Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Facebook Privacy Social Networks Technology

Facebook Is Giving Advertisers Access To Your Shadow Contact Information (gizmodo.com) 130

Kashmir Hill, reporting for Gizmodo: Last week, I ran an ad on Facebook targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn't work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove's office, a number Mislove has never provided to Facebook. He saw the ad within hours.

One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a "custom audience." You might assume that you could go to your Facebook profile and look at your "contact and basic info" page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it's going about it in a less transparent and more invasive way.

[...] Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser. They came up with a novel way to detect whether that information became available to advertisers by looking at the stats provided by Facebook about the size of an audience after contact information is uploaded. They go into this in greater length and technical detail in their paper [PDF]. They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks.
Officially, Facebook denies the existence of shadow profiles. In a hearing with the House Energy & Commerce Committee earlier this year, when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it.
This discussion has been archived. No new comments can be posted.

Facebook Is Giving Advertisers Access To Your Shadow Contact Information

Comments Filter:
  • Come on, people, it's time to delete yourself from Facebook, wean your actual friends off it, and set your adblockers and NoScript to prevent Facebook from tracking you even if you aren't on Facebook anymore. Do yourself a favor, do it today.
    • I haven't had a Facebook account for years... this morning after reading the story about the Founder of WhatsApp, and a few days ago reading the articles from the founders of Instagram, I decided to delete my Instagram and WhatsApp accounts as well. The thing that disturbed me was that Instagram kept prompting me to follow users, claiming they were in my contacts list... but I had NEVER given Instagram permission to my contact list... so how did they know? Too creepy for me. I'm out. Instagram was a gia

    • by Opportunist ( 166417 ) on Wednesday September 26, 2018 @03:43PM (#57381028)

      Friends don't let friends facebook.

  • by Anonymous Coward

    when New Mexico Representative Ben Lujan asked Facebook CEO Mark Zuckerberg if he was aware of the so-called practice of building "shadow profiles", Zuckerberg denied knowledge of it

    The answer to this is Mark Zuckerberg is a greedy, lying sack of shit, who has now apparently lied to Congressional comittees.

    This is precisely why my ad blockers block everything related to Facebook, and any other ad/analytics company I can.

    I don't trust their "privacy policies", so I have my own .. which boils down to "most th

    • Comment removed based on user account deletion
      • Sure, but then he'll play the clueless card "Oh, I didn't know" or "I meant 'didn't' not 'did'" or somesuch.

        Besides, I always thought the shadow profiles were what they built to track those people who are not part of Facebook.

  • Umm... FB didn't give the "advertiser" the number or access to it. The advertiser said "target this phone number". Wonder what would happen if you were to do similar for all of the area code combos (other than toll/toll free numbers) and 867-5309 ?

    Heck, almost wish I didn't have to worry about money just so I could do it, and run an ad asking for Jenny...

  • by SlaveToTheGrind ( 546262 ) on Wednesday September 26, 2018 @04:08PM (#57381152)

    FTFA:

    The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later. Ben can’t access his shadow contact information, because that would violate Anna’s privacy, according to Facebook, so he can’t see it or delete it, and he can’t keep advertisers from using it either.

    The lead author on the paper, Giridhari Venkatadri, said this was the most surprising finding, that Facebook was targeted ads using information “that was not directly provided by the user, or even revealed to the user.”

    So informing me that someone else has revealed a piece of my personal information to Facebook (and particularly one that I've not revealed to Facebook myself) is somehow a violation of the other person's privacy?

    Give me a break.

    • by AmiMoJo ( 196126 )

      This is clearly illegal in the EU. I hope they get the maximum fine, currently 4% of global turnover if I'm not mistaken.

      • I hope they get the maximum fine, currently 4% of global turnover if I'm not mistaken.

        Yes, and the world has been waiting for a good test case to see how that theoretical penalty plays out in the real world. This would be a doozy.

  • That isn't a shadow profile. What they are describing is an existing Facebook account which has a phone number tied to it that the user never provided to Facebook but was presumably attached by other sources. It seems amazing to me that people think that Facebook (and other companies) aren't attaching tons of data about you from multiple data sources and partners. There are entire companies devoted to building profiles of you and have been for many decades.
    • by azcoyote ( 1101073 ) on Wednesday September 26, 2018 @04:31PM (#57381278)

      That isn't a shadow profile. What they are describing is an existing Facebook account which has a phone number tied to it that the user never provided to Facebook but was presumably attached by other sources.

      I see what you mean, but that's probably precisely the kind of word game that allowed Zuckerberg to deny the practice. It's not technically a shadow profile in terms of a profile belonging to a person who has never signed up. However, it is shadow data attached to a voluntary profile, or in other words, hidden data scraped from online shadow profiles but associated with a non-shadow profile so that the claim can be made that it is not, in fact, a shadow profile. But this is mere semantics. Not only can this be understood as a shadow profile hiding underneath a voluntary profile, but it's even possible that the shadow data is actually stored separately and only probatively associated with the voluntary profile, in which case only this loose and volatile association would ground the pretense that it is not a shadow profile.

    • That isn't a shadow profile. ... the user never provided to Facebook but was presumably attached by other sources.

      So, you're saying it is not a True Shadow Account, because it is only a Shadow Data Related To An Account.

      That seems to submarine your blathering, without even getting to the part where you say, "Golly, somebody else might be doing it too, so it can't be wrong. Bad things can only happen once."

  • by Anonymous Coward

    That giant social media doesn't already know exactly who you are, who you associate with and what your habits are... I have a lovely bridge for sale.

    Even if you don't have an account, your friends do, your spouse does, your organization/company does. They may not necessarily know your name definitively, but you can be damn sure they have, thru data scraping and aggregation (including combing thru other users uploaded contact lists, their posts, their pictures, their location history, etc...), have compile

  • Granted I don't know the number called, but the Facebook system may have just asked Google and parsed the results, nothing shadow about it..

    I mean I asked Google and one of the many pages I received was https://www.ccis.northeastern.edu/people/alan-mislove/ which contains a phone number...

  • by joe_frisch ( 1366229 ) on Wednesday September 26, 2018 @09:44PM (#57382314)

    This is my strongest (but not only) objection to 2 factor authentication as it is frequently used. The 2nd factor is usually a phone, and nothing seems to keep the company from selling that very valuable information.

    The claims about security are largely bogus as the many social hacks around 2 factor authentication have shown.

    • by AmiMoJo ( 196126 )

      Text message is just the worst form of 2 factor auth. Using time based codes with an app or a security token is pretty secure.

  • All the big internet companies operate illegally. Facebook keeps lying to us, Slashdot keeps harassing me for "consent" to monetise my data, everybody is in on it, everybody does it. I nearly prefer the sites that just do not give you access if they cannot set cookies, or you have an ad blocker. At least that is honest (or I am too optimistic there, too?).

You know you've landed gear-up when it takes full power to taxi.

Working...