Facebook data scandals are quite like the mob – just when you think you’re finally out, they manage to find a persuasive way to pull you right back in. Once again, to the surprise of no one, Facebook users are being subjected to suspiciously targeted commercials on the controversial social media platform. Thanks to a report from Gizmodo, it appears this is the result of Facebook granting advertisers access to their users hidden “shadow contact information,” even when profiles opt out of this data harvesting process.
Last week, the publication conducted an informal experiment to understand how the website was able to use information collected by advertisers that wasn’t shared on the platform by users themselves. Gizmodo described one of the methods by which Facebook targets ads is through allowing companies to upload phones numbers and email addresses from their customer lists, putting ads in front of accounts that are associated with the contact information from those lists.
They cite several examples of how this works, such as a particular clothing retailer able to place commercials for dresses on the Instagram feeds of women “who brought their product in the past,” how politicians can prioritize ads for those “on their mailing lists,” or casinos can offer deals to “the email addresses of people suspected of gambling addiction.” Facebook reportedly calls this a “custom audience” filter, and it’s easily accessible to businesses here.
Gizmodo’s test subject was Alan Mislove of Northeastern University, currently studying the methods social networks employ to dodge privacy protections. Journalist Kashmir Hill explains how she targeted an ad to Mr. Mislove by directing “the ad to display to a Facebook account connected to the landline number for Alan Mislove’s office, a number Mislove has never provided to Facebook. He saw the ad within hours.”
The report then cites an investigation conducted by Northeastern University’s Mislove, Giridhari Venkatadri and Piotr Sapiezynski, as well as Elena Lucherini of Princeton University, which proves through a number of tests that information uploaded by advertisers is being linked between profiles and their previously undisclosed “shadow profiles.”
This is a clear example of Facebook’s circumvention of data consent, which is to be expected of a reputation-tarnished data-mining company. Instead of Facebook using a voluntary process, where the information users have consented to having on the website, from “contact and basic info” sections, is rightfully appropriated for ads, they’ve opted to play something closer to the role of a cyberstalker-for-hire.
Facebook collects this “shadow contact information,” found by their access of third-party data hives, and are able to connect profiles through the information that was only granted to Facebook for “security purposes,” such as the two factor authentication (2FA) process used to confirm accounts or to receive alerts about new attempted logins to a user’s account.
Essentially, if you’ve previously trusted your information to a company, they’re easily able to exploit that information without your consent by giving it Facebook. This happens regardless of your current data/advertising arrangements with the site, legal promises under the penalty of fraud not to misuse this trusted information for its intended purpose, or whether you even have a Facebook account. It’s a business model that relies on having users kept in the dark.
Facebook, in an attempt to save face, soon admitted to misusing their users’ security information for advertising in a recent statement to TechCrunch.
“We use the information people provide to offer a better, more personalized experience on Facebook, including ads,” a company spokesperson said. “We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”
This would be all well and good if it wasn’t a lie. The spokesperson also states users can avoid this unethical “repurposing” of data by simply not using a phone number for 2FA, when other non-mobile verification methods were only introduced in May, basically saying people who used the only available method for years are just shit outta luck. Currently, there’s no means of accounting for full deletion of this data, meaning they’ll be able to use whatever they have regardless of your say so. These are the people who want to be the gatekeepers of what is and isn’t ‘fake news,’ remember.
Mislove commented on the issue:
“I think that many users don’t fully understand how ad targeting works today: that advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc… In describing this work to colleagues, many computer scientists were surprised by this, and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.”