Facebook is in dire straits. Ever since the Cambridge Analytica scandal, which happened in March this year, the biggest social network of them all has been getting in all kinds of trouble.
If this isn’t enough, a couple of recent findings discovered that Facebook, “the only company that’s singularly about people. Not about selling devices. Not about delivering goods with less friction. Not about entertaining you. Not about helping you find information.
Just about people,” (according to David Marcus, the former head of Messenger division at Facebook) is using phone numbers used for 2 Factor Authentication as well as “shadow contact information” to serve better ads.
This, of course, serves to increase profit not connect people. And finally, the network suffered a huge hack just days after the discoveries surfaced online regarding 2FA phone numbers and shadow contact data. Yup, Facebook is in some hot water right now, and it will be quite interesting to see just how Mark will get himself and his company out of this mess.
2FA phone numbers used for serving ads
Let’s start with the 2FA phone numbers scandal. And yes, it is a scandal. Facebook is all about people, yet it is using the info users gave them in good faith not only, as they stated, to keep their Facebook accounts secure but as it turns out to give them more ads and of course increase its profit margins.
To add insult to injury, Facebook recently issued a statement claiming it was a bug that had caused users to receive Facebook notifications to numbers they used for 2 Factor Authentication purposes (which, in many cases, isn’t tied to their Facebook profile). And according to Alex Stamos, Facebook’s Chief Security Officer at the time – “It was not our intention to send non-security-related SMS notifications to these phone numbers”.
But it seems that it wasn’t a bug and in fact Facebook is using private phone numbers not solely to secure user accounts but for ad purposes. Facebook is digging its own grave and it’s doing a pretty good job. Every detail of this can be read in the original research by Elena Lucherini of Princeton University and Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University.
Let’s move on.
Shadow contact info used for serving (more) ads
The same research mentioned above also found details regarding the “shadow contact information,” each user of Facebook has. This shadow info relates to data most of us don’t share with Facebook directly, but somehow it finds its way to Facebook’s servers.
For instance, if you share your phone number and email address with a local electronics store for the purpose of creating a loyalty card and that store decides to launch a Facebook ad campaign, they can upload their database of user phone numbers. And even if the phone number you provided them with isn’t tied to your Facebook account you will start getting ads targeted to that phone number.
The second example of this concerns 2FA numbers, which were covered above. And finally, the third example, a user uploading their phonebook to Facebook in order to “find friends.”
Well, all those potential friends will get their phone numbers as well as other info (like email accounts or addresses) used by Facebook for ad purposes even though they didn’t share them with Facebook and even if they don’t even have a Facebook account.
In their study, researchers from the two universities mentioned uploaded a large list containing landline numbers for Northeastern University. The list contained hundreds of unique numbers from people working at Northeastern. They used landline numbers because most of us do not share those with Facebook.
Most of us exclusively use mobile phone numbers with our Facebook accounts. But, landline numbers have a high chance of being inside the phonebooks that many users shared with Facebook in order to use the “find friends” feature.
Researchers used that list as a basis for a Facebook campaign and as it turned out many people from the list started receiving ads in their News Feed even though they never shared those landline numbers with Facebook. They were simply a part of a phonebook uploaded to a Facebook server in order to find friends.
The thing is, Facebook refuses to share shadow contact info with users because, in most cases, that data is part of other people’s phonebooks or a company’s database.
In other words, that data isn’t really owned by people who are affected by it. This may sound illogical but sadly, it’s technically true and because of this, Facebook is allowed to refuse to disclose that data because in so doing the company would endanger user privacy.
So yes, they can use private data, that you didn’t share, but if you ask the company to disclose the “shadow contact info” it has on you they can (and probably will) refuse.
All we can do in order to find out who is using our private data is visit Facebook’s “ad preferences page”. This is accessed through your profile page, scroll to the section called “advertisers you’ve interacted with” and here you will see all the companies who have you on their ad list. Not much of a consolation, but it’s something.
50 million accounts hacked
Just a few days after the two aforementioned stories surfaced, Facebook suffered a massive hacking attack which breached more than 50 million Facebook accounts, including Mark Zuckerberg's. The attack was used to harvest sign-on tokens and while it affected around 50 million accounts. In turn, Facebook revoked access tokens for almost 90 million accounts for security purposes.
Stolen Facebook access tokens can be used to log in and steal Facebook accounts. They are basically digital keys used for simplified logins that skip having to enter a password and email address every time a user wants to login to their Facebook account.
Attackers exploited Facebook’s “View As” feature, a feature allowing people to see what their profile looks like when viewed by other Facebook users. Hackers used a security flaw created back in July 2017, which appeared after “a change we made to our video uploading feature,” affected “View As.”
Facebook notified authorities, fixed the vulnerability, and temporarily turned off the “View As” feature. Yet, Facebook “don't know who’s behind these attacks or where they’re based,” and the company is “working hard to better understand these details — and we will update this post when we have more information, or if the facts change.”
Since the post hasn’t updated yet, it’s safe to say that the perpetrators haven’t been discovered yet either.
So, there you have it, Facebook is in turmoil. From Cambridge Analytica through to last week’s hack that affected 50 million users, Zuckerberg and co. must be worried.
What will the next step be? Surely the decision to start showing ads to WhatsApp users, despite the fact that WhatsApp uses end-to-end decryption can’t be a good one.
Perhaps there is method to his madness. We’ll see.