Facebook Is Giving Advertisers Access to Your Shadow Contact Information

Kashmir Hill Sep 27, 2018. 16 comments

Last week, I ran an ad on Facebook that was targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn’t work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove’s office, a number Mislove has never provided to Facebook. He saw the ad within hours.

One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a “custom audience.”

You might assume that you could go to your Facebook profile and look at your “contact and basic info” page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it’s going about it in a less transparent and more invasive way.

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.” I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

Facebook is not upfront about this practice. In fact, when I asked its PR team last year whether it was using shadow contact information for ads, they denied it. Luckily for those of us obsessed with the uncannily accurate nature of ads on Facebook platforms, a group of academic researchers decided to do a deep dive into how Facebook custom audiences work to find out how users’ phone numbers and email addresses get sucked into the advertising ecosystem.

Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser. They came up with a novel way to detect whether that information became available to advertisers by looking at the stats provided by Facebook about the size of an audience after contact information is uploaded. They go into this in greater length and technical detail in their paper.

They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network. When asked about this, a Facebook spokesperson said that “we use the information people provide to offer a more personalized experience, including showing more relevant ads.” She said users bothered by this can set up two-factor authentication without using their phone numbers; Facebook stopped making a phone number mandatory for two-factor authentication four months ago.

The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later. Ben can’t access his shadow contact information, because that would violate Anna’s privacy, according to Facebook, so he can’t see it or delete it, and he can’t keep advertisers from using it either.

The lead author on the paper, Giridhari Venkatadri, said this was the most surprising finding, that Facebook was targeted ads using information “that was not directly provided by the user, or even revealed to the user.”

I’ve been trying to get Facebook to disclose shadow contact information to users for almost a year now . But it has even refused to disclose these shadow details to users in Europe, where privacy law is stronger and explicitly requires companies to tell users what data it has on them. A UK resident named Rob Blackie has been asking Facebook to hand over his shadow contact information for months, but Facebook told him it’s part of “confidential” algorithms, and “we are not in a position to provide you the precise details of our algorithms.”

“People own their address books,” a Facebook spokesperson said by email. “We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them.”

To test the shadow information finding, the researchers tried a real-world test. They uploaded a list of hundreds of landline numbers from Northeastern University. These are numbers that people who work for Northeastern are unlikely to have added to their accounts, though it’s very likely that the numbers would be in the address books of people who know them and who might have uploaded them to Facebook in order to “find friends.” The researchers found that many of these numbers could be targeted with ads, and when they ran an ad campaign, the ad turned up in the Facebook news feed of Mislove, whose landline had been included in the file; I confirmed this with my own test targeting his landline number.

“It’s likely that he was shown the ad because someone else uploaded his contact information via contact importer,” a Facebook spokesperson confirmed when I told the company about the experiment.

Facebook did not dispute any of the researchers’ findings. “We outline the information we receive and use for ads in our data policy, and give people control over their ads experience including custom audiences, via their ad preferences,” said a spokesperson by email. “For more information about how to manage your preferences and the type of data we use to show people ads see this post.”

In that post, “Hard Questions: What Information Do Facebook Advertisers Know About Me?”, Facebook’s vice president of ads Rob Goldman discusses how advertising works on Facebook and what you can do if “I don’t want my data used to show me ads.” The post doesn’t mention the surprising collection or use of contact information for targeted advertising that the researchers discovered.

I think that many users don’t fully understand how ad targeting works today: that advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc,” said Mislove. “In describing this work to colleagues, many computer scientists were surprised by this, and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.”

While Facebook isn’t upfront about which of your contact information it uses for ads, it is upfront about which advertisers are getting access to you with it. Facebook’s “ad preferences” page has a section devoted to “advertisers you’ve interacted with” where it will show you which advertisers have you in their contact list. My own list has over 300 advertisers on it, very few of whom to which I remember consciously giving my contact information—but if I did it would likely have been a junk email address so that I never had to hear from them again. Mislove says Facebook could be far more transparent here:

“Facebook could also reveal to users which [personal information] was used to target the delivered ad, helping users understand how their [information] is used by advertisers,” said Mislove by email. In other words, Facebook could tell me which email address or phone number all these advertisers have on me. With the involvement of shadow contact information, though, Facebook may have been avoiding that because it doesn’t want me to know what personal information Facebook has on me.

Contact the Special Projects Desk

This post was produced by the Special Projects Desk of Gizmodo Media. Email us at tips@gizmodomedia.com, or contact us securely using SecureDrop.

There are certainly creepier practices happening in the advertising industry, but it’s troubling this is happening at Facebook because of its representations about letting you control your ad experience. It’s disturbing that Facebook is reducing the privacy of people who want their accounts to be more secure by using the information they provide for that purpose to data-mine them for ads. And it’s also troubling to discover another way in which shadow contact information is used, beyond friend recommendations , given that Facebook doesn’t let users see this information about themselves or let them delete it.

Mislove thinks Facebook can make its platform more transparent by telling users everything it knows about them, including all the contact information it’s gathered from various sources, and how that information gets used. He suggests that Facebook let users see all the data it has on them and then let them specify whether it is correct and whether advertisers can use it.

Facebook has claimed that users already have extensive control over what information is made available to advertisers, but that’s not entirely true. When I asked the company last year about whether it used shadow contact information for ads, it gave me inaccurate information, and it hadn’t made the practice clear in its extensive messaging to users about ads. It took academic researchers performing tests for months to unearth the truth. People are increasingly paranoid about the creepy accuracy of the ads they see online and don’t understand where the information is coming from that leads to that accuracy. It seems that, when it came to this particular practice, Facebook wanted to keep its users in the dark.


Other Kashmir Hill's posts

Apple's battle with the FBI: All your questions answered Apple's battle with the FBI: All your questions answered

My news feed is filled with people talking about Apple, the FBI, the DOJ and iPhone unlocking. What the hell is going on?The FBI has an iPhone left behind by San Bernardino shooter Syed Farook, who, along with his wife, killed 14 people and injured others at his workplace in December. The FBI wants to unlock the phone so...

You can now call or text anyone with end-to-end encryption, for free You can now call or text anyone with end-to-end encryption, for free

For years, smartphone users have been out of luck if they wanted to call or text everyone in their address books for free using encryption. iPhone users could send each other encrypted texts with iMessage, and free apps existed to help Android users communicate with each other securely. But there was no way to send secure messages from an iPhone to...

Tor users captured by CMU had 'no reasonable expectation of privacy' Tor users captured by CMU had 'no reasonable expectation of privacy'

Your browser does not support HTML5 video tag.Click here to view original GIFKent Hernandez/FusionTwo years ago, researchers affiliated with Carnegie Mellon University bragged that they had "broken" Tor, software designed to allow people to use and browse the web more privately. The revelation threw the privacy and security community into a tizzy, as the researchers claimed to have de-anonymized "hundreds of...

Twitter bans nonconsensual intimate photos, a.k.a. 'revenge porn' Twitter bans nonconsensual intimate photos, a.k.a. 'revenge porn'

It has historically been a nightmare if nude or intimate photos of you made their way out onto the Internet. Beyond the sheer embarrassment of exposure, it was very, very hard to get those photos removed. If pleas to websites to take down revealing pics posted by vengeful exes or hackers didn't work, women — and occasionally men — resorted to...

Suggested posts

¿Desaparecieron los likes de tu Instagram? Esto es lo que está pasando ¿Desaparecieron los likes de tu Instagram? Esto es lo que está pasando

Instagram ha anunciado hoy que eliminará el contador de “me gustas” en algunas cuentas a nivel global. La plataforma ya había probado este cambio en Irlanda, Italia, Japón, Brasil, Australia y Nueva Zelanda, pero ha decidido hacer un último test en todo el mundo antes de implementarlo definitivamente.Si eres uno de los elegidos para la prueba, dejarás de ver...

All the Best Video Calling Options, Ranked All the Best Video Calling Options, Ranked

We now have the technology—and the broadband and cellular speed—to see each other when we want to chat. And when it comes to video-calling apps, you’ve got a plethora of options to pick from on phones, laptops, and even TVs. Here are the ones we like the most, ranked.1) Microsoft SkypeAvailable on: web, Windows, macOS, Linux, Android, iOS, Xbox,...

Forget Credit Cards, Google's Looking to Open Its Own Checking Accounts Forget Credit Cards, Google's Looking to Open Its Own Checking Accounts

This year saw plenty of tech giants dabble in finance. Apple released its credit card , Facebook just launched a Venmo competitor and is trying to get its Libra cryptocurrency off the ground, and now Google is reportedly mulling offering a financial product of its own—checking accounts.The project, according to a Wall Street Journal exclusive, is titled Cache and...

How to Watch the Trump Impeachment Hearings Today on YouTube, Facebook, and More How to Watch the Trump Impeachment Hearings Today on YouTube, Facebook, and More

The impeachment hearings against President Donald Trump start today in Washington, D.C. at 10 am ET/ 7 am PT. And even if you’re not near a TV, you can watch it all unfold on YouTube, Facebook, Twitter, and more, with our links below.The central question at today’s hearings is whether President Trump tried to get the President of Ukraine,...

A Brief Explanation of Facebook's Scary New iPhone Bug A Brief Explanation of Facebook's Scary New iPhone Bug

A handful of folks recently spotted an unwelcome addition to the Facebook app for iPhone. Some stray swipes on the News Feed would inexplicably reveal the viewfinder for the phone’s rear camera. It’s unclear if the camera was recording, but there it was lurking in the background of an app that’s infamous for running all kinds of unwanted processes...

Instagram Is Coming for TikTok's Head By Copying Its Best Features Instagram Is Coming for TikTok's Head By Copying Its Best Features

First, Instagram killed Snapchat when it cribbed its Stories feature . Now, the social media platform is reportedly gunning for TikTok with a new format called Reels.First spotted by TechCrunch, Reels is currently being rolled out in Brazil. Available on both iOS and Android, the feature lets users record 15-second clips that can then be set to music. Users...

How to Make Your Social Media Feeds About More Than Just Your Boring Friends How to Make Your Social Media Feeds About More Than Just Your Boring Friends

Remember when opening up social networking apps was exciting? Now, all your friends seem to post about is politics / their baby / their side business / what they’re eating. The good news is that the best social apps go way beyond your friends and family—there’s interesting content out there if you know where to find it.Instagram is a...

Sheryl Sandberg Thinks You’re an Idiot Sheryl Sandberg Thinks You’re an Idiot

In the face of undiminishing backlash over a decision to accept money from politicians in exchange for propagating their campaign lies, Facebook has been doubling down, launching its own duplicitous campaign. The aim apparently is to convince the world that Facebook is serving some higher calling, defending the rights of people everywhere to say what they want, when they...

Hero Politician Shuts Down Heckler With 'OK Boomer' During Climate Speech in New Zealand Hero Politician Shuts Down Heckler With 'OK Boomer' During Climate Speech in New Zealand

Chlöe Swarbrick, a 25-year-old member of New Zealand’s parliament, was interrupted by another politician while giving a speech about climate change on Tuesday. And rather than stop everything to address the heckles, she did what anyone of her generation has learned to do when confronted with climate deniers. She said “OK Boomer” and moved on.“How many world leaders, for...

Dinner at Zuckerberg's Leaves Civil Rights Organizers 'Cautiously Hopeful' Dinner at Zuckerberg's Leaves Civil Rights Organizers 'Cautiously Hopeful'

After seven years of lobbying Facebook to address the rampant hatred that continues to choke the most powerful social media platform in the world, top officials at several prominent civil rights organizations on Monday finally got a meeting with the boss.Many, including Muslim Advocates and Color of Change, are members of a coalition whose focus is pushing Facebook to...