
Facebook Is Giving Advertisers Access To Your Shadow Contact Information - dhotson
https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051
======
ummonk
As a security engineer, I cannot overstate just how horrible this is. Phone
numbers might not be an ideal 2nd factor for authentication, but to punish
users for setting up 2FA by using the provided phone number for ad targeting
is incredibly unethical.

~~~
cmroanirgo
I agree with your sentiment.

But, as someone who understands that not all people and companies use the same
moral set as myself, this is why I've never set up 2fa using a phone.

Why should I give some company my phone number? Increasingly it's become a
single point of metadata to uniquely describe myself (just as my email
addresses have).

~~~
jsjohnst
> just as my email addresses have

That doesn’t need to be the case though with just a little bit of effort and
minimal cost. Use your own domain for email and set your account to be a
catchall. Then use facebook.com@yourdomain.tld and your email address is no
longer a cross site unique identifier.

~~~
barkingcat
Isn't this it though? The engineers designing the ad targeting system at
Facebook are linking the random emails you use as "catch all" to your main
identity so you can be targeted specifically, even though neither party has
full knowledge of the linkage between your catchall email and your main
identity email. This is facilitated by information that is not under your
control.

If facebook was able to design and build this system, you can bet that other
companies are doing this too.

~~~
jsjohnst
Check the TOS and/or implementations for many of the tracking providers and
you’ll see they use hashed emails. Show me a way to extract the common domain
name from the below:

9425ca8eb02d022309ec175a7067b1567a5f741ec7010cc1b5034287f9db6e2f

4d1c86b9f418c713e784760fea809e34418c2f13e993d907783572ecc2c9bb6e

~~~
tener
If the hashing algorithm is known (and my guess is it is at least possible to
reverse engineer it, if it isn't documented) then cracking a hash with a GPU
may be quite feasible.

~~~
jsjohnst
The hashing algorithm is well known, it’s unsalted md5/sha1/sha256. That
doesn’t make it necessarily _possible_ (sure, some cases yes, but not even
most), let alone feasible, to rainbow table them.

------
adpirz
What's facebook's boiling point? My guess is they'll respond, they'll no
longer use 2FA #'s for ads, the damage will have been done, and 99% of the
population won't know any of it occurred. We'll repeat this cycle when a fresh
revelation occurs months from now, as facebook continues to test how much they
can leverage for more ad revenue.

But none of it is actually slowing FB down. Its biggest dip in value came from
decelerating growth and spending to make FB more user-friendly, so there's a
clear disconnect between shareholder incentives and those of the general
populace.

On top of that, most people remain unaware that FB owns both WhatsApp and IG,
and while the departures of their top brass have made waves in these circles,
it's not a concern for most.

I don't see FB's dominance relenting any time soon, though I wish it would.

~~~
secfirstmd
As someone who occasionally runs experiments with FB adverts for various
types of business, I feel its boiling point will be when people and
organisations advertising on the platform really start to look deeply into the
value for money they are getting on it. I can't tell you the amount of times
I've seen organisations throw money at it in return for dubious clicks from
markets they never targeted, bot-like users and really poor ROI after
advertising with it.

~~~
NiekvdMaas
Are you hinting that FB advertisers are throwing 50 billion (expected 2018
revenue) at ads that are poorly performing? Obviously that is not correct, the
result of all this detailed targeting is campaigns that are performing very
well for experienced marketeers.

~~~
Eric_WVGG
okay so…

- not all people buying FB ads are experienced marketers

- companies throw tons of money at ineffective ads, that should be obvious…

- we have no idea what the ratio of "successful" to unsuccessful campaigns is

- even if that ratio is negative, Facebook is still one of the only remaining
"games" in town, so people _will_ continue throwing money at it. “Least worst”
is a fine and lucrative place to be in.

- can we just get over this idea of rational economies, by the way

- marketing is less of a science than a craft, and all the implications
thereof

~~~
NiekvdMaas
I'm in ad tech, and believe me: FB advertising _works_. The vast majority of
their ad revenue is coming from experienced ad buyers that are spending
immense amounts on direct response campaigns, not branding.

If you want to see how things work, start a small ad campaign yourself on FB.
It's all about ROI, attribution, cost per action, super detailed targeting,
etc. It's the opposite of "throwing money at it hoping that it'll work",
unlike offline advertising or even traditional display ads.

~~~
njarboe
Exactly like this article states. You can give Facebook a list of phone
numbers or email addresses and it will put your ad in front of only those
people. Does anyone know how small a list you can target? List of one? List of
one plus N number of dead email addresses? Therefore a list of one, but more
expensive?

~~~
snaky
> The smallest audience you can upload is an audience size of 30 people. Also,
> this audience size needs to be 30 people which Facebook can identify and
> find. So, if you upload an email list of 30 and Facebook can match only 20
> of those email addresses to Facebook profiles then it will reject your list,
> so in most cases you need to upload a list of about 60 people. You then need
> ensure you upload a list of only females or males which includes the one
> email address of the person you are targeting (the opposite to the one
> person that you are targeting). Lastly you need to choose the gender in the
> demographic filtering which matches the intended target. Here’s a step by
> step example below

"Sniper Targeting on Facebook: How to Target ONE specific person with super
targeted ads" [https://medium.com/@MichaelH_3009/sniper-targeting-on-facebo...](https://medium.com/@MichaelH_3009/sniper-targeting-on-facebook-how-to-target-one-specific-person-with-super-targeted-ads-515ba6e068f6)

~~~
njarboe
Informative article, mostly about how amoral this salesman is. I wonder if
most people in sales think this way. Maybe the article was created solely as
an ad for the author's company and the content is all lies. I'd have no way to
know without trying it myself, and a fake article would be in complete
alignment with the author's value system.

------
anonytrary
"Give me as much service as you can while keeping me as far off the grid as
possible" is a skill that is sorely lacking in this market. I don't have this
problem with weed dealers, but I have this problem with information dealers.
Internet companies could seriously learn a thing or two from the black market
on how you treat your customers.

~~~
tanto
Does your weed dealer provide the service for free? If you want to be treated
as a $$$ paying customer start paying. Problem with social networks and $$$ is
that network effects will not come into effect as not everyone will be willing
to pay.

There are actually ethical information dealers but they require you to pay
them as you are paying your weed dealer.

~~~
fouric
Most internet service companies, including Facebook and Google, don't give you
the option of paying for privacy even if you wanted to.

~~~
odyssey7
I think that if it's possible to define a way of operating businesses in a way
that doesn't harvest data in a way that's nonessential to the services, then
there should be a law requiring this option: to pay out of your pocket
directly the amount of revenue the company would have expected to make, in
exchange for the company not doing this data collection. But it seems
difficult to get to such a definition. I think this law would be very popular.

~~~
Natanael_L
Indirectly GDPR does this. All data collection must be either opt in, or
necessary to provide the service.

~~~
odyssey7
Oh, I forgot an important detail. I should have added another aim I would want
is that as a result of paying this money, you wouldn't receive any
advertisements from the service.

~~~
Kostchei
We're trying to build the idea of "paid for storage" that doesn't look at your
stuff, but getting people to pay for a service that others provide with
advertising for free is hard.

Any company being truthful about what their customers want can't be tracking
them 24-7 and sifting everything they type. Almost no-one wants that level of
invasiveness. We just put up with it because there are no real (easy)
alternatives or aren't aware.

------
mojuba
Another personal observation. I have an Instagram account that I thought was
fully incognito. I never connected it to any other social account, I used a
separate email for authentication etc. Just days after the Instagram founders
left Facebook I started receiving friend suggestions on my IG that were very
very relevant. Those were people I knew in real life and mostly connected via
Facebook but not only. I shouldn't be surprised, as being connected to the
Internet by itself is an end to your privacy, but still, this was probably the
spookiest invasion into my privacy so far. Bye-bye Instagram.

~~~
qrbLPHiKpiux
This is a perfect example of the need for physical compartmentation. Separate
devices never connected through the same internet service. As far as devices
go, to think you have separated “anything” on only one device, you’re living
in fantasyland.

~~~
pixl97
If the app can look at your wireless, even that is not enough. It can just
make a map of the SSID/BSSID around you.

~~~
dylan604
Statements like this make me want to learn phone OS development just so I can
have a better understanding on what information an app can get from the OS.
Honest question, why would an app ever need to know the SSID of a wireless
network? The app should only care if there is a valid network connection, and
then use it. I can see being able to know if it is wifi vs cellular so they
can have the option to limit large downloads to wifi only. However, the SSID
would not be necessary information for the app.

~~~
arkitectual
An example would be an app for associating a device without a screen on to a
wireless network. Think IoT devices or Alexa. Saves the user from having to
type in the SSID which is a pain.

------
hnzix
The reason I never give fb my mobile is if you use a pseudonym account, it
will suggest your profile as a friend to anyone who has your mobile in their
phone contact list (eg ex-partners, stalkers, employers, drug dealers). Found
that one out the hard way.

I know Zuck wants me to preemptively upload my nudes, but still.

~~~
ageitgey
This is basically how FBI Director Comey's secret Instagram account (and thus
Twitter account) was unmasked. But it was even worse - you are suggested to
3rd party people who just follow the people who know you:
[https://gizmodo.com/this-is-almost-certainly-james-comey-s-t...](https://gizmodo.com/this-is-almost-certainly-james-comey-s-twitter-account-1793843641)

~~~
ninit3
Yep, something similar I discovered recently: if you sign up to Instagram
with somebody's email that they use on Facebook then within a day or two
you'll start to see all of their friends from Facebook who are also on
Instagram in your recommended follows. All of this happens without email
verification..

~~~
dvfjsdhgfv
> All of this happens without email verification

This has very interesting consequences...

~~~
baybal2
Whoa... so it was around in the open since around 2013, and still not fixed?
0_0

~~~
pishpash
Almost every shop does this, no verification before use. ffs, at least provide
a "report not mine" function.

~~~
jkaplowitz
I've only ever seen a "report not mine" function from Google. Where else have
you seen it? I am not on FB/LinkedIn/most similar ones, so I may be missing
examples.

------
ergothus
I recently interviewed at Facebook (didn't pass the in-person) and one thing I
was looking for was a job that WASN'T based on ads. I didn't want to come
across negative so I was circumspect in my asking ("Tell me about the
positions at Facebook that I as an outsider don't know about - I know ads,
messaging, and events"). I wasn't really excited by the answers I got - ads
seemed worked into everything they brought up, but the answers weren't super-
nefarious either. This was the Seattle office, which apparently has a strong
ads-basis. Because they hire people and then (allegedly) let them pick from
available team openings (after a "bootcamp" to do onboarding), I
simultaneously felt like I'd have a chance to avoid the worst but also
couldn't be sure of what I was committing to. I didn't pass the interview and
the few weeks since have tried very hard to make me not regret that by raising
issues like this one, despite my natural tendency to give FB the benefit of
the doubt and to recognize the difficulty of moderating speech sanely.

I've never had such uncertainty about what a job would involve before - the
"you find your match" sounded good initially, but in retrospect I'm wondering
if I dodged a bullet - so hard to know.

~~~
sweezyjeezy
I find it interesting that you would absolve yourself for working for Facebook
just because you wouldn't be working directly on ads. Facebook is an ad
company with services attached (a fairly reprehensible one in my opinion). If
you work for them, you are helping them achieve their goals, which ultimately
is about serving people ads, it doesn't matter what particular role you are
doing there.

~~~
ergothus
"absolve" is not the correct term (I think) - I don't find ads particularly
offensive, I just don't ENJOY them, and I was looking for a job I'd enjoy and
enjoy telling people about. I'm perfectly fine with ads existing, though I'm
supportive of being able to buy my way out of them. (You can raise issues
about ads being inherently deceptive and manipulative, and I wouldn't say
you're wrong, but I've not taken a position against them...yet)

That facebook is doing bad things because ads are their only real source of
income is a problem because of the bad things, not the ads. At the time the
primary concern was "what should facebook be doing about de facto empowering
hate speech and (actual) fake news?" and that's a tricky problem that I don't
think has a resolved answer, and I sympathize with those that empower
communication and only later realize people have more desire to trash things
than apply rational caution. Since then much more has come out about some FB
practices (and Google), and the question of whether ads-as-your-primary-
revenue-source is too much incentive to be "evil" is being implicitly raised,
but is likewise not yet resolved.

That said, I do think there are lines to draw and lines not worth drawing.
There's very few jobs that don't end up supporting bad things. I don't think
it's right to pretend that if you aren't doing it directly that you AREN'T
supporting such things...but I also think it's sometimes unrealistic to make
your situation worse to deny an indirect support. Deciding where that line
lives is an individual decision, and one I have to regularly re-evaluate. To
expand my point in the previous post, the news coming out about FB practices
definitely made me feel like I'd have been uncomfortable even if I wasn't
working directly in ads.

------
abalone
_> They found that when a user gives Facebook a phone number for two-factor
authentication or in order to receive alerts about new log-ins to a user’s
account, that phone number became targetable by an advertiser within a couple
of weeks._

I have always been suspicious of the aggressive "give us your phone number to
secure your account" campaigns that so many sites/apps are running. And I
think this is a HUGE disservice to users.

At first I was like, cool, companies are being responsible and encouraging
good security practices, good on them. But there was something a touch too..
aggressive and "marketing-y" about it. It raised my spidey sense. Maybe the
form and frequency and placement of them just was too familiar to previous
campaigns to grab your email for "opt in" spam.

All of these companies should be shamed to high hell. Getting people to adopt
2FA is so important and here they are _shamelessly_ exploiting it to market to
you for undisclosed purposes.. well, buried in the privacy policy, but you
know how that goes. The prompt is 100% about securing your account and nothing
mentioned there about using it for targeting.

Seriously F these companies for breaking user trust.

ALSO: Did Zuckerberg lie to Congress?[1]

[1] [https://techcrunch.com/2018/04/11/facebook-shadow-profiles-h...](https://techcrunch.com/2018/04/11/facebook-shadow-profiles-hearing-lujan-zuckerberg/)

------
kevmo
I am becoming anxious to see some action out of the DOJ Anti-Trust division
against Google, Facebook, and Amazon, etc. These tech behemoths effectively
own most of the consumer internet and they use their muscle to either acquire
or force out the majority of other players. More regulation is not going to
cut it (or else it would have already).

In America (and most places), law normally lags quite a bit behind the events
of the day. Standard Oil destroyed markets unchecked for several decades in
the 1800s. No individual or company could withstand their market power. Then
the government divided it into dozens of vertically integrated companies,
which allowed for a wave of new market entrants, better deals for consumers,
and higher standards of living for more people.

We are obviously at that breaking point now with the tech behemoths and their
sprawling, impregnable market power. It is time for antitrust action against
Facebook and the gang.

~~~
trendia
I think we need proper privacy measures, since the misuse of data is not
necessarily an "antitrust issue". For instance, would breaking up Facebook
really mean that the newly formed constituents respected privacy? And would
antitrust enforcement against Google or Facebook reduce privacy exploitation
by smaller entities?

I'd argue that it would not -- 1,000 small Facebooks could still violate
privacy. Creating privacy legislation is the only real way to achieve proper
privacy guarantees.

------
a_imho
When people suggested phone 2fa was a data collection scheme they were hushed
and called tinfoils.

~~~
Freak_NL
People still do that when you point out that using a phone number as a
required identifier (WhatsApp, Signal, etc.) gives every 'free' service a near
perfect unique identifier that's the same for all services used by that
person. Ideal for cross-service collation.

Who wants a social security number when you've got someone's phone number?

~~~
baarkerlounger
Except that a phone number is as quickly and easily disposable and changeable
as an email address or any other identifier?

------
ravenstine
I talked with the lead engineers from a company back in 2014, that shall
remain nameless, that bought private profile data from Facebook, ran it
through a bunch of algorithmic mumbo jumbo, and sold the aggregated data to
marketing firms. They acted like this was really cool and awesome, much like
the wide-eyed cultists. It was very creepy, and I backed away slowly even
though this place was looking for more engineers.

This kind of thing has been going on forever, and I've told people this. 99%
of people don't actually care, though.

~~~
avivo
Are you sure the "private profile data" wasn't aggregated _before_ it was
sold? Either way, selling private data is not something Facebook is actually
known to do much (outside of misunderstandings by confused
activists/journalists). If you contact me (info in profile) I'm very curious
to understand more.

~~~
pimmen
Maybe they bought it from someone violating the terms of setting up a Facebook
app? I can't stress that this shit's illegal but I also can't stress how the
Cambridge Analytica scandal showed that Facebook had almost no way of
regulating this.

------
danShumway
You can personally decide not to use Facebook, which is good. But you can't
convince everybody to do that. So if you or your family members do use
Facebook, _at least_ install an ad blocker for all of them.

Not for privacy, but to deny them revenue. I block Google ads on every single
site I visit, period. I don't care if the advertising is non-obtrusive. If
it's being run through Google, part of that revenue is going to fuel Google's
tracking. I support creators directly instead. And if creators refuse to give
me a way to support them, that's not an excuse to expect me to contribute to
Google's bottom line.

Huge props to the people who are working on blocking trackers and protecting
privacy. I'm very glad they exist, and I don't think their efforts are
worthless. But, it is _currently_ a losing battle to fight these companies on
the privacy front, because the tracking model is so profitable that they will
always be pushing more resources into it than we are. Collectively, the people
fighting for privacy don't have enough resources to win.

But there's an easy, completely legal solution to that problem; the one thing
companies haven't figured out how to get around is ad blocking. And a good ad
blocker will block even native ads. For a company like Facebook, all of this
boils down to getting you to click on ads. If enough people target that
chokepoint, then the advertisers will start pulling out of the system, and
there'll be less financial incentive for these companies to undermine people's
security and privacy.

And we have evidence that this works. Even Google, which is the powerhouse for
getting their ads to actually show up, is starting to devote more resources
into trying to figure out how to stop mainstream people from installing
adblockers. That's where all the autoplay stuff came from, that's where the
acceptable ads initiative came from. They desperately want your roommate to
say, "I'm not going to mess around with these weird Chrome extensions or
whatever, that's too complicated. Chrome blocks this stuff itself, anyway."

Install adblock on every browser you get access to, tell ordinary people who
aren't on HN to use it, and let the advertising industry kill itself. Make it
very obvious to companies that buying ads on Facebook is a complete waste of
time because even non-technical users just won't see them.

~~~
bla2
> You can personally decide not to use Facebook, which is good. But you can't
> convince everybody to do that. Pretty scary.

Which means Facebook has a shadow profile of you even if you don't use it at
all: [http://theconversation.com/shadow-profiles-facebook-knows-ab...](http://theconversation.com/shadow-profiles-facebook-knows-about-you-even-if-youre-not-on-facebook-94804)

~~~
danShumway
Yep. And I don't know a way to get around shadow profiles.

We should try to find one. I fully support the privacy fixes people are
proposing. I think that's really important. But it's pretty obvious that
Facebook is winning right now.

However, the only thing that Facebook cares about is getting you to click on
an ad. So even if you can't stop Facebook from getting a shadow profile on
you, at least you can make that profile worthless by blocking ads literally
everywhere that Facebook can think to display them to you, for you and your
family/friends.

And you can be public about it to ensure that when Facebook goes to companies
and says, "we have all this data for your next campaign", somebody in the
sales-pitch meeting raises their hand and says, "yeah, but nobody looks at
your ads."

~~~
chopin
The workaround is called GDPR. A shadow account is illegal with that.

~~~
MzHN
The standard official Facebook response to this is that you do not own your
"shadow profile" since it's a profile made out of data gathered from other
people and companies, and thus they can not let you control it. In other words
"it is not your data".

I doubt that holds in court, but as mentioned in the article, there are people
in the EU who for months have tried to get Facebook to provide the shadow
profile data on GDPR grounds, and Facebook has yet to allow it.

It seems like Facebook can afford to stall, they've got more knowledge and
power than a single EU citizen can have, so I'm sure they know what they're
doing.

----

To be honest, I think Facebook is in breach of _multiple_ GDPR articles
_simultaneously_ here, which is quite a feat in itself.

They're in breach of:

- Privacy by Design (a.k.a. Privacy by Default)

- Right to Access

- Right to Be Forgotten (which is older than GDPR..?)

- Data Portability

Then again, Facebook is not alone. I'm pretty sure there are very, very few
companies on the web that are not in breach of GDPR at least in spirit, if not
in letter.

~~~
M2Ys4U
>I doubt that holds in court

There's a zero chance that holds in court. If it were possible to have a
negative chance it would have a negative chance of holding in court.

Data protection does not in any way relate to "ownership" of data.

If the data are personal data then you are forbidden from processing that data
unless you have one of seven lawful bases enumerated in the GDPR, and where
the data are sensitive then those bases are reduced further.

~~~
danShumway
So this is an interesting scenario that I've seen people bring up before, but
I've never been completely clear on the answer. Let's say I'm using an online
virtual assistant with auto-replies and stuff like that, and I upload your
contact information and phone number so it can help me manage my
schedule/emails/etc...

Under GDPR, the company I just gave that information to doesn't have your
permission. So, let's say that later on, you go to the company and say, "hey,
delete any information about me." For them to comply, they can't keep on
syncing your contact information in my address book, right?

I guess, how does GDPR handle a situation where a separate customer is going
to Facebook and saying, "hey, let me put in that I'm X's cousin"? Should
Facebook block that person from specifying the relationship in the UI? Or
would that just fall under "essential for business"?

------
boraturant
As an FB Marketing API developer, this has been available for several years.
The way it works, advertisers can send their phone list to FB for ad
targeting. However, phone hashes are sent, not clear ones.

Personally, as long as the user has opt-out and opt-in options, I don’t
think ad targeting is necessarily an unethical pattern; the blurring lines of
ads and recommendations would actually be a pattern that users might like.
Would you rather use Netflix or Spotify without a recommendation engine?
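An added example, written for this page and not code from the article, from any commenter, or from Facebook's Marketing API, that works through both halves of this discussion: the hashed-email exchange between jsjohnst and tener above, and the hashed phone-list upload boraturant describes. The names, addresses and numbers are constructed; the normalization rules (lower-case email, digits-only phone including the country code) are assumptions for illustration, not any platform's documented rules. It shows that two parties holding the same identifier match on the unsalted hash alone without cleartext crossing the boundary, and that the very same property lets anyone holding a candidate list (a predictable `site@domain` alias, every number under a known prefix) confirm what a hash stands for, which a keyed HMAC prevents:

```python
"""Why hashed identifiers still link people across parties (added example).

Constructed data only: every name, address and number below is made up.
The normalization rules are assumptions for illustration, not the exact
rules any ad platform applies.
"""
import hashlib
import hmac
import itertools
import re
from typing import Iterable, Optional


def normalize_email(addr: str) -> str:
    """Lower-case and trim so both sides hash the same bytes."""
    return addr.strip().lower()


def normalize_phone(num: str) -> str:
    """Keep digits only (country code included) so formatting differences vanish."""
    return re.sub(r"\D", "", num)


def sha256_hex(value: str) -> str:
    """Unsalted SHA-256, the kind of hash the thread says audience uploads use."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hmac_hex(key: bytes, value: str) -> str:
    """Keyed alternative: without the key, hashing guesses tells you nothing."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed platform records: what the service already holds about its users.
PLATFORM_USERS = {
    "user-1": {"email": "Alice.Example@Example.org", "phone": "+1 (555) 010-2000"},
    "user-2": {"email": "bob@example.net", "phone": "+1 555 010 2001"},
    "user-3": {"email": "facebook.com@carol-domain.example", "phone": "+44 20 7946 0000"},
}


def build_platform_index(users: dict) -> dict:
    """Hash -> user id for every identifier the platform knows about its users."""
    index = {}
    for uid, rec in users.items():
        index[sha256_hex(normalize_email(rec["email"]))] = uid
        index[sha256_hex(normalize_phone(rec["phone"]))] = uid
    return index


def advertiser_upload(contacts: Iterable[str]) -> list:
    """Advertiser side: hashes of its own contact list, never the cleartext."""
    hashes = []
    for contact in contacts:
        if "@" in contact:
            hashes.append(sha256_hex(normalize_email(contact)))
        else:
            hashes.append(sha256_hex(normalize_phone(contact)))
    return hashes


def match_audience(uploaded: Iterable[str], index: dict) -> dict:
    """Platform side: join on the hash alone. The match is exact or nothing,
    which is why both sides must normalize identically before hashing."""
    return {h: index[h] for h in uploaded if h in index}


def reidentify(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary check: hash each guess and compare. Only works on unsalted hashes."""
    for guess in candidates:
        if sha256_hex(guess) == target_hash:
            return guess
    return None


def alias_candidates(sites: Iterable[str], domains: Iterable[str]) -> Iterable[str]:
    """Guesses for the 'sitename@mydomain' catch-all pattern discussed above."""
    for site, domain in itertools.product(sites, domains):
        yield f"{site}@{domain}"


def phone_candidates(prefix_digits: str, suffix_len: int) -> Iterable[str]:
    """Every number under a known prefix: 10**suffix_len guesses, cheap on any CPU."""
    for n in range(10 ** suffix_len):
        yield f"{prefix_digits}{n:0{suffix_len}d}"


if __name__ == "__main__":
    index = build_platform_index(PLATFORM_USERS)
    # Differently formatted advertiser list still matches two of the three users.
    upload = advertiser_upload(["ALICE.EXAMPLE@example.org", "+1 555-010-2001", "nobody@example.com"])
    print("matched user ids:", sorted(match_audience(upload, index).values()))
    alias_hash = sha256_hex("facebook.com@carol-domain.example")
    print("alias recovered:", reidentify(alias_hash, alias_candidates(["facebook.com"], ["carol-domain.example"])))
    print("keyed hash recovered:", reidentify(hmac_hex(b"advertiser-secret", "facebook.com@carol-domain.example"),
                                              alias_candidates(["facebook.com"], ["carol-domain.example"])))
```

The defender's takeaway: an unsalted hash of a low-entropy identifier is a matching key, not anonymization. A keyed hash stops third-party dictionary checks, but it also stops cross-party matching unless both sides share the key, which is exactly why an audience-upload design built for matching uses plain SHA-256 and why "we only send hashes" is not a privacy guarantee.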

~~~
mattlondon
Thanks for the info - didn't think of this angle (i.e. advertisers sending a
list of numbers to target, and Facebook tying that to the cookie ID they
have on you). There I was wondering how this works in a browser, since browsers
don't know your phone number (right?).

> Would you rather use Netflix or Spotify without recommendation engine?

100% yes.

Personally for me the term "personalisation" is becoming a dirty word and I am
becoming uneasy when I hear it mentioned in design docs and product launches
etc. I don't want to see what some algorithm thinks I want to see. Instead I
would prefer to see the real, unfiltered, unfettered data. I think the whole
Fake News outcry started me thinking about it in a more deep way.

Imagine if you went into a fancy restaurant for some special occasion and the
waiter took a look at you as you walked in and brought you a "special" menu
based on some decision they made silently in their own head about what they
think you want. Rightly you'd want to see the _full_ menu and not just what
they think you want to see. Sure I'd welcome them pointing out some highlights
on the menu, but I'd appreciate seeing the whole thing before making up my own
mind.

As a result now I use DuckDuckGo exclusively and have Firefox set up with
Google Container[1] to keep the Google cookies separate from everything else
(I don't use Facebook at all so their cookies are entirely blocked as 3rd
party) as well as the usual uBlock Origin, Privacy Badger et al. I am even
toying with the idea of moving away from my Gmail that I've been using since
2004/05.

1 - [https://addons.mozilla.org/en-US/firefox/addon/google-contai...](https://addons.mozilla.org/en-US/firefox/addon/google-container/)

~~~
394549
> Personally for me the term "personalisation" is becoming a dirty word and I
> am becoming uneasy when I hear it mentioned in design docs and product
> launches etc. I dont want to see what some algorithm thinks I want to see.
> Instead I would prefer to see the real, unfiltered, unfettered data. I think
> the whole Fake News outcry started me thinking about it in a more deep way.

That's also a corruption of the meaning of "personalisation." Personalisation
is about _me_ making choices to adapt a product to _my_ preferences, it's not
about _the product_ making choices about how to interact with me.

Real personalisation would be having the (sticky) option to shut the algorithm
off and "see the real, unfiltered, unfettered data."

------
Spearchucker
All my personal details on Facebook are (and have always been) false. My phone
number is the number of a hotel in Monte Carlo. When Facebook nagged me to
give them my mobile number for 2fa I ignored them. My friends thought I was
crazy. I know it's not exactly gracious of me but feeling very self righteous
right about now.

~~~
Loughla
So you're stuffing it full of false data, but still connected to people who
aren't stuffing it full of false data?

That seems like a lot of effort for no real payoff.

~~~
epicide
This is basically the only reason I don't "delete" my Facebook account. I have
so many family members and friends that I cannot realistically prevent putting
pictures and the like about me on Facebook.

At least I can see some of what Facebook has about me instead of none.

------
usrusr
The other really stupid thing, besides generally hurting the adoption of 2FA
forever, is that they probably did it for hardly more than scraps, compared to
their conventional ad targeting capabilities.

Maybe I am completely wrong about this, but I'm pretty convinced that almost
all of the ad spending for that feature would have reached Facebook's coffers
anyways had it not been available.

~~~
neotek
At Facebook's scale even the scraps can be worth millions.

And the sad truth is that the vast majority of people will not be deterred by,
be aware of, or even understand the fact that Facebook is abusing their phone
number in this way, so as far as Facebook is concerned it's a small bump in
the long road to increased profitability.

~~~
usrusr
> At Facebook's scale even the scraps can be worth millions.

Sure, but the same is true about negative headlines, the effect is just more
difficult to quantify.

Maybe it's a general world view problem within Facebook, but usually these
things are the result of one overly ambitious person or group optimizing the
singular bonus metric of their own little fiefdom at the cost of corporation-
wide commons. Big organizations need to be extremely vigilant in their defense
against internal foes who won't blink an eye costing the company billions for
a gain of millions as long as the latter will be attributed to them while the
former won't.

------
css
> A spokesman also told us that users can opt out of this ad-based repurposing
> of their security digits by not using phone number based 2FA.

That's one way to encourage people to use 2FA App, I guess.

~~~
jandrese
Note however that to enable any other type of 2FA you first have to give them
your phone number. You can delete your phone number afterward, but it's too
late, they have seen everything.

~~~
css
Interesting, thanks for letting me know. I don't have an account. I understand
_why_ they require you to verify a phone number though, for the exact reason
this article explains.

~~~
jandrese
The phone number isn't for your protection (it's actually really terrible for
2FA), it's for Facebook's protection. It's an anti-bot mechanism to require a
unique phone number for each account, or no more than 5 accounts per number or
so.

They also refuse VoIP numbers for authentication.

------
pilif
Didn't we have this discussion already earlier this year and they told us it
was an unfortunate bug and that it has been fixed?

Yes. Yes. We did: [https://www.theverge.com/2018/2/16/17022162/facebook-two-fac...](https://www.theverge.com/2018/2/16/17022162/facebook-two-factor-authentication-sms-notifications-security-bug)

~~~
darthoctopus
not relevant

~~~
pilif
I think it is relevant: back in February they made us believe that them using
2FA phone numbers for marketing purposes was a bug and today we learn that
them using 2FA phone numbers for marketing purposes is a feature.

So either they lied in February or they have changed their minds. Either way,
I think there is value to bring this very similar discussion back to our
minds.

------
unquietcode
Facebook gonna Facebook. It's long past time to consider regulation of an
ethically bankrupt corporation.

~~~
everdev
Why have costly government regulation when users can just quit?

Plenty of other online and offline ways to connect with the people in your
life.

~~~
lumberjack
Users cannot "just quit". Facebook probably has a profile for my grandma who
never touched a PC in her whole life.

~~~
everdev
Many people can't quit because they are addicted, but there is an option to
permanently delete your account and it takes about 5min. I'm not aware of
Facebook creating profiles for people that haven't signed up for their
service. If so, that should definitely be illegal.

The government should have bigger fish to fry than trying to regulate the
distribution of information that you have and continue to willingly provide to
a company. If you don't like it, sure government could jump in and make
Facebook just how you like it, or you could delete the info you don't want
them to have. The latter sounds easier on everyone.

------
makecheck
I only use Facebook like every month now but it _always_ asks about my phone
number. It also asks me to enable a log-in short-cut every time.

This last time, they crossed a line: they _pre-filled the field_ (I do NOT
have this set up in the browser), meaning they _already figured out my number_
(probably by scrubbing some friend’s phone) and just want it confirmed. To
hell with that. I would _not_ be surprised if every spam call in existence can
be traced to Facebook.

------
dangrover
Inaccurate headline. Being targetable is different than them "giving access"
to the information. The actual information is not shared with anyone.

~~~
megous
Though you can probably get at least an IP address, and if you create a nice
looking fake e-shop with something your target may want, ... they may give you
the rest.

Phishing ads on FB may be less obvious than sending them a phishing link over
e-mail.

------
magicalhippo
It's also entirely what I expected, hence why I haven't given Facebook my
number. Not sure why anyone is surprised by this to be honest.

~~~
asaph
Facebook probably knows your phone number anyway because your friends have
likely shared their phone's contacts with Facebook.

~~~
ddeck
Or if you use Whatsapp. Their privacy policy makes this pretty clear:

 _As part of the Facebook family of companies, WhatsApp receives information
from, and shares information with, this family of companies. We may use the
information we receive from them, and they may use the information we share
with them, to help operate, provide, improve, understand, customize, support,
and market our Services and their offerings. This includes helping improve
infrastructure and delivery systems, understanding how our Services or theirs
are used, securing systems, and fighting spam, abuse, or infringement
activities. Facebook and the other companies in the Facebook family also may
use information from us to improve your experiences within their services such
as making product suggestions (for example, of friends or connections, or of
interesting content) and showing relevant offers and ads._

Bizarrely, whilst general everywhere else, the policy specifically calls out
banner ads to make it clear that they won't use them until they do, at which
point they'll stop saying they don't:

 _No Third-Party Banner Ads. We do not allow third-party banner ads on
WhatsApp. We have no intention to introduce them, but if we ever do, we will
update this policy._

[https://www.whatsapp.com/legal/#privacy-policy-affiliated-co...](https://www.whatsapp.com/legal/#privacy-policy-affiliated-companies)

~~~
enriquto
> We do not allow third-party banner ads on WhatsApp. We have no intention to
> introduce them, but if we ever do, we will update this policy.

I wonder how they come up with this kind of language? Do they write a short
text that gets filtered several times by multiple teams of lawyers and comes
down to this? I cannot honestly imagine a sane human being writing such
intricate bullshit, even on purpose.

------
puppetmaster
It should be already well understood that free services aren't free. To me the
moral issue of the story is how Facebook isn't upfront about "the cost" of the
services they provide.

You want to use facebook to get in touch with friends? We all now know that
you will be targeted by ads customized with every piece of information that
you reveal (and some bits that you are not even aware you are revealing...)

Assume that an extra layer of security is also costing you some privacy.
Interesting dilemma...

~~~
ben_w
It is not well understood that they are a service.

To many people it is more like a place, and places are free. Sure,
_technically_ you can buy a place and own it and charge for access, and
_technically_ somebody owns almost all places you might care to go to, but
mostly we think of them as free.

The fact that it costs nothing, monetarily, to access… that very thing often
makes something seem like it has no cost.

~~~
gdrift
I don't understand why people think these services cost nothing monetarily.

All ads are not free, all advertised products already include the cost of
advertising in their price.

So everybody is paying for those "free" services whether they use them or
not.

~~~
ben_w
I suspect most people don’t get as far as “thinking” that in a conscious,
deliberative, system-2 sense of the word — They see no price tag, so it’s
free.

------
marssaxman
I always imagined they would probably end up doing this, and that's why I've
never accepted 2FA anywhere a site has tried to push it on me. They can't spam
me if they don't know my number...

~~~
JoshTriplett
Good 2FA does not involve phone numbers.

I use 2FA on sites that support TOTP.

------
kerng
Again? Weren't they called out on this about half a year ago already? Did they
continue doing this? How irresponsible, and what a total lack of any ethical
standard. It's horrible but mostly just sad that users are just a commodity to
make profit. So let's trick them to sign up for 2FA to pretend they have more
security and then we can send them nice little ads. What a bad company this
has become.

------
spr1ted
People of multiple platforms dislike me for discrediting facebook. Simply
talking about facts and what they could expect. They think they know it all.
Some corps are good some are evil. People tend to forget that an evil person
could also be your most trusted and reliable one. I work as a cyber security
engineer and the things I have seen flying by are crazy. The fact that
information is sold without your knowledge is real. It's a dark world out there
in disguise.

~~~
fosco
What can we do about it? I realize this is probably not answerable in this
thread but I find myself asking this question more frequently lately and I
still cannot answer it.

I would be happy to see this discussion split into an Ask HN: or other, I think
this topic should be debated quite a bit more than it is with the goal of
attaining real results on fixing these issues.

~~~
jzl
Simple: delete your Facebook account. Many of us already have. Nothing will
send a stronger message than people doing this en masse. Even if they don't
get the message or don't care, it's the only way to protect yourself from
their never-ending privacy violations.

~~~
Ari_Ugwu
This. Though I will say, in my opinion tech companies are more or less wild
animals we pretend are domesticated.

Nothing is free.

Facebook continues to do good for people. Twitter as well. These are
invaluable communication channels for many people.

I imagine this problem will get fixed about the same time my physical spam
mail stops arriving. I'm not holding my breath, given that I can _say_
something to my wife in the privacy of our own home and get a cold call or
physical mailing about it a few weeks later.

I try to encourage people to pay for the services they believe in. Whether you
love or hate Microsoft for $6.99/mo you can get Office, (decently private)
email, cloud storage, and Skype. Hate Skype? Don't blame you but from there
you can get a phone number that you can give out and keep your personal number
just for family/emergencies.

This sends a powerful message to folks trying to build a better mouse trap. It
is _very_ hard to produce a free service that competes with these folks but if
we show we're willing to pay for privacy then maybe we'll start to see
competitive innovation in that space again.

Now that I have a family it inspires rage that my phone rings constantly from
spammers and I might ignore a call that's time sensitive and important.

~~~
cdcfa78156ae5
> Whether you love or hate Microsoft for $6.99/mo you can get Office,
> (decently private) email, cloud storage, and Skype. Hate Skype? Don't blame
> you but from there you can get a phone number that you can give out and keep
> your personal number just for family/emergencies.

Microsoft compromises the security and privacy of all of their online
services, including Skype, Outlook.com, and Hotmail:
[https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...](https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data)

A much better alternative is to give your money to independent telephony
providers that run on, and support, Free Software:
[https://jmp.chat/](https://jmp.chat/)

------
_Microft
I had my mobile phone number appear pre-filled in an
add-your-number-to-your-account prompt on Facebook's mobile website while I
never provided it in any way to Facebook myself (in the meaning of: neither
added it to my account nor mentioned it ever on the website; I never used their
apps at all either). They had farmed it from one of my contacts' address books
obviously. Not surprising that they'd do that but still a disconcerting feeling
to actually see it happen.

~~~
philipodonnell
TBF that might have been your browser doing the pre-filling.

------
akerro
I'm in a weird situation, I opened my facebook account with a phone number,
not email, my username is the phone number I had ~5 years ago. I lost the sim card
~4.5 years ago, so since then I still use the same login. Every time I login
facebook asks me to update my phone number because it's no longer valid, so
they probably know it's been recycled and someone else owns the number.
Another thing... a year ago, I got a new sim card with new phone number again
(I change my number every 1-2 years), and since that time I can't use this
phone number to setup 2FA because... someone else on Facebook has this number
in their profile!

~~~
batuhanicoz
It's admittedly off topic but if you don't mind me asking, what are the
reasons for you to change your number every 1-2 years? Doesn't that complicate
things with past clients, old friends and maybe even with family?

I changed my number 3 years ago but I _still_ keep my old number active
because it occasionally gets calls or text from past contacts.

~~~
akerro
I don't use phones for communication, I rely much more on emails. My friends
and family know how to contact me and they know that my phone number might
stop working any time. I don't give phone numbers to clients, as I don't want
to be disturbed when they want something, instead I respond to emails when I
have time.

------
tjoff
I guess EU users should be fine? GDPR is a masterpiece.

I actually assume that they violate GDPR, but GDPR gives users a sliver of
chance to fight back.

------
qwerty456127
Wait? Did somebody ever doubt this? I always believed collecting phone numbers
for their marketing needs is exactly the reason why any of the social
networks ever introduce SMS auth.

------
newscracker
The situation is such that this is what's expected of Facebook. It would be a
shocker if Facebook didn't do this. Actually, it's quite surprising that it
took so long to do this.

Bottom line, Facebook will devalue you as a human and invade your privacy in
any manner possible for as long as it can withstand legal pressures and get
away with paltry fines. Obviously, all these measures are to provide users
with a better experience. That's Facebook's DNA.

------
psykus
You'll notice whenever you get the banner to add a phone number for 2FA, it
says "add your phone number for additional security _and more_"

~~~
daemin
I also hate how all the social media apps want to grab your address book to
"see who else you know on here". They _all_ do it.

~~~
JetSpiegel
At least on recent Android you can deny it. The UI doesn't support it and you
need to resort to hacks such as
[https://whatsappwithoutcontact.com/](https://whatsappwithoutcontact.com/)

~~~
daemin
For WhatsApp in its initial incarnation I did not mind allowing it access to
my contacts since the phone number was the way it identified people and since
it was universal.

With these upcoming incarnations I'm not sure I want to use it, and I'll be
looking for a simple IM application which just charges a simple fee for
service.

------
Bhilai
The only justification I could come up with is that Facebook has grown so big that
"one hand does not know what the other hand is doing." The security and
privacy folks at Facebook agreed to this kind of abuse is somewhat hard to
believe and the most likely explanation is that these features never got fully
reviewed and vetted. Either way it's a big failure.

------
Aunche
Don't get me wrong, this is absolutely a scummy thing to do since it's
deceptive. That said, I don't understand why everyone thinks this is such a
big deal. They already have your phone number from 2FA anyways, and they
already show advertisements. What difference does it make that they let
advertisers target people based on their number?

------
chadash
I'm not sure I understand what's going on here and the article doesn't really
explain. What does it mean that they are "using your 2FA phone number"? It
doesn't seem like they are texting ads to people. Are they just using the area
code to determine where you live?

~~~
p49k
Advertisers can upload lists of phone numbers that represent people they want
to see their ads. Facebook matches those up with your 2FA phone number to show
you those ads.
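
The matching step p49k describes, as an added Go example (not code from the thread, from Facebook, or from any ad platform): the advertiser normalizes and SHA-256-hashes its own phone list before uploading, the platform hashes every number it holds the same way, and the two sets are joined on the digest. The normalization rule, the source labels, and every account ID and number below are constructed assumptions. The example also shows the one check a purpose-limitation policy would add: each stored number is tagged with why it was collected, and a number collected only for 2FA is refused as a match key.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Why a number was collected; only SourceProfile was volunteered for general use.
const (
	SourceProfile       = "profile"
	SourceTwoFactor     = "2fa"
	SourceContactUpload = "contact-upload"
)

type UserRecord struct {
	AccountID string
	Phone     string
	Source    string
}

// normalizePhone reduces a human-formatted number to bare digits with a
// country code, so the same number hashes identically however it was typed.
// Assumption: a number without "+" and with ten digits belongs to defaultCC.
func normalizePhone(raw, defaultCC string) string {
	raw = strings.TrimSpace(raw)
	var b strings.Builder
	for _, r := range raw {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	digits := b.String()
	if strings.HasPrefix(raw, "+") || len(digits) != 10 {
		return digits
	}
	return defaultCC + digits
}

func hashPhone(normalized string) string {
	sum := sha256.Sum256([]byte(normalized))
	return hex.EncodeToString(sum[:])
}

// hashList is what the advertiser computes on its own list before uploading;
// the platform never receives the raw numbers, only these digests.
func hashList(raw []string) []string {
	out := make([]string, 0, len(raw))
	for _, r := range raw {
		out = append(out, hashPhone(normalizePhone(r, "1")))
	}
	return out
}

// buildIndex hashes every number the platform holds the same way; that alone
// joins the two sets, so the digest hides nothing from the platform.
func buildIndex(users []UserRecord) map[string]UserRecord {
	idx := make(map[string]UserRecord, len(users))
	for _, u := range users {
		idx[hashPhone(normalizePhone(u.Phone, "1"))] = u
	}
	return idx
}

// matchAudience resolves uploaded digests to account IDs, but only through
// records whose collection purpose is in allowedSources. The IDs stay inside
// the platform; the advertiser only gets its ads shown to those accounts.
func matchAudience(idx map[string]UserRecord, hashed []string, allowedSources map[string]bool) []string {
	var matched []string
	for _, h := range hashed {
		if u, ok := idx[h]; ok && allowedSources[u.Source] {
			matched = append(matched, u.AccountID)
		}
	}
	return matched
}

// Constructed sample data; no real accounts or numbers.
func sampleUsers() []UserRecord {
	return []UserRecord{
		{"acct-1001", "+14155550101", SourceTwoFactor},
		{"acct-1002", "+14155550133", SourceContactUpload},
		{"acct-1003", "+442079460958", SourceProfile},
	}
}

func sampleAdvertiserList() []string {
	return []string{"+1 (415) 555-0101", "415-555-0133", "+44 20 7946 0958", "+1 650 555 0000"}
}

func main() {
	idx := buildIndex(sampleUsers())
	upload := hashList(sampleAdvertiserList())
	anySource := map[string]bool{SourceProfile: true, SourceTwoFactor: true, SourceContactUpload: true}
	profileOnly := map[string]bool{SourceProfile: true}
	fmt.Println("no purpose limitation:", matchAudience(idx, upload, anySource))
	fmt.Println("profile numbers only: ", matchAudience(idx, upload, profileOnly))
}
```

Hashing the upload protects the advertiser's list from the platform only in name: phone numbers are low-entropy and the platform hashes its own copies identically, so the join succeeds either way. What hashing does prevent is the advertiser learning which accounts matched. The `allowedSources` gate is where a defender enforces that a number collected for 2FA is never used as a match key; without it, the 2FA-sourced `acct-1001` and the contact-upload-sourced `acct-1002` are matched exactly like a number the user volunteered.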

------
bogomipz
And yet in April Mark Zuckerberg told the US Congress that he wasn't
"familiar" with shadow profiles[1]:

Lujan: Facebook has detailed profiles on people who have never signed up for
Facebook, yes or no?

Zuckerberg: Congressman, in general we collect data on people who have not
signed up for Facebook for security purposes to prevent the kind of scraping
you were just referring to [reverse searches based on public info like phone
numbers].

Lujan: So these are called shadow profiles, is that what they’ve been referred
to by some?

Zuckerberg: Congressman, I’m not, I’m not familiar with that.

[1] [https://techcrunch.com/2018/04/11/facebook-shadow-profiles-h...](https://techcrunch.com/2018/04/11/facebook-shadow-profiles-hearing-lujan-zuckerberg/)

~~~
igravious
Quelle surprise.

I bet plausible deniability is that they call them by a different name
internally.

Information brokers are so sketchy – it makes me so sad that the coolest tech
companies are also some of the sketchiest.

Do you remember back when the internet and web were all so full of promise?
Instead we got tech behemoths that would put Standard Oil and AT&T in their
day to shame.

~~~
bogomipz
I wouldn't count FB to be among the "coolest" tech companies. Maybe 10 years
ago they had some cachet but today it's just Mega Corp.

------
vezycash
On android, if messenger handles SMS, FB knows how much you have in the bank
and your transactions.

~~~
saiya-jin
having any FB-developed app on your phone is a serious mistake in the first
place

~~~
CalRobert
It's a mistake many people make just by buying a phone. I had an HTC M8 and
liked it except that they made it absolutely impossible to remove FB until I
flashed Lineage on to it.

------
makecheck
This is the kind of thing that is stupidly hard to fight now. Even if you
block Facebook’s 80,000 domains at your router, your friend’s address book
dump gives lots of goodies to Facebook and 3rd parties and you can’t touch it.
Every new thing they try becomes illegal in 2 years “but not yet” so they do
it until they can’t.

Sometimes it seems like the “Default deny” security concept needs to apply to
Internet companies. Instead of having _years_ to screw with data and the
Internet until told “no”, how about every idea they have is illegal until it
can be proven through thorough review that it might be valuable?

------
TheKarateKid
This is probably the reason Jan Koum left Facebook. He knew the betrayal of
privacy promised of Whatsapp was completed by Facebook by doing exactly this.

This doesn’t surprise me at all. Facebook has been bothering me for YEARS to
enter my mobile number for “account recovery” purposes. My email is fine for
that.

Now Facebook is recommending pages and friends to me who I only am connected
with on Instagram. Not to mention Facebook notifications are now integrated
into IG. I wouldn’t be surprised if these were the final nails that made Kevin
Systrom leave.

------
happybuy
This should have been obvious for anyone who is paying attention.

When data collection and advertising companies such as Facebook (and Google)
push a feature actually beneficial to users so aggressively – such as 2FA –
during the sign-up process; you'd have to be naive to think it's for your
benefit.

It's not 2007 any more... tech savvy users should know better than to trust
such organisations with any scrap of additional personal information than
absolutely necessary.

~~~
type0
Tech savvy or not, really there's no way any current fb user would be
concerned with it nowadays and they will continue to rat you out to the fb
apparatus. You know how they say "ignorance is bliss".

------
bigtyy
I believe that for us to wait for our governments to have to make regulations
around our privacy and data is overly optimistic. Since companies like Google
and FB exist on a global market, the only way to truly bring about any real
changes is to take away the very thing that they're looking for, and that's
our use of said services.

As someone that works daily with the general public trying to educate them on
the safety and use of their technology, I often ask what their feelings are on
the subject of companies like FB and Google selling their data to anyone
willing to pay for it. The response I get the vast majority of the time is
that they aren't doing anything illegal, so why would they care? My response
to that is "Would you let strangers walk into your house and dig through your
personal items?". Every time I get the same response: "Of course not!" Well,
in my mind this is no different.

I've read a lot of suggestions on what we feel government should do to
regulate these things, but we need to face facts here. Society is addicted to
many of these services. The simple solution would be to just STOP USING THEIR
SERVICES. There are alternatives to both of those services. We now know that
the data being collected and sold has the potential of revealing information
that could be used maliciously against us, and we complain about what's going
on. But then many people turn right around and continue to use the free
service. I truly feel that this isn't totally an issue with government
regulation as much as it is an issue with the vast majority of its users being
completely addicted to it.

If we want to truly make any kind of impact we need to take personal
responsibility for these things. And not only that, but as people that are
knowledgeable on these topics we need to educate those non-technical people
around us on just what it is they're giving up when they click Accept on their
EULAs and privacy agreements. As much as I dislike what FB and Google are
doing, at the end of the day they are counting on the fact that the general
public won't spend even 30 seconds reading these agreements. If users care so
little about the fact that they're making a legally binding agreement, why
would FB and Google? Most are so concerned with getting access to whatever
service they're attempting to gain access to that they just click the accept
button with little or no thought about what it is they're agreeing to.
Government can't be expected to do our thinking for us.

------
joesb
Umm, based on the content of the article, no, Facebook did NOT give advertisers
access to your shadow contact information.

Advertisers can specifically say that they want to advertise to a phone number
THAT THEY ALREADY HAVE (READ: THE ADVERTISER ALREADY KNOWS WHO YOU ARE). And
Facebook will display those ads to the Facebook account that uses that phone
number in its shadow contact info.

At no point does the advertiser have access to which Facebook account that is.

~~~
tomhoward
From the guidelines:

> Please don't use uppercase for emphasis. If you want to emphasize a word or
> phrase, put _asterisks_ around it and it will get italicized.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
yumraj
We know that social networks are here to stay, and even if people disagree the
writing is on the wall for Facebook to have a Myspace moment, as soon as an
alternative is available.

What will it take for some prominent VCs/Investors to just come together and
create a fund to fund FB replacement? If done right, they will make a killing
(from a returns perspective).

------
type0
Orwell's final warning is chilling and beautiful, in some kind of perverse
metaphorical sense it's strangely relevant to the future of the Brave new
world that we are "faced with":

[https://www.youtube.com/watch?v=SIoAX5bI6S0](https://www.youtube.com/watch?v=SIoAX5bI6S0)

edit: typo

~~~
tremon
George Orwell didn't write Brave New World, though.

~~~
type0
I haven't said that he did, I just meant things probably won't be completely
Orwellian.

------
njarboe
The article states that you can give Facebook a list of phone numbers or email
addresses and it will put your ad in front of only those people. Does anyone
know how small a list you can target? List of one? List of one plus N number
of dead email addresses? Therefore a list of one, but more expensive?

------
anfilt
Honestly, I hate how many 2FA systems want you to use a phone number. There
are other ways that are much better.

~~~
snarfy
Everybody punts security issues from identification to the next guy.
Eventually the only safeguard left between you and the bad guys is a minimum
wage salesman working at the t-mobile counter. It's sad to know that all of
your primary email addresses, with links to online shopping accounts with
credit cards, bank accounts, etc, can all be accessed by spoofing your phone
number.

~~~
anfilt
I honestly wish sites would use client side certs or auth via a private key.

~~~
tialaramex
Client side certs mean now every user has a verifiable identity. Maybe you're
OK with Facebook knowing your full ID, but is it also OK to tell Grindr,
Redtube and Amazon?

Security Keys are better here. The security key can prove to a site that it's
the same one as before. "Before what?" Well that's up to the site. In most
cases it's going to register one or more keys when you sign up to the site,
and then check you still have one when logging in. This is completely useless
for everything except the one thing it's intended for, a Second Factor during
login.

~~~
anfilt
You can always generate a new key pair though. I don't necessarily mean a cert
signed by a CA. More akin to using a key pair for SSH.
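
The register-then-challenge flow tialaramex describes, together with anfilt's point that the device can simply generate a fresh key pair, as an added Go example (not code from the thread or from any security key vendor). It derives a separate Ed25519 key pair for each relying-party ID from one device secret, so two sites receive unrelated public keys and have nothing to link, and it binds every signature to the rpID so an assertion produced for one site is rejected by another. The HMAC-based derivation, the site names, the user name and the device secret are constructed assumptions; real tokens use their own per-credential scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SecurityKey models the token: one device secret, everything else derived.
type SecurityKey struct{ deviceSecret []byte }

// keyFor derives a distinct Ed25519 key pair for each relying-party ID, so two
// sites see unrelated public keys. Assumption: HMAC-SHA256(deviceSecret, rpID)
// as the 32-byte seed; this only shows the idea, not a real token's scheme.
func (k *SecurityKey) keyFor(rpID string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, k.deviceSecret)
	mac.Write([]byte(rpID))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Register hands the site the public key it should store at sign-up.
func (k *SecurityKey) Register(rpID string) ed25519.PublicKey {
	return k.keyFor(rpID).Public().(ed25519.PublicKey)
}

// signedMessage binds the challenge to the rpID the token believes it is
// talking to, so an assertion for one site is meaningless at another.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// Assert answers a login challenge for rpID with the key derived for it.
func (k *SecurityKey) Assert(rpID string, challenge []byte) []byte {
	return ed25519.Sign(k.keyFor(rpID), signedMessage(rpID, challenge))
}

// RelyingParty is the site. It stores only public keys, per user.
type RelyingParty struct {
	ID   string
	keys map[string][]ed25519.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string][]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) {
	rp.keys[user] = append(rp.keys[user], pub)
}

// NewChallenge is fresh per login attempt, which is what defeats replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify is the whole second factor: did some key enrolled for this user
// sign this exact challenge for this exact site?
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	msg := signedMessage(rp.ID, challenge)
	for _, pub := range rp.keys[user] {
		if ed25519.Verify(pub, msg, sig) {
			return true
		}
	}
	return false
}

// demo enrols one token at two constructed sites and reports three things:
// the sites hold different public keys, a genuine login verifies, and an
// assertion the token produced for the other site is rejected.
func demo() (unlinkable, loginOK, crossSiteRejected bool) {
	key := &SecurityKey{deviceSecret: []byte("constructed-device-secret-not-a-real-token")}
	siteA, siteB := NewRelyingParty("social.example"), NewRelyingParty("shop.example")
	pubA, pubB := key.Register(siteA.ID), key.Register(siteB.ID)
	siteA.Enroll("alice", pubA)
	siteB.Enroll("alice", pubB)
	unlinkable = !bytes.Equal(pubA, pubB)

	ch := siteA.NewChallenge()
	loginOK = siteA.Verify("alice", ch, key.Assert(siteA.ID, ch))
	// Same challenge, but the token was told it was talking to siteB, as it
	// would be if a look-alike site relayed siteA's challenge to the user.
	crossSiteRejected = !siteA.Verify("alice", ch, key.Assert(siteB.ID, ch))
	return
}

func main() {
	u, ok, rej := demo()
	fmt.Println("unlinkable:", u, "login ok:", ok, "cross-site rejected:", rej)
}
```

This is the contrast with a CA-signed client certificate: the certificate carries one identity to every site, while here each site only ever learns a public key that exists nowhere else, and the site can still confirm on every login that the same device is present. The rpID inside the signed message is also why a relayed challenge fails to verify.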

------
tombert
It upsets me that the "normal" way to keep in touch with people now seems to
be to use some kind of big-brother-esque system.

I try and evangelize Signal over WhatsApp and most of my friends won't budge.
I deleted my Facebook four years ago, and as a result I have lost contact with
a lot of friends.

~~~
Brockenstein
Before this sort of technology keeping in contact with friends wasn't trivial.
Both parties had to want to keep it up. And if they didn't, or you didn't, you
just lost contact with a lot of people as a normal matter of course. Everyone
moved on with their lives, you met new people, and so on.

That there is this artificial world where people can arbitrarily keep in
contact doesn't make that sort of non-interaction of occasionally commenting
on or liking posts normal or better. It certainly is easy though to search for
someone you knew ages ago, add a friend, have the five minute conversation of
what's been going on the last five, ten, twenty years and then never really
talk again.

In this regard facebook isn't the problem, and your preferred platform isn't a
solution. The problem is people.

------
tempodox
Is anybody still surprised that everything FB touches ends up being an
unethical swamp?

------
pard68
I work in sysops. Our user base is largely 40+ year olds. It has taken us
nearly two years to convince our users to use a phone or email for password
resets. We are now moving to 2fa and this sort of stuff only hurts the
industry.

------
FrostyBear
The big picture here seems to be eluding people. Let's not get bogged down
with semantics and logistics. It boils down to self preservation, people need
to understand who/ what that "self" is.

~~~
Number8
Well Frosty, I for one am glad to see the struggle and gasping for oxygen. As
for hope in each generation, I honestly believe #3 is growing stronger each
day. We are alive in a great moment in time.

------
sandov
>The researchers also found that if User A, whom we’ll call Anna, shares her
contacts with Facebook, including a previously unknown phone number for User
B, whom we’ll call Ben.

Why didn't the author use Alice and Bob?

------
d--b
"Why did you never join facebook?" they used to ask me.

------
WA
No surprise. But what can one do? Btw this is definitely not GDPR-compliant,
because consent isn’t given for using the phone number this way.

I feel helpless, even though GDPR is in place.

------
tambourine_man
At what point are people going to stop being surprised by news like this?

That’s their business model, it’s what they do. If you use it, treat all data
as public. Otherwise, don’t.

------
throwaway122378
One would think they’ve learned and will stop. On the other hand, they’ve been
getting away with this type of behaviour so WHY STOP

------
EZ-E
Does this affect Facebook's "Account Kit"? (toolkit that provides
login/register by SMS to third party apps)

------
ozim
I really liked it when people downvoted me when I wrote that Google pushing
for 2FA phone numbers is doing it to get your phone number. (they don't use it
for ads but lately I don't trust them, also 6mo ago I removed my FB)

In the end I gave Goog even 2 of my numbers because I am scared as hell to
lose access to my account. I got my Gmail account when it was in 'invite
only' so it is my main account for a long time. Have to move out of it soon.

------
yesenadam
Lately FB says when I go on there "Add a profile pic so people know who you
are". Huh? I've always had one.

~~~
pndy
Ha! I'm being constantly nagged whenever I visit fb (to see if those who can't
live anymore without it, didn't want something etc.) to update my details -
which I removed long ago; among that, they sometimes "suggest" updating a new
profile pic, which I haven't changed since end of 2014 - when I stopped wasting
time there

~~~
denzil_correa
The worst part about these updates is that you have two options - "Yes" and
"Not Now". The "No" option doesn't exist in their dictionary.

------
anoplus
Sadly, I believe Facebook will truly respect their users in the face of
backlash.

------
paul7986
So, Google is not doing this too?

How many of us use 2FA on our Google accounts?

------
subbz
Facebook (probably) using everything possible for ad targeting

------
macpete
That's what happens when you give a dog a bone

------
adam12
This should not be a surprise to anyone. Facebook is all about making money
with your info.

------
ricokatayama
cambridge, whatsapp founders, instagram founders, 2FA exploit and so on.
What's next for Mark? And actually what would be the trigger for people to
flee away?

~~~
justtopost
Slow boiling the frog. Those who can notice at this point already left.

------
wmeredith
It’s a cycle. Facebook has been doing nasty shit and apologizing for it since
2003. I’m starting to think they aren’t actually sorry.

[https://www.wired.com/story/why-zuckerberg-15-year-apology-t...](https://www.wired.com/story/why-zuckerberg-15-year-apology-tour-hasnt-fixed-facebook/)

~~~
MaxBarraclough
Right, because _Move fast and break stuff_ is their mantra. I'm surprised that
the article doesn't even mention it.

Perhaps _Move fast and hurt people_ would be more honest. I think it's rather
catchy.

~~~
splicer
Move fast and break stuff, like a bull in a china shop.

~~~
mitchellgoffpc
I like it! "Facebook: We're a bull in a china shop."

------
ddebernardy
The url should point to the Gizmodo article; not the sensationalizing tweet.

[https://gizmodo.com/facebook-is-giving-advertisers-access-to...](https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051)

The actual story is FB enriching your profile with shadow contact information
about you when you _or third parties_ provide it with details it wasn't aware
about yet. For instance when a friend of yours has your landline number in
their address book and gives FB access to the latter; or when an advertiser
provides FB with the same as part of targeting an ad campaign.

~~~
B-Con
Is this any surprise? Just a few hours ago the Acton article on the front
page[0] talked about them doing this in WhatsApp:

> Later he learned that elsewhere in Facebook, there were “plans and
> technologies to blend data.” Specifically, Facebook could use the 128-bit
> string of numbers assigned to each phone as a kind of bridge between
> accounts. The other method was phone-number matching, or pinpointing
> Facebook accounts with phone numbers and matching them to WhatsApp accounts
> with the same phone number.

> Within 18 months, a new WhatsApp terms of service linked the accounts and
> made Acton look like a liar.

Companies like this, and Facebook _in particular_, are desperate to connect
identities. Phone numbers are an incredibly useful way to do so. Most people
only have a couple of them, their re-use rate is slow, they get entered into
forms all over the place, and they're usually valid (because they were
provided as a primary method of contact).

In this case advertisers have an identity (and phone number), Facebook wants
to match on that value. They're going to do it any way they can.

It may not be ethical, but the carrot is right there and it's naive to think
you can give them your identifying number and they're going to turn a blind
eye to it.

[0]
[https://news.ycombinator.com/item?id=18074690](https://news.ycombinator.com/item?id=18074690)

~~~
close04
Wasn't one of the conditions to get the deal approved by EU regulators to NOT
share any data between services? [0] Did they just restart it because they
found reprieve or simply decided to ignore the regulation?

Edit. Also this [1]. Does GDPR suddenly open the door for sharing this data
"legitimately"?

[0]
[https://www.ft.com/content/951d650e-abf5-11e6-9cb3-bb8207902...](https://www.ft.com/content/951d650e-abf5-11e6-9cb3-bb8207902122)

[1]
[https://www.theguardian.com/technology/2018/mar/14/whatsapp-...](https://www.theguardian.com/technology/2018/mar/14/whatsapp-sharing-user-data-facebook-illegal-ico-gdpr)

~~~
B-Con
According to the article it was one of the conditions and they paid ~$100-200M
(IIRC) in fines for breaching it.

Which furthers my point, that Facebook will jump on any carrot in front of it.

------
anilakar
This is exactly the kind of abuse that GDPR is designed to curtail.

~~~
amelius
Small question: how do you prove it, adequately for a court of law?

I imagine that to prove it, you'd have to make several accounts, with several
phone numbers, and somehow demonstrate to a judge that the information leaks
through. Not an easy task.

~~~
tumetab1
It's "easy".

1. Ask for the judge's phone number.
2. Register a new account with the judge's phone number (clean browser, no friends added or pages liked).
3. See friend recommendations from the judge in this new FB profile.

~~~
dwighttk
Wouldn't be surprised if FB kept a list of regulators and judges whose
information is treated differently from the rest of us.

------
tajen
I didn’t give Facebook my phone, my email has timed out (and Facebook knows
it; it deactivated my email) and I forgot my password, more or less
intentionally. So the only thing tying me to Facebook is my browser cookie. I
have to say, I’m surprised I’ve been able to keep this account open for years
in this state; it’s almost as if they really wanted me to stay. But it’s
possible to keep a Facebook account alive with no accurate contact
information.

------
senectus1
[https://www.gizmodo.com.au/2018/09/facebook-is-giving-advert...](https://www.gizmodo.com.au/2018/09/facebook-is-giving-advertisers-access-to-your-shadow-contact-information/)

------
mtgx
Google has been pushing SMS 2FA a little more aggressively over the past
couple of years, too. And I think Apple made it "easier to use SMS 2FA" in iOS
12 for the same reason.

I also said before that this is _exactly_ why Facebook wanted to "verify
people's faces for security purposes", too. It just seemed so obvious to me
that Facebook would use security as an excuse to get people to put their own
100% accurate face scans into Facebook. It's also because Facebook used the
same excuse with the shadow tracking (it's for your own good!), which is as
ridiculous as Google claiming Analytics is for website visitors' own good.

~~~
matwood
> And I think Apple made it "easier to use SMS 2FA" in iOS 12 for the same
> reason.

Wait. You think Apple is selling your phone number to advertisers?

~~~
jeromegv
That person is confusing different things.

Apple is making it easier to use SMS 2FA in iOS 12 (automated copy-paste).

However Apple itself doesn’t use SMS for 2FA.

As for Apple they had your phone number since the launch of the iPhone (!).
Never needed 2FA to know it.

And no, Apple isn’t selling your phone number.

~~~
MrEfficiency
> Apple isn’t selling your phone number.

Until they have bad iphone sales.

Given Apple's less than stellar track record toward developers, employees, and
customers, Apple will do things for Apple.

~~~
arcticbull
No dude, Apple has an excellent track record for privacy of customer data.
They don't share anything with anyone else, intentionally. It's a walled-in
garden. They have always, and continue to, view themselves as a hardware
company. They make money on hardware sales. I mean look at their margins. Any
such activity, if called out, may lower their hardware sales.

~~~
MrEfficiency
You must be new to Capitalism and Apple.

------
tomlock
I'm surprised people didn't know this... this has been happening for at least
4 years through custom audiences. An advertiser can upload a list of mobile
numbers or email addresses to target people.

~~~
lmedinas
Actually this should be an act of "good faith" where you are adding a layer of
security to your account and not about making even more harm to your account.

------
jarfil
Phone numbers were not a secure 2FA anyway, and I've been using the TOTP
alternative since it's been available... but I don't really see a problem with
them using whatever to show "more relevant ads", if you don't want ads just
use an ad blocker.

~~~
underwater
Likewise, passwords fail to protect against a whole class of attacks. I don’t
know why Facebook still uses them.

~~~
jarfil
Phone numbers fail against remote third party undetectable attacks with O(1)
complexity. You'd have to use a password like "1234" to fail like that.

------
oxymoran
I was purging my life of all things Google (Facebook went first), so I was
changing my email addresses under all my various accounts. An odd thing
happened when I was changing my info for my Microsoft account: they texted me
as a security precaution. The only problem is that I NEVER gave Microsoft my
phone number. I do not have 2FA set up. In my contact details, there is a
blank for my phone number. WTF Microsoft.

~~~
joering2
What kind of cooperation level did YOU expect from a $240MM check?

[http://www.nbcnews.com/id/21458486/ns/business-us_business/t...](http://www.nbcnews.com/id/21458486/ns/business-us_business/t/microsoft-invests-million-facebook/)

------
megaman8
I think it's much worse when HTC places ads on your phone via bloatware apps
that can't be uninstalled. That's absolutely vicious and hardly ever gets any
press time. But, oh, Facebook makes a minor little slip-up, and they even FIX
the problem, and everyone loses their heads over it.

~~~
darpa_escapee
One of the bloatware apps that I can't remove from my phone is Facebook :)

Thanks, Sprint!

