Facebook Is Giving Advertisers Access To Your Shadow Contact Information (gizmodo.com)
Kashmir Hill, reporting for Gizmodo: Last week, I ran an ad on Facebook targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn't work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove's office, a number Mislove has never provided to Facebook. He saw the ad within hours.
One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a "custom audience." You might assume that you could go to your Facebook profile and look at your "contact and basic info" page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it's going about it in a less transparent and more invasive way.
[...] Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser. They came up with a novel way to detect whether that information became available to advertisers by looking at the stats provided by Facebook about the size of an audience after contact information is uploaded. They go into this in greater length and technical detail in their paper [PDF]. They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks. Officially, Facebook denies the existence of shadow profiles. In a hearing with the House Energy & Commerce Committee earlier this year, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it.
It's interesting to me that you believe they don't already have it. I genuinely believe that they're asking for your number so they can help protect your account... which said data is kept separate and compartmentalized from the data they know about you for advertising purposes.
Which has more power: the hammer, or the anvil?
I haven't had a Facebook account for years... this morning after reading the story about the Founder of WhatsApp, and a few days ago reading the articles from the founders of Instagram, I decided to delete my Instagram and WhatsApp accounts as well. The thing that disturbed me was that Instagram kept prompting me to follow users, claiming they were in my contacts list... but I had NEVER given Instagram permission to my contact list... so how did they know? Too creepy for me. I'm out. Instagram was a giant time suck anyway.
Which has more power: the hammer, or the anvil?
Friends don't let friends facebook.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I guess you didn't read the fucking summary: "I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove's office; a number Mislove has never provided to Facebook. He saw the ad within hours."
So Facebook already had the phone number, even though Mislove didn't provide it..... probably extracted from the white pages (phonebook).
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
which said data is kept separate and compartmentalized from the data they know about you for advertising purposes.
Why would you ever think that any data that they have about you is "compartmentalized" away from the advertising side of the operation? Are you really that naive?
As for TFA claiming that giving Facebook a number you think is private is helping other people you don't want to find you, to find you -- the person who targeted the ad had to GIVE THEM THE NUMBER for it to target the recipient. In other words, Facebook did not help anyone find this elusive professor, the person trying to "find him" already had his private phone number.
Had it been Facebook saying, "I recognize that name, would you like his private phone number?" that would be something different.
FTFA:
The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later. Ben can’t access his shadow contact information, because that would violate Anna’s privacy, according to Facebook, so he can’t see it or delete it, and he can’t keep advertisers from using it either.
The lead author on the paper, Giridhari Venkatadri, said this was the most surprising finding, that Facebook was targeting ads using information “that was not directly provided by the user, or even revealed to the user.”
So informing me that someone else has revealed a piece of my personal information to Facebook (and particularly one that I've not revealed to Facebook myself) is somehow a violation of the other person's privacy?
Give me a break.
Younger people don't realize that there used to be these books published, and given to everyone for free known as "phone books", and they listed your name, address and phone number. Anybody could look you up in these free books and know your location and how to call you. There are still "criss-cross directories" available at every public library where you can look up a street and get the phone number of people who live on that street. They're probably a lot less useful now that people are giving up land lines, but still...
How did we even survive the 20th century?
You are welcome on my lawn.
That isn't a shadow profile. What they are describing is an existing Facebook account which has a phone number tied to it that the user never provided to Facebook but was presumably attached by other sources.
I see what you mean, but that's probably precisely the kind of word game that allowed Zuckerberg to deny the practice. It's not technically a shadow profile in terms of a profile belonging to a person who has never signed up. However, it is shadow data attached to a voluntary profile, or in other words, hidden data scraped from online shadow profiles but associated with a non-shadow profile so that the claim can be made that it is not, in fact, a shadow profile. But this is mere semantics. Not only can this be understood as a shadow profile hiding underneath a voluntary profile, but it's even possible that the shadow data is actually stored separately and only probatively associated with the voluntary profile, in which case only this loose and volatile association would ground the pretense that it is not a shadow profile.
Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
It's interesting to me that this answer seems to come from someone every time someone else advises not to give Facebook your information. The message always seems to be "well they probably already have it anyway". Maybe they DON'T have it. If I give it to them, then I know they have it. If I don't give it to them there is still a chance they don't.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Since when are businesses/universities desk lines in either the white OR yellow pages?
They're not, and have never been.
Except that still doesn't work. I'm pretty sure I've got a fairly comprehensive shadow account. For example, I've never given Facebook my phone numbers or email / real addresses, but I'm pretty sure they have my name attached to them thanks to at least one recruiter who uses Facebook and had those details in their contact lists. One might have a landline, another a mobile, a third an address, etc., but all had my name.
Point being, it isn't necessarily your friends who have inadvertently released the data, it's anybody you've had contact with. Or anyone they've had contact with. Or anybody they've had contact with, because you can be sure that the trifling problem of n degrees of separation and probabilistic determinism that this data record has a common key to that data record was solved years ago.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
I think we're missing the key point of TFA - Facebook knows stuff that it claims not to know.
Here's the scenario they played out:
Alice and Bob have an offline transaction, and as some part of it, Alice gives Bob her landline phone number.
Alice has a Facebook profile, but never links her landline phone number to it.
Bob buys a Facebook ad, targeted to Alice's landline.
Alice sees the ad.
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
Actually, no, "Google Authenticator" is just an app which implements the OATH TOTP protocol (a.k.a. RFC 6238). There are several other implementations out there, and they're pretty much all compatible.
It's possible (although I don't know if Google's app does so) for the generator application to be a purely offline app with no external access whatsoever.
It functions essentially like one of the old RSA SecurID tokens - an offline token generating 6 or 8 digit time-based id numbers.
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
My university published a "white pages" listing every professor's desk phone. It was also published online, so Google/others could easily gain access to it.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
This is my strongest (but not only) objection to 2 factor authentication as it is frequently used. The 2nd factor is usually a phone, and nothing seems to keep the company from selling that very valuable information.
The claims about security are largely bogus as the many social hacks around 2 factor authentication have shown.
Except it is happening on a mass basis with Facebook constructing profiles on all people, as privacy invasive as possible (now probably to skirt investigation, they are contracting it out to an off balance sheet company owned by Facebook executives, so Facebook isn't doing oh no, company Facebook owns is doing it, naughty, naughty people that they are, here is a list https://en.wikipedia.org/wiki/..., take your pick of participants in the lie, Facebook ain't doing absolutely not, some company on this list is though). Google paid for credit card purchases information which the credit card issuers in the most corrupt fashion imaginable provided. I'll bet Facebook will be chomping at the bit to do the same.
Everyone knows the reality, Facebook, Google, Twitter, M$ have all proved to be bad actors and you should stop using them as much as possible and you should strive to get others to do the same. It is nothing about what power we want and all about how they have abused the power we allowed through insatiable greed.
Chaos - everything, everywhere, everywhen
Actually it won't, unless you live a hermit's life in a cabin in the woods.
Do you ever buy on line? Facebook knows about it. As does Amazon and Google.
Remember the Equifax data breach? Does anybody with a brain actually believe that Google, Facebook, the NSA et al. haven't scraped all of that data? Purely for their own protection of course.
Do you have friends? Family? You can bet Facebook has gotten data from them on you. Plenty of recent data.
Burning Facebook's servers to the ground being impossible you're right about that.
As someone who knows history I know that when human populations were smaller and people mostly lived in villages privacy was non-existent. Faster transportation and bigger urban populations gave humans the illusion of privacy for a couple of centuries, but we're pretty much back to the everyone knows your business village now, except it's a global village.
I own a small bit of woodland and have lost the deeds. Can I just ask FB for a copy? That would be really handy.
How did we even survive the 20th century?
We opted out of the public phone book. In fact the phone company used to ask you if you wanted to opt out when you signed up for service.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC