Facebook could be breaking EU law by using shadow data for ads

By Steven Melendez

September 27, 2018

If you provide your phone number to Facebook to secure your account with two-factor authentication, or someone you know uploads your number as part of their cell-phone contact list, advertisers can use that number to target you with ads, researchers have found.
On Wednesday, Gizmodo reporter Kashmir Hill wrote that she successfully targeted an ad to Northeastern University computer science professor Alan Mislove using his office landline number, which he never provided to Facebook. Facebook and Instagram allow advertisers to upload lists of phone numbers or email addresses to target with ads as part of Facebook’s “custom audiences” feature; the social network can then match those to data it has already collected to pinpoint the correct user.

Facebook previously denied that contact information from users’ “shadow profiles” could be used to target ads, then confirmed that it was possible after hearing of Hill’s experiment with Mislove, she wrote. Users can’t get access to the set of contact information Facebook has associated with them based on other people’s contact lists, the company told Hill, and users have reportedly had difficulty accessing it under Europe’s General Data Protection Regulation, or GDPR, which requires companies to turn over personal data they have collected upon request. People setting up two-factor authentication on Facebook can use a technique that doesn’t require a phone number, though that feature was only launched in May.

The advertising feature drew criticism on social media after it was disclosed by Gizmodo, with some arguing that using the two-factor numbers and contact data for ad targeting could violate GDPR. Apart from the general requirement that people can review data about themselves, the regulation says that data must not be used for purposes users haven’t authorized. Others in the tech industry have predicted Facebook could face consequences under the regulation, reports the U.K. tech publication Verdict.

“This poor practice of personal data collection is surely going to find companies such as Facebook being a target from the EU,” Joseph Carson, chief security scientist at Washington, D.C., cybersecurity company Thycotic, told Verdict. “If Facebook is indeed selling personally identifiable information to marketers without consent and the marketers use that data to target EU citizens both companies will be liable under EU GDPR and not just Facebook, as failure to gather consent from 3rd party sources is also a failure to comply with EU GDPR.”

How the system might work across Facebook, Instagram

Facebook holds a patent on “associating received contact information with user profiles stored by a social networking system,” which describes joining third-party contact information to user profiles to generate friend recommendations:

Diagram from a 2012 Facebook patent

“After associating contact information from a stored contact entry with a user profile, contact information from subsequently received contact entries is compared to information in the user profile and the associated contact information. Hence, if information in either the user profile or the associated stored content entry matches a portion of the contact information from a subsequently received contact entry, the connection suggestion module [described in the patent] identifies that the user profile matches the subsequently received contact entry.”
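To make the matching rule in that passage concrete, here is an added illustration (not code from Facebook or from the patent) of how an identifier a user never supplied can still resolve to their profile once someone else’s uploaded contact entry has been associated with it. All names, numbers and the `UserProfile` / `custom_audience_hits` helpers are constructed for this example; a real system would compare hashed values, which is omitted here.

```python
from dataclasses import dataclass, field


def normalize(value: str) -> str:
    """Canonicalise an email (lower-case) or phone number (digits only) so formatting differences still match."""
    v = value.strip().lower()
    if "@" in v:
        return v
    return "".join(ch for ch in v if ch.isdigit())


@dataclass
class UserProfile:
    name: str
    provided: set                                 # identifiers the user gave the service (e.g. a 2FA phone)
    associated: set = field(default_factory=set)  # identifiers joined in from other people's uploads


def match_profile(profiles, identifiers):
    """Patent-style rule: a contact entry matches a profile if any identifier overlaps
    either the profile's own data or contact data already associated with it."""
    ids = {normalize(x) for x in identifiers}
    for p in profiles:
        if ids & (p.provided | p.associated):
            return p
    return None


def ingest_contact_entry(profiles, identifiers):
    """Associate every identifier of a matching uploaded entry with that profile (the 'shadow' data)."""
    p = match_profile(profiles, identifiers)
    if p is not None:
        p.associated |= {normalize(x) for x in identifiers} - p.provided
    return p


def custom_audience_hits(profiles, advertiser_list):
    """Which uploaded advertiser identifiers resolve to a user, via provided OR associated data."""
    return {ident: p.name for ident in advertiser_list
            if (p := match_profile(profiles, [ident])) is not None}


def build_sample():
    # Constructed sample data: no real people or numbers.
    alan = UserProfile("alan", provided={normalize("+1 555 010 0001")})  # mobile given for 2FA
    bea = UserProfile("bea", provided={normalize("bea@example.com")})
    profiles = [alan, bea]
    # A colleague uploads an address-book entry listing Alan's mobile AND his office landline.
    ingest_contact_entry(profiles, ["+1 555 010 0001", "(555) 010-9999"])
    return profiles
```

Running `custom_audience_hits(build_sample(), ["555-010-9999"])` resolves the landline to Alan even though only the colleague ever uploaded it; without that upload the same list matches no one.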

The patent doesn’t address advertising, and Facebook didn’t respond to an inquiry from Fast Company, including about whether the patented technology matches its practices. It’s unclear to what extent the same ad targeting would be possible on Facebook-owned Instagram. The two networks share common advertising services, and Instagram also tells users it uses uploaded contacts for friend suggestions.

“Only you can see your contacts, but Instagram uses the info you’ve uploaded about your contacts to make friend suggestions for you and others and to provide a better experience for everyone,” according to Instagram documentation.

Facebook in general has come under fire for its data privacy and ad targeting practices in recent months, including criticism over data sharing with political firm Cambridge Analytica and allegations the company’s ad targeting can violate rules on discrimination in housing and job ads. Top executives have vowed to do more to protect users’ data and help them understand how it’s used by the service.

“We have a responsibility to protect your data, and if we can’t, then we don’t deserve to serve you,” CEO Mark Zuckerberg wrote in March.