Security researchers say they have confirmed that Facebook is using ‘shadow data’ to target users of its service for advertising purposes, a move which one commentator has branded as a violation of the principles of GDPR.
The General Data Protection Regulation (GDPR) requires holders of personal data to get explicit permission to gather personal data and then allow users to know what data is held on them and to opt out of its use for specific purposes.
The researchers said that Facebook is taking data uploaded by one user and then matching that to another user for the purpose of targeting the second user with advertising.
The researchers are Giridhari Venkatadri (lead author), Piotr Sapiezynski and Alan Mislove, all from Northeastern University, and Elena Lucherini from Princeton University in the US.
In an article on Gizmodo, the writer conducted an experiment with one of the researchers. She bought an advert from Facebook that was designed to target the security researcher using just his phone number, a bit of data that he had never uploaded to Facebook.
The advert showed up in his feed within hours. The researchers identified a number of ways that shadow data is being linked to users.
In their paper, the authors showed that when a user gave a telephone number for two-factor authentication (2FA), the information became targetable within 22 days, demonstrating that "a phone number provided for 2FA was indeed used for PII-based advertising, despite our account having set the privacy controls to the most restrictive choices".
The researchers also tested how data provided for unrecognised login alerts might become targetable. They added a telephone number and email address for alerts and found that this data became targetable after 17 days.
They could find no information on the site to warn users that supplying this information would enable Facebook to use it to target ads at them. Facebook upgraded its 2FA four months ago to allow users to use other channels apart from their phones and email, but these remain as options.
The researchers also investigated whether Facebook could get PII without a user’s knowledge, such as by another user uploading their contact details. "Such use would be particularly pernicious because it involves PII that a user is not even aware Facebook has, and which additionally could be inaccurate (as it is not verified by the user)," the paper said.
They synced a Facebook Messenger account containing the full name and email of one of the researchers (data for which was already in Facebook) and included a previously unused telephone number. They discovered that the phone number was linked to the researcher’s account and targetable for advertising within 36 days, "showing that it had indeed been linked to the corresponding author’s account without their knowledge," the research paper said.
Venkatadri told Gizmodo that it was surprising that Facebook was using data "that was not directly provided by the user, or even revealed to the user".
The researchers also found evidence that user data was being leaked through ‘audience reach’ estimates. Although Facebook changed the interface after being alerted by the researchers, the replacement system, ‘audience size’, may still be susceptible to leakage, but it would require more research to determine the extent of this, the paper said.
Alan Duric, co-founder of instant messaging service Wire based in Switzerland, said, "The law clearly states that any data collected must have a consent from an individual beforehand and it must be clear why and how the data will be used. Using people’s phone numbers to target adverts without any permission is therefore a direct breach of GDPR.
"Facebook is following its motto from early days ‘move fast and break things’ when it comes to data protection and the GDPR. Their business model is simply non-compatible with privacy and clearly they’re willing to take risks and not follow the rules."
A Facebook spokesman told SC Magazine UK, "We use the information people provide to offer a better, more personalised experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you've uploaded at any time."
Facebook said that phone numbers uploaded for security purposes would only receive security-related messages. It says its data practices are spelled out in its data policy and that it is therefore not trying to hide anything.
Any decision to investigate Facebook for potential breaches of GDPR would have to be taken by a data regulator in a European Union member state. SC Magazine UK asked the UK data regulator, the Information Commissioner’s Office, for comment but it has yet to respond.