Slashdot Mirror


Facebook Is Giving Advertisers Access To Your Shadow Contact Information (gizmodo.com)

Kashmir Hill, reporting for Gizmodo: Last week, I ran an ad on Facebook targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn't work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove's office, a number Mislove has never provided to Facebook. He saw the ad within hours.

One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a "custom audience." You might assume that you could go to your Facebook profile and look at your "contact and basic info" page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it's going about it in a less transparent and more invasive way.

[...] Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser. They came up with a novel way to detect whether that information became available to advertisers by looking at the stats provided by Facebook about the size of an audience after contact information is uploaded. They go into this in greater length and technical detail in their paper [PDF]. They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks.
Officially, Facebook denies the existence of shadow profiles. In a hearing with the House Energy & Commerce Committee earlier this year, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it.

5 of 130 comments

  1. Re:Simple fix by PopeRatzo · · Score: 2, Informative

    As for TFA claiming that giving Facebook a number you think is private is helping other people you don't want to find you, to find you -- the person who targeted the ad had to GIVE THEM THE NUMBER for it to target the recipient. In other words, Facebook did not help anyone find this elusive professor, the person trying to "find him" already had his private phone number.

    Younger people don't realize that there used to be these books published, and given to everyone for free known as "phone books", and they listed your name, address and phone number. Anybody could look you up in these free books and know your location and how to call you. There are still "criss-cross directories" available at every public library where you can look up a street and get the phone number of people who live on that street. They're probably a lot less useful now that people are giving up land lines, but still...

    How did we even survive the 20th century?

    --
    You are welcome on my lawn.
  2. Re:Simple fix by Rick+Zeman · · Score: 4, Informative

    Since when are businesses/universities desk lines in either the white OR yellow pages?

    They're not, and have never been.

  3. Re:Simple fix by stoborrobots · · Score: 3, Informative

    I think we're missing the key point of TFA - Facebook knows stuff that it claims not to know.

    Here's the scenario they played out:

    Alice and Bob have an offline transaction, and as some part of it, Alice gives Bob her landline phone number.

    Alice has a Facebook profile, but never links her landline phone number to it.

    Bob buys a Facebook ad, targeted to Alice's landline.

    Alice sees the ad.

  4. Re:Simple fix by stoborrobots · · Score: 3, Informative

    Actually, no, "Google Authenticator" is just an app which implements the OATH TOTP protocol (a.k.a. RFC 6238). There are several other implementations out there, and they're pretty much all compatible.

    It's possible (although I don't know if Google's app does so) for the generator application to be a purely offline app with no external access whatsoever.

    It functions essentially like one of the old RSA SecurID tokens - an offline token generating 6 or 8 digit time-based id numbers.

  5. Re:Simple fix by Obfuscant · · Score: 1, Informative

    I think we're missing the key point of TFA - Facebook knows stuff that it claims not to know.

    They didn't claim not to know contact information of Facebook users. From the /. article linked to as evidence that "Facebook denied doing this":

    Lujan: Facebook has detailed profiles on people who have never signed up for Facebook, yes or no? ... Lujan: So these are called shadow profiles, is that what they've been referred to by some?

    So, these "shadow profiles" are for people who have never signed up for Facebook. Alan Mislove IS A FACEBOOK USER, and is signed up to that service. The profile that Facebook has on him is not a "shadow profile".

    Also, in the previous article, if you read carefully, you'll note that Zuckerberg never denies having information on people who do not have Facebook accounts, he denies knowledge of what "some people" call such profile information. The question is "So, these are called 'shadow profiles' ...?" You are a FOOL if you answer anything but the specific question you were asked when testifying anywhere. Zuck ain't no fool.

    Alice has a Facebook profile, but never links her landline phone number to it. Bob buys a Facebook ad, targeted to Alice's landline. Alice sees the ad.

    The study being reported on says "They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account". How can you claim the issue is one where the user never gives Facebook the number? They gave it to Facebook but not through the normal settings pages for entering contact information.

    What do you think entering a phone number for 2FA means, if not "this number is mine"? How can you possibly imagine that this is not linking that phone number to you?

    Yes, it is a problem that your friends are giving your super-secret personal information to Facebook or other data aggregators. It's a problem with your friends. And yes, I've had family members give such people my email addresses and phone number. It's a bitch.