As a security engineer, I cannot overstate just how horrible this is. Phone numbers might not be an ideal 2nd factor for authentication, but to punish users for setting up 2FA by using the provided phone number for ad targeting is incredibly unethical.
What's facebook's boiling point? My guess is they'll respond, they'll no longer use 2FA #'s for ads, the damage will have been done, and 99% of the population won't know any of it occurred. We'll repeat this cycle when a fresh revelation occurs months from now, as facebook continues to test how much they can leverage for more ad revenue.<p>But none of it is actually slowing FB down. Its biggest dip in value came from decelerating growth and spending to make FB more user-friendly, so there's a clear disconnect between shareholder incentives and those of the general populace.<p>On top of that, most people remain unaware that FB owns both WhatsApp and IG, and while the departures of their top brass have made waves in these circles, it's not a concern for most.<p>I don't see FB's dominance relenting any time soon, though I wish it would.
"Give me as much service as you can while keeping me as far off the grid as possible" is a skill that is sorely lacking in this market. I don't have this problem with weed dealers, but I have this problem with information dealers. Internet companies could seriously learn a thing or two from the black market on how you treat your customers.
Another personal observation. I have an Instagram account that I thought was fully incognito. I never connected it to any other social account, I used a separate email for authentication etc. Just days after the Instagram founders left Facebook I started receiving friend suggestions on my IG that were very very relevant. Those were people I knew in real life and mostly connected via Facebook, but not only. I shouldn't be surprised, as being connected to the Internet by itself is an end to your privacy, but still, this was probably the spookiest invasion into my privacy so far. Bye-bye Instagram.
The reason I never give fb my mobile is if you use a pseudonym account, it will suggest your profile as a friend to anyone who has your mobile in their phone contact list (eg ex-partners, stalkers, employers, drug dealers). Found that one out the hard way.<p>I know Zuck wants me to preemptively upload my nudes, but still.
I recently interviewed at Facebook (didn't pass the in-person) and one thing I was looking for was a job that WASN'T based on ads. I didn't want to come across negative so I was circumspect in my asking ("Tell me about the positions at Facebook that I as an outsider don't know about - I know ads, messaging, and events"). I wasn't really excited by the answers I got - ads seemed worked into everything they brought up, but the answers weren't super-nefarious either. This was the Seattle office, which apparently has a strong ads basis. Because they hire people and then (allegedly) let them pick from available team openings (after a "bootcamp" to do onboarding), I simultaneously felt like I'd have a chance to avoid the worst but also couldn't be sure of what I was committing to.
I didn't pass the interview and the few weeks since have tried very hard to make me not regret that by raising issues like this one, despite my natural tendency to give FB the benefit of the doubt and to recognize the difficulty of moderating speech sanely.<p>I've never had such uncertainty about what a job would involve before - the "you find your match" sounded good initially, but in retrospect I'm wondering if I dodged a bullet - so hard to know.
<i>> They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks.</i><p>I have always been suspicious of the aggressive "give us your phone number to secure your account" campaigns that so many sites/apps are running. And I think this is a HUGE disservice to users.<p>At first I was like, cool, companies are being responsible and encouraging good security practices, good on them. But there was something a touch too.. aggressive and "marketing-y" about it. It raised my spidey sense. Maybe the form and frequency and placement of them just was too familiar to previous campaigns to grab your email for "opt in" spam.<p>All of these companies should be shamed to high hell. Getting people to adopt 2FA is so important and here they are <i>shamelessly</i> exploiting it to market to you for undisclosed purposes.. well, buried in the privacy policy, but you know how that goes. The prompt is 100% about securing your account and nothing mentioned there about using it for targeting.<p>Seriously F these companies for breaking user trust.<p>ALSO: Did Zuckerberg lie to Congress?[1]<p>[1] <a href="https://techcrunch.com/2018/04/11/facebook-shadow-profiles-hearing-lujan-zuckerberg/" rel="nofollow">https://techcrunch.com/2018/04/11/facebook-shadow-profiles-h...</a>
I am becoming anxious to see some action out of the DOJ Anti-Trust division against Google, Facebook, and Amazon, etc. These tech behemoths effectively own most of the consumer internet and they use their muscle to either acquire or force out the majority of other players. More regulation is not going to cut it (or else it would have already).<p>In America (and most places), law normally lags quite a bit behind the events of the day. Standard Oil destroyed markets unchecked for several decades in the 1800s. No individual or company could withstand their market power. Then the government divided it into dozens of vertically integrated companies, which allowed for a wave of new market entrants, better deals for consumers, and higher standards of living for more people.<p>We are obviously at that breaking point now with the tech behemoths and their sprawling, impregnable market power. It is time for antitrust action against Facebook and the gang.
I talked with the lead engineers from a company back in 2014, that shall remain nameless, that bought private profile data from Facebook, ran it through a bunch of algorithmic mumbo jumbo, and sold the aggregated data to marketing firms. They acted like this was really cool and awesome, much like the wide-eyed cultists. It was very creepy, and I backed away slowly even though this place was looking for more engineers.<p>This kind of thing has been going on forever, and I've told people this. 99% of people don't actually care, though.
You can personally decide not to use Facebook, which is good. But you can't convince everybody to do that. So if you or your family members do use Facebook, <i>at least</i> install an ad blocker for all of them.<p>Not for privacy, but to deny them revenue. I block Google ads on every single site I visit, period. I don't care if the advertising is non-obtrusive. If it's being run through Google, part of that revenue is going to fuel Google's tracking. I support creators directly instead. And if creators refuse to give me a way to support them, that's not an excuse to expect me to contribute to Google's bottom line.<p>Huge props to the people who are working on blocking trackers and protecting privacy. I'm very glad they exist, and I don't think their efforts are worthless. But, it is <i>currently</i> a losing battle to fight these companies on the privacy front, because the tracking model is so profitable that they will always be pushing more resources into it than we are. Collectively, the people fighting for privacy don't have enough resources to win.<p>But there's an easy, completely legal solution to that problem; the one thing companies haven't figured out how to get around is ad blocking. And a good ad blocker will block even native ads. For a company like Facebook, all of this boils down to getting you to click on ads. If enough people target that chokepoint, then the advertisers will start pulling out of the system, and there'll be less financial incentive for these companies to undermine people's security and privacy.<p>And we have evidence that this works. Even Google, which is the powerhouse for getting their ads to actually show up, is starting to devote more resources into trying to figure out how to stop mainstream people from installing adblockers. That's where all the autoplay stuff came from, that's where the acceptable ads initiative came from. 
They desperately want your roommate to say, "I'm not going to mess around with these weird Chrome extensions or whatever, that's too complicated. Chrome blocks this stuff itself, anyway."<p>Install adblock on every browser you get access to, tell ordinary people who aren't on HN to use it, and let the advertising industry kill itself. Make it very obvious to companies that buying ads on Facebook is a complete waste of time because even non-technical users just won't see them.
As an FB Marketing API developer, this has been available for several years. The way it works, advertisers can send their phone list to FB for ad targeting. However, phone hashes are sent, not clear ones.<p>Personally, as long as the user has opt-out and opt-in options, I don’t think ad targeting is necessarily an unethical pattern; the blurring lines of ads and recommendations would actually be a pattern that users might like. Would you rather use Netflix or Spotify without a recommendation engine?
All my personal details on Facebook are (and have always been) false. My phone number is the number of a hotel in Monte Carlo. When Facebook nagged me to give them my mobile number for 2fa I ignored them. My friends thought I was crazy. I know it's not exactly gracious of me but feeling very self righteous right about now.
The other really stupid thing, besides generally hurting the adoption of 2FA forever, is that they probably did it for hardly more than scraps, compared to their conventional ad targeting capabilities.<p>Maybe I am completely wrong about this, but I'm pretty convinced that almost all of the ad spending for that feature would have reached Facebook's coffers anyways had it not been available.
> A spokesman also told us that users can opt out of this ad-based repurposing of their security digits by not using phone number based 2FA.<p>That's one way to encourage people to use 2FA App, I guess.
Didn't we have this discussion already earlier this year and they told us it was an unfortunate bug and that it has been fixed?<p>Yes. Yes. We did: <a href="https://www.theverge.com/2018/2/16/17022162/facebook-two-factor-authentication-sms-notifications-security-bug" rel="nofollow">https://www.theverge.com/2018/2/16/17022162/facebook-two-fac...</a>
I only use Facebook like every month now but it <i>always</i> asks about my phone number. It also asks me to enable a log-in short-cut every time.<p>This last time, they crossed a line: they <i>pre-filled the field</i> (I do NOT have this set up in the browser), meaning they <i>already figured out my number</i> (probably by scrubbing some friend’s phone) and just want it confirmed. To hell with that. I would <i>not</i> be surprised if every spam call in existence can be traced to Facebook.
Inaccurate headline. Being targetable is different than them "giving access" to the information. The actual information is not shared with anyone.
It should be already well understood that free services aren't free. To me the moral issue of the story is how Facebook isn't upfront about "the cost" of the services they provide.<p>You want to use facebook to get in touch with friends? We all now know that you will be targeted by ads customized with every piece of information that you reveal (and some bits that you are not even aware you are revealing...)<p>Assume that an extra layer of security is also costing you some privacy. Interesting dilemma...
I always imagined they would probably end up doing this, and that's why I've never accepted 2FA anywhere a site has tried to push it on me. They can't spam me if they don't know my number...
Again? Weren't they called out on this about half a year ago already? Did they continue doing this? How irresponsible, and what a total lack of any ethical standard. It's horrible but mostly just sad that users are just a commodity to make profit. So let's trick them into signing up for 2FA to pretend they have more security and then we can send them nice little ads. What a bad company this has become.
People on multiple platforms dislike me for discrediting Facebook. Simply talking about facts and what they could expect. They think they know it all. Some corps are good, some are evil. People tend to forget that an evil person could also be your most trusted and reliable one. I work as a cyber security engineer and the things I have seen flying by are crazy. The fact that information is sold without your knowledge is real. It's a dark world out there in disguise.
I had my mobile phone number appear pre-filled in an add-your-number-to-your-account prompt on Facebook's mobile website while I never provided it in any way to Facebook myself (in the meaning of: neither added it to my account nor mentioned it ever on the website; I never used their apps at all either). They had farmed it from one of my contacts' address books, obviously.
Not surprising that they'd do that but still a disconcerting feeling to actually see it happen.
I'm in a weird situation. I opened my Facebook account with a phone number, not an email; my username is a phone number I had ~5 years ago. I lost the SIM card ~4.5 years ago, so since then I still use the same login. Every time I log in, Facebook asks me to update my phone number because it's no longer valid, so they probably know it's been recycled and someone else owns the number. Another thing... a year ago, I got a new SIM card with a new phone number again (I change my number every 1-2 years), and since that time I can't use this phone number to set up 2FA because... someone else on Facebook has this number in their profile!
I guess EU users should be fine? GDPR is a masterpiece.<p>I actually assume that they violate GDPR, but GDPR gives users a sliver of chance to fight back.
Wait? Did somebody ever doubt this? I always believed collecting phone numbers for their marketing needs is exactly the reason why any of the social networks ever introduce SMS auth.
The situation is such that this is what's expected of Facebook. It would be a shocker if Facebook didn't do this. Actually, it's quite surprising that it took so long to do this.<p>Bottom line, Facebook will devalue you as a human and invade your privacy in any manner possible for as long as it can withstand legal pressures and get away with paltry fines. Obviously, all these measures are to provide users with a better experience. That's Facebook's DNA.
You'll notice whenever you get the banner to add a phone number for 2FA, it says "add your phone number for additional security <i>and more</i>"
The only justification I could come up with is that Facebook has grown so big that "one hand does not know what the other hand is doing." That the security and privacy folks at Facebook agreed to this kind of abuse is somewhat hard to believe, and the most likely explanation is that these features never got fully reviewed and vetted. Either way it's a big failure.
Don't get me wrong, this is absolutely a scummy thing to do since it's deceptive. That said, I don't understand why everyone thinks this is such a big deal. They already have your phone number from 2FA anyways, and they already show advertisements. What difference does it make that they let advertisers target people based on their number?
I'm not sure I understand what's going on here and the article doesn't really explain. What does it mean that they are "using your 2FA phone number"? It doesn't seem like they are texting ads to people. Are they just using the area code to determine where you live?
And yet in April Mark Zuckerberg told the US Congress that he wasn't "familiar" with shadow profiles[1]:<p>Lujan: Facebook has detailed profiles on people who have never signed up for Facebook, yes or no?<p>Zuckerberg: Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers].<p>Lujan: So these are called shadow profiles, is that what they’ve been referred to by some?<p>Zuckerberg: Congressman, I’m not, I’m not familiar with that.<p>[1] <a href="https://techcrunch.com/2018/04/11/facebook-shadow-profiles-hearing-lujan-zuckerberg/" rel="nofollow">https://techcrunch.com/2018/04/11/facebook-shadow-profiles-h...</a>
This is the kind of thing that is stupidly hard to fight now. Even if you block Facebook’s 80,000 domains at your router, your friend’s address book dump gives lots of goodies to Facebook and 3rd parties and you can’t touch it. Every new thing they try becomes illegal in 2 years “but not yet” so they do it until they can’t.<p>Sometimes it seems like the “Default deny” security concept needs to apply to Internet companies. Instead of having <i>years</i> to screw with data and the Internet until told “no”, how about every idea they have is illegal until it can be proven through thorough review that it might be valuable?
This is probably the reason Jan Koum left Facebook. He knew the betrayal of the privacy promise of WhatsApp was completed by Facebook by doing exactly this.<p>This doesn’t surprise me at all. Facebook has been bothering me for YEARS to enter my mobile number for “account recovery” purposes. My email is fine for that.<p>Now Facebook is recommending pages and friends to me whom I am only connected with on Instagram. Not to mention Facebook notifications are now integrated into IG.
I wouldn’t be surprised if these were the final nails that made Kevin Systrom leave.
This should have been obvious for anyone who is paying attention.<p>When data collection and advertising companies such as Facebook (and Google) push a feature actually beneficial to users so aggressively – such as 2FA – during the sign-up process; you'd have to be naive to think it's for your benefit.<p>It's not 2007 any more... tech savvy users should know better than to trust such organisations with any scrap of additional personal information than absolutely necessary.
I believe that for us to wait for our governments to make regulations around our privacy and data is overly optimistic. Since companies like Google and FB exist on a global market, the only way to truly bring about any real changes is to take away the very thing that they're looking for, and that's our use of said services. As someone that works daily with the general public trying to educate them on the safety and use of their technology, I often ask what their feelings are on the subject of companies like FB and Google selling their data to anyone willing to pay for it. The response I get the vast majority of the time is that they aren't doing anything illegal, so why would they care? My response to that is "Would you let strangers walk into your house and dig through your personal items?". Every time I get the same response. "Of course not!" Well, in my mind this is no different. I've read a lot of suggestions on what we feel government should do to regulate these things, but we need to face facts here. Society is addicted to many of these services. The simple solution would be to just STOP USING THEIR SERVICES. There are alternatives to both of those services. We now know that the data being collected and sold has the potential of revealing information that could be used maliciously against us, and we complain about what's going on. But then many people turn right around and continue to use the free service. I truly feel that this isn't totally an issue with government regulation as much as it is an issue with the vast majority of its users being completely addicted to it. If we want to truly make any kind of impact we need to take personal responsibility for these things. And not only that, but as people that are knowledgeable on these topics we need to educate those non-technical people around us just what it is they're giving up when they click Accept on their EULAs and privacy agreements.
As much as I dislike what FB and Google are doing at the end of the day they are counting on the fact that the general public won't spend even 30 seconds reading these agreements. If users care so little about the fact that they're making a legally binding agreement why would FB and Google? Most are so concerned with getting access to whatever service they're attempting to gain access to that they just click the accept button with little or no thought about what it is they're agreeing to. Government can't be expected to do our thinking for us.
Umm, based on the content of the article, no, Facebook did NOT give advertisers access to your shadow contact information.<p>Advertisers can specifically say that they want to advertise to a phone number THAT THEY ALREADY HAVE (READ: THE ADVERTISER ALREADY KNOWS WHO YOU ARE). And Facebook will display those ads to the Facebook account that uses that phone number in their shadow contact info.<p>At no point does the advertiser have access to which Facebook account that is.
We know that social networks are here to stay, and even if people disagree, the writing is on the wall for Facebook to have a Myspace moment as soon as an alternative is available.<p>What will it take for some prominent VCs/investors to just come together and create a fund to fund an FB replacement? If done right, they will make a killing (from a returns perspective).
Orwell's final warning is chilling and beautiful; in some kind of perverse metaphorical sense it's strangely relevant to the future of the Brave New World that we are "faced with":<p><a href="https://www.youtube.com/watch?v=SIoAX5bI6S0" rel="nofollow">https://www.youtube.com/watch?v=SIoAX5bI6S0</a><p>edit: typo
The article states that you can give Facebook a list of phone numbers or email addresses and it will put your ad in front of only those people. Does anyone know how small a list you can target? List of one? List of one plus N number of dead email addresses? Therefore a list of one, but more expensive?
It upsets me that the "normal" way to keep in touch with people now seems to be to use some kind of big-brother-esque system.<p>I try and evangelize Signal over WhatsApp and most of my friends won't budge. I deleted my Facebook four years ago, and as a result I have lost contact with a lot of friends.
I work in sysops. Our user base is largely 40+ year olds. It has taken us nearly two years to convince our users to use a phone or email for password resets. We are now moving to 2FA and this sort of stuff only hurts the industry.
The big picture here seems to be eluding people. Let's not get bogged down with semantics and logistics. It boils down to self-preservation; people need to understand who/what that "self" is.
>The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben.<p>Why didn't the author use Alice and Bob?
No surprise. But what can one do? Btw this is definitely not GDPR-compliant, because consent isn’t given for using the phone number this way.<p>I feel helpless, even though GDPR is in place.
At what point are people going to stop being surprised by news like this?<p>That’s their business model, it’s what they do. If you use it, treat all data as public.
Otherwise, don’t.
I really liked it when people downvoted me when I wrote that Google pushing for 2FA phone numbers is doing it to get your phone number. (They don't use it for ads, but lately I don't trust them; also 6 months ago I removed my FB.)<p>In the end I gave Goog even 2 of my numbers because I am scared as hell to lose access to my account. I got my Gmail account when it was 'invite only', so it has been my main account for a long time. Have to move out of it soon.
Cambridge, WhatsApp founders, Instagram founders, 2FA exploit and so on. What's next for Mark?
And actually what would be the trigger for people to flee away?
It’s a cycle. Facebook has been doing nasty shit and apologizing for it since 2003. I’m starting to think they aren’t actually sorry.<p><a href="https://www.wired.com/story/why-zuckerberg-15-year-apology-tour-hasnt-fixed-facebook/" rel="nofollow">https://www.wired.com/story/why-zuckerberg-15-year-apology-t...</a>
The url should point to the Gizmodo article; not the sensationalizing tweet.<p><a href="https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051" rel="nofollow">https://gizmodo.com/facebook-is-giving-advertisers-access-to...</a><p>The actual story is FB enriching your profile with shadow contact information about you when you <i>or third parties</i> provide it with details it wasn't aware about yet. For instance when a friend of yours has your landline number in their address book and gives FB access to the latter; or when an advertiser provides FB with the same as part of targeting an ad campaign.
I didn’t give facebook my phone, my email has timed out (and facebook knows it, it deactivated my email) and I forgot my password, more or less intentionally. So the only thing tying me to Facebook is my browser cookie. I have to say, I’m surprised I’ve been able to keep this account open for years in this state, it’s almost as if they really wanted me to stay. But it’s possible to keep a facebook account alive with no accurate contact information.
Google has been pushing SMS 2FA a little more aggressively over the past couple of years, too. And I think Apple made it "easier to use SMS 2FA" in iOS 12 for the same reason.<p>I also said before that this is <i>exactly</i> why Facebook wanted to "verify people's faces for security purposes", too. It just seemed so obvious to me that Facebook would use security as an excuse to get people to put their own 100% accurate face scans into Facebook. It's also because Facebook used the same excuse with the shadow tracking (it's for your own good!), which is as ridiculous as Google claiming Analytics is for website visitors' own good.
I'm surprised people didn't know this... this has been happening for at least 4 years through custom audiences. An advertiser can upload a list of mobile numbers or email addresses to target people.
Phone numbers were not a secure 2FA anyway, and I've been using the TOTP alternative since it's been available... but I don't really see a problem with them using whatever to show "more relevant ads", if you don't want ads just use an ad blocker.
I was purging my life of all things Google(Facebook went first), so I was changing my email addresses under all my various accounts. An odd thing happened when I was changing my info for my Microsoft account: they texted my as a security precaution. The only problem is that I NEVER gave Microsoft my phone number. I do not have 2FA set up. In my contact details, there is a blank for my phone number. WTF Microsoft.
I think it's much worse when HTC places ads on your phone via bloatware apps that can't be uninstalled. That's absolutely vicious and hardly ever gets any press time. But, oh, Facebook makes a minor little slip-up, and they even FIX the problem, and everyone loses their heads over it.