
Tech publications are screaming today that giving Facebook your phone number for 2FA allows them to target you for ads. But this misses a bigger point: Facebook is using your phone number to target ads whether you give it to them willingly or not.

In fact, the problem gets much worse. Researchers have been able to prove that Facebook allows personally identifiable information, like your phone number, to be used to target you based on shadow profiles of information that they build—profiles that you cannot see and have no control over.

So yes, if you give your phone number to Facebook to help secure your account, Facebook will also use it to target you for ads. But if you don’t give them your phone number, they will still use your phone number to target you for ads. And there’s nothing you can do (except delete Facebook).

What’s This Now?

Researchers at Northeastern and Princeton universities, working with Gizmodo reporters, just released a troubling report that proves that Facebook is giving advertisers access to use your “shadow contact” information for ad targeting.

What this means is that even if you don’t want Facebook to allow advertisers to target you by your phone number… Facebook is still finding a way to let advertisers target you by your phone number and other personal details. This is even true if you literally don’t give Facebook your phone number. If you gave Facebook a fake email account when you signed up, behind the scenes, they know what your real email account is.

If you gave Facebook your phone number for Two-Factor Authentication, they are using that phone number to allow advertisers to target you. And even if you used app-based two-factor instead of SMS, they still most likely have your real phone number to target ads to you.

So you might think the details you gave Facebook are what they are using to target ads, but that's not the full story. And there's no way to prohibit Facebook from targeting your phone number even if you didn't give it to them.

Hold On, What Does Targeting Ads Even Mean?

When an advertiser wants to buy an ad on Facebook—or anywhere else—they want to only pay to show that ad to the group of people most likely to actually click on that ad, because buying ads is really expensive. So Facebook, Google, Twitter, etc., all provide targeting options that let you try to find the ideal audience for your ads.

So if you’re Nintendo and you want to advertise your SNES Classic, you might use Facebook’s targeting options to only show the ad to people that are the right age to have played the original as children, and then further refine it by people who have shown an interest in SNES. If you were only doing a limited launch, maybe you restrict your ads to just the country, state, or city that you are launching in. Now your ad is shown only to people that are going to be excited about the SNES, and you got the best bang for your buck.

The bigger platforms also provide a way to target customers that you might have gained offline. For instance, if you’re Nintendo, maybe you have a list of your customers that have ordered things from you. So you’ve got their email address, phone number, and other information. Platforms like Facebook (and others) let the advertiser upload a list of personally identifying information and use that to determine whether to show you ads. The thought process is that the advertiser already has your phone number and email address, and they could contact you directly if they chose, so it's allowed for showing ads on Facebook.

Bottom line: if your phone number is in a list at any company—and based on the frequency of robocalls, you better believe it is—that company can use your phone number to make sure that their ads get in front of your face. Even if you didn’t give it to Facebook.

There are a couple of big notes here that we need to be crystal clear about because there's a lot of misinformation going around:

  • Facebook doesn’t let you target a single person with an ad. They will not approve any ads that target too small a group of people.
  • In order for advertisers to target you with ads based on your phone number or other personal information, they must already have your phone number or personal information.
  • Facebook is not selling your information to anybody, at all. It's in their best interests to make sure that they are the only company with a complete profile of information about you.
  • You can largely opt out of targeted ads around the web; even Facebook lets you limit ads to just targeting information that Facebook tracks.

What we're really talking about here is that we're seeing ads for things that we're more interested in, and a lot of people don't have any problem with that at all. But we should have control over this, and Facebook is not letting us control whether our contact information is being used for targeting.

How Is Facebook Getting My Phone Number and Other Information?

In order to provide their advertisers the most granular possible targeting options, Facebook and everybody else collects data from every single place they can possibly collect data from. That includes everything you’ve ever looked at, liked, clicked on, thought about clicking on, shared on Facebook, or anywhere else.

They are tracking whether Facebook is in the foreground or background on your computer. They are looking at Wi-Fi networks, call logs, Bluetooth beacons, and more. For a long time they were collecting all of your call and SMS data if you used the Android app, and if you're using Android you can actually replace the SMS app with Facebook Messenger, which would obviously give them access to your phone number.

But it doesn’t stop there. Facebook is buying data from credit bureaus, third-party data warehouses, your offline purchases, and collecting address books from your friends. How do we know all of this? Facebook lays it all out in their Data Policy that nobody reads, and in their Ad Preferences page (where you can disable showing ads based on partner data but not your contact information). They aren’t even trying to hide it.

Facebook has your phone number whether you added it on Facebook or not. And there’s nothing you can do about it, because they don’t give you any controls over your shadow profile.

The Much Worse News: Everybody is Doing This

This is where it gets worse. The ads that you see trailing you around the internet on every site (including this one sometimes) are all built from crazy data profiles from every huge company sharing data on what you might have ever thought about buying at any point in your life.

Everybody is collecting and sharing information. The credit bureaus are selling your information to everybody they can within the confines of what is legal—which is pretty broad. Target’s computer system famously knew that a teenager was pregnant before her parents did.

This isn’t just Facebook; this is Google, Twitter, Amazon, and every other massive corporation you’ve ever had any interaction with. If you don't like this, you can opt out of targeted ads, delete Facebook, and try to limit what you're doing online. But no matter what, your data will still be sold by somebody, even offline, until very tight GDPR-style regulation shows up.
