Kashmir Hill writing for Gizmodo:
They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.
The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number…about a month later. Ben can’t access his shadow contact information, because that would violate Anna’s privacy, according to Facebook, so he can’t see it or delete it, and he can’t keep advertisers from using it either.
As it turns out, advertisers have the capability to track and advertise to you based on your phone number. You don’t even have to provide said number to Facebook, either.
And they’re not even denying it:
“It’s likely that he was shown the ad because someone else uploaded his contact information via contact importer,” a Facebook spokesperson confirmed when I told the company about the experiment.
Facebook did not dispute any of the researchers’ findings. “We outline the information we receive and use for ads in our data policy, and give people control over their ads experience including custom audiences, via their ad preferences,” said a spokesperson by email. “For more information about how to manage your preferences and the type of data we use to show people ads see this post.”
As Facebook would like to put it: sucks to be you!