Study Shows Facebook's Still Miles Away From Taking Privacy, Transparency Seriously

from the ill-communication dept

If the entire Cambridge Analytica scandal didn't make it clear enough, Facebook keeps doubling down on behaviors that highlight how security and privacy routinely play second fiddle to user data monetization. Take the VPN service Facebook pitches to users as a privacy and security solution, which is actually used to track user behavior when they wander away from Facebook to other platforms. Or the time Facebook implemented two-factor authentication, only to use the (purportedly private) phone numbers users provided to spam them (a problem Facebook stated was an inadvertent bug).

This week, a new report highlighted how Facebook is letting advertisers market to Facebook users using contact information collected in surprising ways that aren't entirely clear to the end user and that, according to Facebook, aren't supposed to work. That includes not only two-factor authentication contact info users assume to be private, but also data about you harvested from other users (like secondary e-mail addresses and phone numbers not directly provided to Facebook). The findings come via a new report (pdf) by Northeastern University's Giridhari Venkatadri, Alan Mislove, and Piotr Sapiezynski and Princeton University's Elena Lucherini.

In it, the researchers highlight how much of the personally identifying information (PII) collected by Facebook still isn't really explained by Facebook outside of painfully generic statements. This data can in turn be used to target you specifically with ads, and there's virtually no transparency on Facebook's part in terms of letting users see how this data is being used, or providing fully operational opt-out systems:

"Worse, we found no privacy settings that directly let a user view or control which PII is used for advertising; indeed, we found that Facebook was using the above PII for advertising even if our control account user had set the existing PII-related privacy settings on to their most private configurations. Finally, some of these phone numbers that were usable to target users with did not even appear in Facebook’s “Access Your Data” feature that allows users to download a copy of all of their Facebook data as a ZIP file."

Again, this includes the use of two-factor authentication (2FA) credentials that Facebook has previously stated aren't supposed to be used for marketing purposes. It's something that Facebook has repeatedly claimed doesn't happen:

"Facebook is not upfront about this practice. In fact, when I asked its PR team last year whether it was using shadow contact information for ads, they denied it."

User efforts to glean more transparency from Facebook haven't fared well either, even in the UK where the GDPR was supposed to have put an end to this kind of cavalier treatment of user data:

"I’ve been trying to get Facebook to disclose shadow contact information to users for almost a year now. But it has even refused to disclose these shadow details to users in Europe, where privacy law is stronger and explicitly requires companies to tell users what data it has on them. A UK resident named Rob Blackie has been asking Facebook to hand over his shadow contact information for months, but Facebook told him it’s part of “confidential” algorithms, and “we are not in a position to provide you the precise details of our algorithms.”"

And again, this is a company that, in the wake of several major privacy scandals, is attempting to avoid heavy-handed privacy regulations at both the state and federal level, which makes you wonder what it looks like when Facebook truly doesn't give a damn.


Filed Under: ad targeting, privacy, targeting, transparency, two factor authentication
Companies: facebook


Reader Comments


  1. This comment has been flagged by the community.
    Watts Aldis-Den, 28 Sep 2018 @ 6:53am

    Techdirt's usual whining, not even token call to BREAK IT UP.

    Because part of the surveillance / propaganda state, as is GOOGLE, which Fascism masnicks promote, Facebook will NEVER face anti-trust.

    Facebook's New Propaganda Partners https://fair.org/home/facebooks-new-propaganda-partners/

    Oh, I know: it's not a "monopoly" so don't worry about it! Sheesh! But what's even the basis of this piece if not that any ordinary person believes Facebook has too much power and is indifferent to the wishes of users?

    If don't call for curative action, then don't bother to complain. -- And we KNOW after 20 years of shilling that Techdirt is NOT going to advocate any measures that'd reduce corporate profits or power. This piece is more "proof" that Techdirt criticizes corporations, but since NEVER has any hint of action, is mere clickbait.

  2. Gary, 28 Sep 2018 @ 7:08am

    Re: Techdirt's usual high quality work

    The article was on point and well written.
    And I don't see you actually disputing the content of the article - only lamenting the lack of your own agenda being included.

    Please point us to your website so we can see your articles on this topic.

  3. Anonymous Coward, 28 Sep 2018 @ 8:01am

    Homework: Substantiate your claims

    _Because part of the surveillance / propaganda state, as is GOOGLE, which Fascism masnicks promote, Facebook will NEVER face anti-trust._

    Please define Fascist as you are using it. Please note any differences between your definition and the dictionary definition, for clarity.

    Please then provide links/evidence that support Masnick promoting this. Be specific, there are no points for partial answers.

    _Facebook's New Propaganda Partners https://fair.org/home/facebooks-new-propaganda-partners/_

    There is a "Submit a Story" link on every Techdirt page. If you feel it's newsworthy, you can use that link to bring it to TechDirt's attention.

    _Oh, I know: it's not a "monopoly" so don't worry about it! Sheesh! But what's even the basis of this piece if not that any ordinary person believes Facebook has too much power and is indifferent to the wishes of users?_

    _If don't call for curative action, then don't bother to complain. -- And we KNOW after 20 years of shilling that Techdirt is NOT going to advocate any measures that'd reduce corporate profits or power. This piece is more "proof" that Techdirt criticizes corporations, but since NEVER has any hint of action, is mere clickbait._

    Please provide positive support that anti-trust actions against Facebook would A) be legally viable under existing anti-trust law, and B) actually solve the issue of potential privacy violations.

    Please additionally advise how pointing out the behavior and heavily implying this is problematic and that Facebook should not be doing this in light of recent privacy scandals is not a form of calling for curative action.

    If the idea is that the article has a lack of proffered solution, please advise why you do not also apply the same criteria to the fair.org article linked. Charitably speaking, that article suggests bad behavior, warns people to be wary, and suggests they oppose it, but does not proffer any actual solution to the perceived problem.

    Again, there is no credit for partial answers.

    I look forward to your well-thought, considered, and above all courteous reply.

  4. Christenson, 28 Sep 2018 @ 8:32am

    2FA info is a *confidential* secret

    Dear Facebook:
    Since you've made most of our lives an open book, don't you think that revealing my 2FA information to third parties facilitates identity theft???

    If you want it secret, don't tell Facebook!

  5. Anonymous Coward, 28 Sep 2018 @ 8:58am

    Re: 2FA info is a *confidential* secret

    It's pretty unconscionable. If it can be accessed by people other than facebook, then someone looking to steal your facebook identity knows what number to target for SIM hijacking.

    Boom - you no longer own your own facebook account. And then whoever hijacked it can download all your data.

  6. OnThoseThatParticipate, 28 Sep 2018 @ 9:14am

    ItsOnTheUsers

    Friends don't let friends use Facebook.

    That's the simple solution.

  7. Pixelation, 28 Sep 2018 @ 10:11am

    They do take it seriously.

    They have no intention of giving it back.

  8. Gary, 28 Sep 2018 @ 10:16am

    Re: They do take it seriously.

    Wrong again! They just gave away some 50 million user account details in the latest hack. See, they are always giving back to the community!

  9. Anonymous Coward, 28 Sep 2018 @ 10:20am

    Re: Re: 2FA info is a *confidential* secret

    Not if you give them the phone number to pizza hut

  10. Anonymous Coward, 28 Sep 2018 @ 11:16am

    Re: Re: Re: 2FA info is a *confidential* secret

    Then you cannot get the text that allows you to login.

  11. Anonymous Coward, 28 Sep 2018 @ 12:32pm

    Re: Re: Re: Re: 2FA info is a *confidential* secret

    huh ... bah bye

  12. Anonymous Coward, 28 Sep 2018 @ 3:13pm

    Re: Techdirt's usual whining, not even token call to BREAK IT UP.

    What would you "break up" Facebook into?

  13. homerlovesflanders, 28 Sep 2018 @ 4:45pm

    Srly, why would anyone use Facebook's VPN over ExpressVPN or Cyberghost?

  14. Anonymous Coward, 28 Sep 2018 @ 11:43pm

    fuck facebük

  15. Anonymous Coward, 28 Sep 2018 @ 11:46pm

    Re: Re: Techdirt's usual whining, not even token call to BREAK IT UP.

    Oblivion.

  16. Anonymous Coward, 28 Sep 2018 @ 11:52pm

    Re: Homework: Substantiate your claims

    Potential privacy problems?? You seem too pissed to be joking.. Here's a solution.. dissolve the terrible corporation.

  17. Anonymous Coward, 30 Sep 2018 @ 1:53am

    Re: Re: They do take it seriously.

    Yeah? 50 million? Which community did they give it to?

  18. The Wanderer, 30 Sep 2018 @ 10:06am

    Re: Re: Re: Re: 2FA info is a *confidential* secret

    Easy solution: just maintain two phone numbers, and use one of them only for sign-up texts like that, never for anything else!

    ...of course, that means paying for the additional phone and number, which not everyone will be able to afford to do... and it's likely that whoever you give the number to for a sign-up text will also store it in case they need to contact you later... but who ever said the solution was perfect?

  19. Blaine, 30 Sep 2018 @ 10:39am

    Oh that's easy

    "making you wonder what it looks like when Facebook truly doesn't give a damn."

    Just go to facebook.com.

  20. Anonymous Coward, 30 Sep 2018 @ 10:44am

    At what point does the act of collecting, storing and then willingly or unwillingly transferring a complete profile of a person's life, relationships, political views, pictures, friends and family ties, location and personal data infringe on federal law -- perhaps privacy laws, 4th Amendment laws, identity theft laws, etc? I'm sure there are other laws that would apply.

  21. R.H., 30 Sep 2018 @ 8:57pm

    Re: Re: Homework: Substantiate your claims

    Would that be legal under existing antitrust law? I don't think that American antitrust law has any provisions for the dissolution of a corporate charter for much short of defrauding its shareholders or egregious lies in SEC filings. I'm only a broker (by licensing though I don't do it full time), not a corporate lawyer so, I might be missing something.

  22. R.H., 30 Sep 2018 @ 9:23pm

    Re:

    In the United States? Probably never. Have a look at Facebook's Terms of Service. If you use the service, you give them a license to use the information you provide pursuant to the privacy settings that you set. That handles privacy laws.

    Concerning identity theft laws, as long as Facebook doesn't try to act as you (in a way that you didn't authorize in the ToS, for example, FB showing one of your friends your picture with an ad for a product whose page you "Liked") and as long as they try to keep your data out of the hands of unauthorized persons then Facebook isn't committing identity theft either.

    I saved the easiest one for last. The 4th Amendment's provision against illegal search and seizure only applies to the government. Facebook couldn't break it if they tried. Choosing to comply with a government request isn't a violation on their behalf, if anything, (and that's a big if) it would be a violation by the government agency that made the request.

    In the EU on the other hand...I don't know as much about the law there but, I have the feeling that the EU is currently in the middle of swinging the pendulum so far towards personal privacy that non-EU public governmental knowledgebases are already being harmed. In that case, Facebook may be in for a bit of a rough time over there.

  23. Wendy Cockcroft, 1 Oct 2018 @ 2:31am

    Re: Re:

    Indeed. But the best way to protect your privacy is to assume that everything you put online will eventually be made public, even on the strongest privacy settings.

    Be very careful about what information about yourself or your family you post online.

  24. Anonymous Coward, 3 Oct 2018 @ 4:39pm

    If Facebook took privacy and transparency seriously, especially the former, they wouldn't exist in the first place.
