Facebook finally stops targeting ads for phone numbers that people enter for 2FA

Last year , information security experts and journalists found that Facebook uses a phone number for targeted advertising, which the user enters for two-factor authentication (2FA). This is another “deceptive practice” in which the largest social network was caught.

How it works. Firstly, Facebook demanded to enter a phone number for any type of 2FA, even if it is carried out through a software authenticator, and not SMS (however, other companies do the same). Secondly, after about a month, this user began to receive targeted advertising from advertisers who became aware of his phone number. Moreover, anyone could find a person by entering their phone number in the search. It turned out that Facebook links the phone number to the profile even if this number is not listed in the profile, but only for 2FA or in the contact book of another user.

Facebook did not heed the numerous calls to stop this practice and did not change anything in the functionality of the site. In the end, the case was submitted to the Federal Trade Commission (FTC). And only then did Facebook do something.

In July, Facebook entered into an agreement with the FTC, which promises to stop some fraudulent practices that violate user rights. Including promises not to use phone numbers entered for any security purpose for targeted advertising, including for 2FA, password recovery, or receiving messages about unauthorized attempts to enter your account.

Along with the sale of contact information for advertisers to users (contrary to their wishes and expectations of the service), Facebook also does other damage by its actions. By such actions, it undermines the trust of users in the two-factor authentication itself. But it has now become a mandatory minimum requirement for any security system. Undermining confidence in two-factor authentication, Facebook harms other companies that have correctly implemented 2FA.

It would seem that the FTC has succeeded, and now confidence in 2FA can be restored. But not so simple.

The Electronic Frontier Foundation draws attention to the specific wording in the text of the Facebook and FTC agreement. She only mentions a ban on the use of numbers for targeted advertising, and nothing more.

In other words, Facebook may continue to use shadow profiles for other purposes. And history shows that if Facebook has such an opportunity and there is no direct ban, then the company will definitely continue to abuse it.

What opportunities did Facebook have for abuse? There are at least two points.

  1. The agreement does not affect shadow profile searches . If you do not enter your number in the profile, but specify it for 2FA, then anyone can find you by this phone number through the basic search function on the site.

    This “hole” has been known since at least 2017 , and Facebook formally closed it , but not completely . There was an opportunity to search for people by their phone numbers by downloading their contacts phone book.
  2. The agreement does not mention the concept of “shadow profiles” at all. This includes the phone numbers of users taken from other people's contact books. They can still be associated with a specific user and sold to advertisers without notifying a person and without his consent. The user still does not have the opportunity to see what information is collected in his “shadow profile”, even among Europeans under the GDPR law.

We can rejoice at the partial success achieved through the agreement of Facebook and FTC. Advertisers will no longer be able to enter a list of phones for targeted advertising and include those who entered a 2FA-only number. But this is a relatively small success compared to other practices that Facebook and other Internet giants allow themselves. It seems that for some of them, users and their information is just the product on which the business is built.

GlobalSign uses digital certificates and tokens for convenient and reliable two-factor authentication. To learn more about GlobalSign solutions for 2FA, visit www.globalsign.com/en-us/authentication/

Source: https://habr.com/ru/post/463303/

All Articles