
Facebook used two-factor authentication numbers to target consumers

Tim Maytom

Facebook has confirmed that it is making use of mobile phone numbers provided to the firm for security purposes to target those same consumers with advertising. The confirmation follows research work by two US academics investigating the firm's use of data not explicitly provided for ad targeting.

The research, reported by Gizmodo yesterday, found that phone numbers provided to Facebook for two-factor authentication (2FA) were used for ad targeting. 2FA is a security method that means logging into Facebook (or another piece of software) requires a confirmation code delivered via SMS, adding a second layer of security.

Many users and industry analysts have suggested in the past that Facebook uses its powerful and extensive reach to access the contact details of individuals who have not given permission for ad targeting. This admission by Facebook is confirmation that details provided in good faith for other purposes are still used for ad targeting, something it has not explicitly acknowledged before.

Several months ago, Facebook users who complained about repeated notifications to the number they provided for 2FA were told that the messages were a bug, but Facebook failed to mention that the information would still be used for ad targeting.

"The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications," said Alex Stamos, then-chief security officer at Facebook, in a blog post written at the time.

A new statement provided by a Facebook spokesperson said, "We use the information people provide to offer a better, more personalised experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you've uploaded at any time."

While the majority of users will doubtless be accessing Facebook via an app on the same phone they use to receive 2FA messages, the targeting can be far more extensive than that. As part of the study, the researchers were able to target advertising to an account using a non-mobile phone number (a feature only added by Facebook in May) that had not otherwise been associated with the profile anywhere other than through 2FA.

Following the confirmation by Facebook, many industry experts criticised the firm for this breach of trust. Alan Mislove, a computer science professor and associate dean at Northeastern University who was part of the research study, said that Facebook could be far more transparent in the way it approaches customer data, and enable users to understand which personal information was used to target any given ad.