Facebook is Using Your 2FA Phone Number and Contacts for Advertising

Image: Jessica Jones with a Facebook logo over her face, peering through a camera. Caption: Hiding from Facebook is harder than hiding from a super-powered P.I.

Two-factor authentication, or 2FA, relies on the principle of using two factors to authenticate a user. Specifically, it uses something that you know (your password) and something that you have (your phone). With 2FA enabled, an attacker would need both your password and direct access to your phone. Strong 2FA, such as a scheme that uses an authentication app like Authy, protects your account from nearly all remote attacks. If a service you use, such as Gmail, Facebook, Twitter, or your financial accounts, lets you use 2FA for logins, you should absolutely do it. Usually, you have nothing to lose but a slightly longer login process.

But what if you have to give up more than a few seconds to log in? What if you have to give up privacy for security? That’s what Facebook is asking users to do. If you use 2FA on your account with your phone number, Facebook will use your phone number for advertising. Here’s what Facebook is doing and how you can stop them without sacrificing security. In fact, this method will make your security stronger.

Facebook is Taking Advantage of Users

Facebook is in the business of collecting and using personal information. They don’t care how they go about doing that. You might think that data could be safe, because you don’t give Facebook direct access to it, but you’d be wrong. Facebook didn’t become a billion dollar company by only collecting data you provide them willingly, but they’re not foolish enough to ignore anything you do hand over.

Getting Your Number from 2FA

Until last May, all 2FA on Facebook required a phone number. If you wanted to protect your account, you had to give Facebook your phone number. Surely they wouldn’t use a security feature to gather more data on you to aid advertisers in targeting you, right?

Wrong.

Removing your phone number from 2FA on iOS

If you gave Facebook your phone number for 2FA, they started tracking you based on it. If a company wanted to target people based solely on their phone numbers, perhaps from their customer registry, they could do it. Companies also buy phone numbers from each other, sharing them between brands and with partners. If you used your phone number to sign up for a store card somewhere, and then bought, say, dog food at that store, the store could share your information with interested dog food companies. Maybe Blue Buffalo will advertise on Facebook that Iams is awful for your dog and you should get Blue Buffalo instead, after seeing you’ve purchased Iams in the past.

2FA should have only been used to keep you safe. Instead, Facebook saw it as another opportunity to gather data from you.

Getting Your Number from Your Friends

Of course, Facebook likely already has your phone number anyway. They’re kind of like a creepy guy you met once at a party who, through a friend, got your phone number. In fact, that’s exactly what they do. Facebook asks users to upload their contacts so it can find their friends on Facebook and Messenger. What they don’t tell you is that they store all the contact information from those friends, including address and phone number. They’ll store that information without telling your friends they have it, but advertisers will be able to target your friends using it.

Shadow Profiles

Screenshot: the privacy setting for who can look you up by your phone number. The most restrictive option is “Friends,” and yet advertisers can still access this Personally Identifiable Information (PII) even with it set to “Friends.”

These are examples of “Shadow Profiles,” the information Facebook has on you that you didn’t give the company. It’s the information they inferred from your friends, your location, your 2FA contact information, your credit card, and likely much more. Facebook won’t reveal how much information they have on Americans, claiming they need to protect their proprietary algorithms. They might not engage in the same practices in Europe, where companies are required by law to give users all the information they have on them.

Researchers have been able to prove the existence of these “shadow profiles.” Facebook might keep their service as a “black box,” an object that hides its inner workings, but we can still figure out what they’re doing by controlling information flow through it.

Screenshot: Facebook privacy settings with “Only me” selected. Even with these options turned on, advertisers can still target you using these means.

By creating brand new profiles and uploading contact information, they were able to prove that advertisers can find users based on the contact information uploaded by other users. They were also able to prove that Facebook advertisers can use 2FA phone numbers for targeting users. Potential advertising reach increased, and researchers could target these individuals directly. The researchers proved that advertisers can target you on Facebook using information you’ve never willingly given to Facebook, and they can also use information you’ve set to “Only Me” privacy.

If this sounds shady, it is. In Europe, these practices would be illegal without user consent. But in the United States, consumer protection takes a back seat to corporate interests. While Facebook would not admit to these practices before this study, they’ve since verified it.

How to Enable 2FA Without a Phone Number

At this point, you might be thinking, “Why bother fixing the 2FA settings? They’ve got my number anyway, right?” And you know what? You’re probably right. However, 2FA that uses an app like Authy or Google Authenticator is slightly more secure (and more reliable) than 2FA that relies on a phone number. Because of Google’s anti-privacy stance, though, I recommend Authy. Beyond that, there’s always a chance your friends prevented Facebook from accessing their contacts.

First, download Authy on the App Store or Google Play. Next, log in to Facebook on your computer. Go to Settings, then Security and Login. Scroll down to Two-Factor Authentication. If you already have it set up with your phone number, disable it. You can re-enable it afterwards with your Authy app. Next, go to set it up with an Authentication App. You should see a QR code on the screen.

Now, open Authy on your iPhone or Android device. If you haven’t already, set up an account. When you’re all done, go to Settings > Accounts. Press the “+” button at the top. Tap Scan QR Code, allow camera access, if necessary, and then scan the Facebook QR code.

Now, return to Facebook, tap next, and enter the code that appears in Authy for your Facebook account. Click finish, and you’re done! Now if anyone tries to log in to your Facebook account from a device that you haven’t previously authorized, they won’t be able to, even if they have your password. Unfortunately, this wouldn’t have been enough to protect you against Facebook’s most recent hack, but with any luck, Facebook will have learned their lesson and no longer use authentication tokens for anything but logging in.

Block Facebook from Seeing Your Contacts

As long as you’re improving your Facebook security, you might as well improve your friends’ privacy as well. To do this, we’re going to make sure Facebook doesn’t have access to your address book on iOS and Android.

Block Access on iOS

Start off by going to Settings. Scroll down to (or search for) Privacy. Select Contacts. Make sure neither Facebook nor Facebook Messenger is enabled in this list. If either is, turn it off.

Block Access on Android

Because Android settings screens can be slightly different between manufacturers, I’m going to recommend the search method. Open Settings. Tap the magnifying glass search icon at the top, and type in “Default apps.” At the top of this page, you’ll find an item called “App permissions.” Tap that. You can also get here through Settings > Apps > Three dot button > Configure Apps > App Permissions.

Next, tap Contacts. Scroll down to Facebook, and make sure this is off.

Why You Need to Do This

If you don’t turn these options off, Facebook will upload your contacts, and be able to find your friends through their contact information. Facebook claims they delete this information every few weeks if you’ve turned this off. So, even if you’ve allowed access in the past, if you disable it now, Facebook will eventually delete the personally identifying information for your friends. Of course, if your other friends have left this on, Facebook will still have this information from other people. The only thing you can do is spread the word and hope your friends disable this “feature.”

If You Use Facebook, You Can’t Escape

It’s unlikely that you’ll be able to convince all of your friends to stop uploading contact information. They likely have your phone number, email address, and potentially even your home address. Don’t want your work email associated with Facebook? If you have a friend who’s also a coworker, they likely have both your private email address and your work email address in their contact entry for you. If they haven’t blocked Facebook’s access to their contacts, Facebook has this.

Facebook is an advertising platform disguised as a social network. If you use Facebook, you are compromising your privacy and providing far more information to advertisers than you likely want to. There are measures you can take to prevent this access, but Facebook has likely found ways around them already. Even if you remove all data from Facebook except your name, advertisers will likely be able to find you by location, email address, phone number, and other demographic information. Remember, when it comes to online services, if you’re not paying for the product, you are the product.

