books. We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them. Of note, when people visit the “Uploading and Managing Your Contacts” screen we let them know that, “Facebook matches name and contact information you upload with name and contact information others have uploaded to provide a better service and make recommendations to you and others.”

With regard to 2-fac specifically, we’re clear with people that we use the information people provide to offer a more personalized experience, including showing more relevant ads. So when someone adds a phone number to their account for example, at sign up, on their profile, or during the two-factor authentication signup — we use this information for the same purposes.

Marketing Land has asked Facebook where on its app users are notified that the number they enter for two-factor authentication will be used to show more relevant ads; we will update here when we get a response.

A continuing pattern. Hill said Facebook had told her it was not possible to target ads with so-called shadow data. Facebook’s current notification to users who upload their contact lists does not explicitly mention their friend’s data will be used to target ads to them. The presumption of using two-factor data for ad targeting is also surprising in light of the data protection lens Facebook has been under for more than a year.

The report was released on Wednesday, with limited responses from users or advertisers. But in light of the efforts Facebook has taken this year to demonstrate how seriously it takes user security and privacy, the fact that it is using less than upfront methods to target ads belies those efforts.

Earlier this year, Facebook refined the amount of data available to app developers — no longer letting apps have access to users’ friend lists. This was a direct consequence of Cambridge Analytica harvesting and exploiting user information. While Facebook has removed the ability for apps to scrape users’ contact lists, it is using similar methods to target ads on its own platform.

This latest report reveals the company is still putting advertisers’ needs ahead of user privacy. Users whose numbers get uploaded from other users’ contact lists have no way of knowing if, much less who, shared their numbers — and no means of removing that data.

Facebook reported slowed user growth during its Q2 earnings call. Earlier this month, Pew Research Center reported that 42 percent of Facebook users have stepped back from daily activity and that 26 percent have deleted the app from their phones.

Why you should care. Facebook has spent the past months devoting much of its time and effort extolling the measures it has taken to safeguard user data. CEO Mark Zuckerberg and COO Sheryl Sandberg have stated repeatedly that it doesn’t sell user data to advertisers — only ads — and that users can see how they’re being targeted within their ad preference settings and have access to privacy controls.

But if a user is being targeted because a number they didn’t give to Facebook has been identified and then matched to their account via another user’s contact list, then Facebook is not giving users full control of their data.

Facebook’s advertisers will stick with the platform as long as they continue to see results; targeting precision has been Facebook’s recipe for attracting advertisers. The risk for Facebook is that growing user mistrust and declining engagement with the platform — and regulatory pressure to further limit the data it makes available — will erode advertisers’ returns. Marketers may reap the benefits of such tactics in the short term, but advertiser reputations could be negatively impacted if their ads are being served up to users based on contact information identified via another user’s account.

As the overall health of social media platforms takes center stage — and brand safety continues to be a challenge for both ad platforms and advertisers — ad targeting practices will likely be more closely watched by users being targeted.

See our follow up story: Is Facebook the only platform using 2FA for ad targeting?