You Gave Facebook Your Number For Security. They Used It For Ads.

[steven36]

Add “a phone number I never gave Facebook for targeted advertising” to the list of deceptive and invasive ways Facebook makes money off your personal information. Contrary to user expectations and Facebook representatives’ own previous statements, the company has been using contact information that users explicitly provided for security purposes—or that users never provided at all—for targeted advertising.

 

 

A group of academic researchers from Northeastern University and Princeton University, along with Gizmodo reporters, have used real-world tests to demonstrate how Facebook’s latest deceptive practice works. They found that Facebook harvests user phone numbers for targeted advertising in two disturbing ways: two-factor authentication (2FA) phone numbers, and “shadow” contact information.

Two-Factor Authentication Is Not The Problem

First, when a user gives Facebook their number for security purposes—to set up 2FA, or to receive alerts about new logins to their account—that phone number can become fair game for advertisers within weeks. (This is not the first time Facebook has misused 2FA phone numbers.)

 

But the important message for users is: this is not a reason to turn off or avoid 2FA. The problem is not with two-factor authentication. It’s not even a problem with the inherent weaknesses of SMS-based 2FA in particular. Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.

 

There are many types of 2FA. SMS-based 2FA requires a phone number, so you can receive a text with a “second factor” code when you log in. Other types of 2FA—like authenticator apps and hardware tokens—do not require a phone number to work. However, until just four months ago, Facebook required users to enter a phone number to turn on any type of 2FA, even though it offers its authenticator as a more secure alternative. Other companies—Google notable among them—also still follow that outdated practice.

 

Even with the welcome move to no longer require phone numbers for 2FA, Facebook still has work to do here. This finding has not only validated users who are suspicious of Facebook's repeated claims that we have “complete control” over our own information, but has also seriously damaged users’ trust in a foundational security practice.

 

Until Facebook and other companies do better, users who need privacy and security most—especially those for whom using an authenticator app or hardware key is not feasible—will be forced into a corner.

Shadow Contact Information

Second, Facebook is also grabbing your contact information from your friends. Kash Hill of Gizmodo provides an example:

...if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.

This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends’ phone books.

 

Even worse, none of this is accessible or transparent to users. You can’t find such “shadow” contact information in the “contact and basic info” section of your profile; users in Europe can’t even get their hands on it despite explicit requirements under the GDPR that a company give users a “right to know” what information it has on them.

 

As Facebook attempts to salvage its reputation among users in the wake of the Cambridge Analytica scandal, it needs to put its money where its mouth is. Wiping 2FA numbers and “shadow” contact data from non-essential use would be a good start.

 

Source: EFF

[Cruzan]

never give out ur number, not to anyone, especially some who run discord

[steven36]

27 minutes ago, Cruzan said:

never give out ur number, not to anyone, especially some who run discord

I dont use programs or services  who ask for phone numbers but i was just posting this info for those that do..  Telling people not to do it after they done did it it;s too late .  There are some apps on andorid that let you make a real fake phone number that will work , but chances if you use Android, Google already have your Geo location and knows everything about you already .   Some places will sell you a fake phone number that will work but unless you used bitcoin to pay for it  that leaves a data trial  as well. So the best option for me is don't use it if it ask for a phone number ,  social media sites like reddit don't ask for a phone number,  so why should others?

[dhjohns]

40 minutes ago, steven36 said:

Instead, this is a problem with how Facebook has handled users’ information and violated their reasonable security and privacy expectations.

I have no privacy or security expectations with facebook!  LOL  I am the product.  Anyway, I use FBP so I have no ads.

[steven36]

7 minutes ago, dhjohns said:

I have no privacy or security expectations with facebook!  LOL  I am the product.  Anyway, I use FBP so I have no ads.

That's because you are the ad ,  fact   is most everyone uses adblocker and they don't make that much money from ads you can see but they sell your data to those who make ads .. If they got your phone number  they can just call you and bug you that way. how do you think you get spam email  you give some company your email and  they sell emails to data collectors . They sell phone numbers too  and  collectors do Robo calls.

[dhjohns]

Well, I don't give them my phone number, or any other info.  So only the info people choose to put in fb can be shared.  Like you said when you use a free service you are the product.  This applies to every free service out there including VPNs.

[steven36]

23 minutes ago, dhjohns said:

Well, I don't give them my phone number, or any other info.  So only the info people choose to put in fb can be shared.  Like you said when you use a free service you are the product.  This applies to every free service out there including VPNs.

Id much rather see a ad than give  the vendors that pay for the ads that Facebook  has, than give them my phone number so they can call me and try too sell me something, even if they did , if i dont know the number i want answer it  , never no vpn i ever used asked for my phone number or anything , i dont use freebies   i just pay for it with bitcoin and they send the code  to one of my emails i made up with fake info that use encryption. I sometimes use giveaways as long as they dont ask for and phone number  or a Facebook account i dont have i just send those to disposable emails so they don't spam my real email or sell my email.

 

If Facebook catches you making up and account with fake info they will ban it because its against there  Terms of service , I  know cops and others do it, but if they catch you , you will be banned. 

 

[Appline]

On 9/28/2018 at 8:09 PM, dhjohns said:

Well, I don't give them my phone number, or any other info.  So only the info people choose to put in fb can be shared.  Like you said when you use a free service you are the product.  This applies to every free service out there including VPNs.

True that. If the ride is free then you are the fuel. I don't get how people tend to use free VPNs, it is mind-boggling. I personally like services like NordVPn where you can pay with cryptocurrency and use one email just for that. No more info needed.