Criminal Behavior: How Facebook Steals Your Security Data to Violate Your Privacy

One of the most fundamental and crucial aspects of proper privacy implementations is the basic concept of “data compartmentalization” — essentially, assuring that data collected for a specific purpose is only used for that purpose.

Reports indicate that Facebook is violating this concept in a way that is directly detrimental to both the privacy and security of its users. I’d consider it criminal behavior in an ethical sense. If it isn’t already actually criminal under the laws of various countries, it should be.

There’s been much discussion over the last few days about reports (confirmed by Facebook, as far as I can determine) that Facebook routinely abuses their users’ contact information, including phone numbers provided by users, to ad target other users who may never have provided those numbers in the first place. In other words, if a friend of yours has your number in his contacts and lets Facebook access it, Facebook considers your number fair game for targeting, even though you never provided it to them or gave them permission to use it. And you have no way to tell Facebook to stop this behavior, because your number is in someone else’s contacts address book that was shared and is under their control, not yours.

This abuse by Facebook of “shadow contacts” is bad enough, but is actually not my main concern for this post today, because Facebook is also doing something far worse with your phone numbers.

By now you’ve probably gotten a bit bored of my frequent posts strongly urging that you enable 2sv (two-step verification, 2-factor verification) protections on your accounts whenever this capability is offered. It’s crucial to do this on all accounts where you can. Just a few days ago, I was contacted by someone who had failed to do this on a secondary account that they rarely used. That account has now been hijacked, and he’s concerned that someone could be conducting scams using that account — still in his name — as a home base for frauds.

It’s always been a hard sell to get most users to enable 2sv. Most people just don’t believe that they will be hacked — until they are and it’s too late (please see: “How to ‘Bribe’ Our Way to Better Account Security” – https://lauren.vortex.com/2018/02/11/how-to-bribe-our-way-to-better-account-security).

While among the various choices that can be offered for 2sv (phone-based, authenticator apps, U2F security keys, etc.) the phone-based systems offer the least security, 2sv via phone-based text messaging still greatly predominates among users with 2sv enabled, because virtually everyone has a mobile phone that is text messaging capable.

But many persons have been reluctant to provide their mobile numbers for 2sv security, because they fear that those numbers will be sold to advertisers or used for some other purpose than 2sv.

In the case of Google, such fears are groundless. Google doesn’t sell user data to anyone, and the phone numbers that you provide to them for 2sv or account recovery purposes are only used for those designated purposes.

But Facebook has admitted that they are taking a different, quite horrible approach. When you provide a phone number for 2sv, they feel free to use it as an advertising targeting vector that feeds into their “shadow contact” system that I described above.

This is, as I suggested, so close to being criminal as to be indistinguishable from actual criminality.

When you provide a phone number for 2sv account security to Facebook, you should have every expectation that this is the ONLY purpose for which that phone number will be used!

By violating the basic data compartmentalization concept, Facebook actually encourages poor security practices, by discouraging the use of 2sv by users who don’t want to provide their phone numbers for commercial exploitation by Facebook!

Facebook will say that they now have other ways to provide 2sv, so you can use 2sv without providing a phone number.

But they also know damned well that most people do use mobile phones for 2sv. There are very large numbers of people who don’t even have smartphones, just simple mobile phones with text messaging functions. They can’t run authenticator apps. Security keys are only now beginning to make slow inroads among user populations.

So Facebook — in sharp contrast to far more ethical companies like Google who don’t treat their users like sheep to be fleeced — is offering vast numbers of Facebook users a horrible Hobson’s choice — let us exploit your phone number for ad targeting, or suffer with poor security and risk your Facebook account being hijacked.

This situation, piled on top of all the other self-made disasters now facing Facebook, help to explain why I don’t have a Facebook account.

I realize that Facebook is a tough addiction to escape. “All my friends and family are on there!” is the usual excuse.

But if you really care about them — not to mention yourself — you might consider giving Facebook the boot for good and all.

–Lauren–