Study Shows Facebook's Still Miles Away From Taking Privacy, Transparency Seriously

from the ill-communication dept

If the entire Cambridge Analytica scandal didn't make that clear enough, Facebook keeps doubling down on behaviors that highlight how security and privacy routinely play second fiddle to user data monetization. Like the VPN service Facebook pitches to users as a privacy and security solution, but which is actually used to track users' online behavior when they wander away from Facebook to other platforms. Or that time Facebook implemented two-factor authentication, only to use the (purportedly private) phone number you provided to spam users (a problem Facebook stated was an inadvertent bug).

This week, a new report highlighted how Facebook is letting advertisers market to Facebook users by using contact information collected in surprising ways that aren't entirely clear to the end user, and, according to Facebook, aren't supposed to work. That includes not only two-factor authentication contact info users assume to be private, but data harvested from other users about you (like secondary e-mail addresses and phone numbers not directly provided to Facebook). The findings come via a new report (pdf) by Northeastern University's Giridhari Venkatadri, Alan Mislove, and Piotr Sapiezynski and Princeton University's Elena Lucherini.

In it, the researchers highlight how much of the personally identifying information (PII) collected by Facebook still isn't really explained by Facebook outside of painfully generic statements. This data in turn can be used to target you specifically with ads, and there's virtually no transparency on Facebook's part in terms of letting users see how this data is being used, or providing fully operational opt-out systems:

"Worse, we found no privacy settings that directly let a user view or control which PII is used for advertising; indeed, we found that Facebook was using the above PII for advertising even if our control account user had set the existing PII-related privacy settings on to their most private configurations. Finally, some of these phone numbers that were usable to target users with did not even appear in Facebook’s “Access Your Data” feature that allows users to download a copy of all of their Facebook data as a ZIP file."

Again, this includes the use of two-factor authentication (2FA) credentials that Facebook has previously stated aren't supposed to be used for marketing purposes. It's something that Facebook has repeatedly claimed doesn't happen:

"Facebook is not upfront about this practice. In fact, when I asked its PR team last year whether it was using shadow contact information for ads, they denied it."

User efforts to glean more transparency from Facebook haven't fared well either, even in the UK where the GDPR was supposed to have put an end to this kind of cavalier treatment of user data:

"I’ve been trying to get Facebook to disclose shadow contact information to users for almost a year now. But it has even refused to disclose these shadow details to users in Europe, where privacy law is stronger and explicitly requires companies to tell users what data it has on them. A UK resident named Rob Blackie has been asking Facebook to hand over his shadow contact information for months, but Facebook told him it’s part of “confidential” algorithms, and “we are not in a position to provide you the precise details of our algorithms.”"

And again, this is a company in the wake of several major privacy scandals, attempting to avoid heavy-handed privacy regulations on both the state and federal level, making you wonder what it looks like when Facebook truly doesn't give a damn.


Reader Comments


  • This comment has been flagged by the community.
    Watts Aldis-Den, 28 Sep 2018 @ 6:53am

    Techdirt's usual whining, not even token call to BREAK IT UP.

    Because part of the surveillance / propaganda state, as is GOOGLE, which Fascism masnicks promote, Facebook will NEVER face anti-trust.

    Facebook's New Propaganda Partners https://fair.org/home/facebooks-new-propaganda-partners/

    Oh, I know: it's not a "monopoly" so don't worry about it! Sheesh! But what's even the basis of this piece if not that any ordinary person believes Facebook has too much power and is indifferent to the wishes of users?

    If don't call for curative action, then don't bother to complain. -- And we KNOW after 20 years of shilling that Techdirt is NOT going to advocate any measures that'd reduce corporate profits or power. This piece is more "proof" that Techdirt criticizes corporations, but since NEVER has any hint of action, is mere clickbait.

    • Gary, 28 Sep 2018 @ 7:08am

      Re: Techdirt's usual high quality work

      The article was on point and well written.
      And I don't see you actually disputing the content of the article - only lamenting the lack of your own agenda being included.

      Please point us to your website so we can see your articles on this topic.

    • Anonymous Coward, 28 Sep 2018 @ 8:01am

      Homework: Substantiate your claims

      Because part of the surveillance / propaganda state, as is GOOGLE, which Fascism masnicks promote, Facebook will NEVER face anti-trust.

      Please define Fascist as you are using it. Please note any differences between your definition and the dictionary definition, for clarity.

      Please then provide links/evidence that support Masnick promoting this. Be specific, there are no points for partial answers.

      Facebook's New Propaganda Partners https://fair.org/home/facebooks-new-propaganda-partners/

      There is a "Submit a Story" link on every Techdirt page. If you feel it's newsworthy, you can use that link to bring it to TechDirt's attention.

      _Oh, I know: it's not a "monopoly" so don't worry about it! Sheesh! But what's even the basis of this piece if not that any ordinary person believes Facebook has too much power and is indifferent to the wishes of users?_

      _If don't call for curative action, then don't bother to complain. -- And we KNOW after 20 years of shilling that Techdirt is NOT going to advocate any measures that'd reduce corporate profits or power. This piece is more "proof" that Techdirt criticizes corporations, but since NEVER has any hint of action, is mere clickbait._

      Please provide positive support that anti-trust actions against Facebook would A) be legally viable under existing anti-trust law, and B) actually solve the issue of potential privacy violations.

      Please additionally advise how pointing out the behavior and heavily implying this is problematic and that Facebook should not be doing this in light of recent privacy scandals is not a form of calling for curative action.

      If the idea is that the article has a lack of proffered solution, please advise why you do not also apply the same criteria to the fair.org article linked. Charitably speaking, that article suggests bad behavior, warns people to be wary, and suggests they oppose it, but does not proffer any actual solution to the perceived problem.

      Again, there is no credit for partial answers.

      I look forward to your well-thought, considered, and above all courteous reply.

      • Anonymous Coward, 28 Sep 2018 @ 11:52pm

        Re: Homework: Substantiate your claims

        Potential privacy problems?? You seem too pissed to be joking.. Here's a solution.. dissolve the terrible corporation.

        • R.H., 30 Sep 2018 @ 8:57pm

          Re: Re: Homework: Substantiate your claims

          Would that be legal under existing antitrust law? I don't think that American antitrust law has any provisions for the dissolution of a corporate charter for much short of defrauding its shareholders or egregious lies in SEC filings. I'm only a broker (by licensing though I don't do it full time), not a corporate lawyer so, I might be missing something.

    • Anonymous Coward, 28 Sep 2018 @ 3:13pm

      Re: Techdirt's usual whining, not even token call to BREAK IT UP.

      What would you "break up" Facebook into?

  • Christenson, 28 Sep 2018 @ 8:32am

    2FA info is a *confidential* secret

    Dear Facebook:
    Since you've made most of our lives an open book, don't you think that revealing my 2FA information to third parties facilitates identity theft???

    If you want it secret, don't tell Facebook!

    • Anonymous Coward, 28 Sep 2018 @ 8:58am

      Re: 2FA info is a *confidential* secret

      It's pretty unconscionable. If it can be accessed by people other than facebook, then someone looking to steal your facebook identity knows what number to target for SIM hijacking.

      Boom - you no longer own your own facebook account. And then whoever hijacked it can download all your data.

      • Anonymous Coward, 28 Sep 2018 @ 10:20am

        Re: Re: 2FA info is a *confidential* secret

        Not if you give them the phone number to pizza hut

        • Anonymous Coward, 28 Sep 2018 @ 11:16am

          Re: Re: Re: 2FA info is a *confidential* secret

          Then you cannot get the text that allows you to login.

          • Anonymous Coward, 28 Sep 2018 @ 12:32pm

            Re: Re: Re: Re: 2FA info is a *confidential* secret

            huh ... bah bye

          • The Wanderer, 30 Sep 2018 @ 10:06am

            Re: Re: Re: Re: 2FA info is a *confidential* secret

            Easy solution: just maintain two phone numbers, and use one of them only for sign-up texts like that, never for anything else!

            ...of course, that means paying for the additional phone and number, which not everyone will be able to afford to do... and it's likely that whoever you give the number to for a sign-up text will also store it in case they need to contact you later... but who ever said the solution was perfect?

  • OnThoseThatParticipate, 28 Sep 2018 @ 9:14am

    ItsOnTheUsers

    Friends don't let friends use Facebook.

    That's the simple solution.

  • Pixelation, 28 Sep 2018 @ 10:11am

    They do take it seriously.

    They have no intention of giving it back.

  • homerlovesflanders, 28 Sep 2018 @ 4:45pm

    Srly, why would anyone use Facebook's VPN over ExpressVPN or Cyberghost?

  • Anonymous Coward, 28 Sep 2018 @ 11:43pm

    fuck facebük

  • Blaine, 30 Sep 2018 @ 10:39am

    Oh that's easy

    "making you wonder what it looks like when Facebook truly doesn't give a damn."

    Just go to facebook.com.

  • Anonymous Coward, 30 Sep 2018 @ 10:44am

    At what point does the act of collecting, storing and then willingly or unwillingly transferring a complete profile of a person's life, relationships, political views, pictures, friends and family ties, location and personal data infringe on federal law -- perhaps privacy laws, 4th Amendment laws, identity theft laws, etc? I'm sure there are other laws that would apply.

    • R.H., 30 Sep 2018 @ 9:23pm

      Re:

      In the United States? Probably never. Have a look at Facebook's Terms of Service. If you use the service, you give them a license to use the information you provide pursuant to the privacy settings that you set. That handles privacy laws.

      Concerning identity theft laws, as long as Facebook doesn't try to act as you (in a way that you didn't authorize in the ToS, for example, FB showing one of your friends your picture with an ad for a product whose page you "Liked") and as long as they try to keep your data out of the hands of unauthorized persons then Facebook isn't committing identity theft either.

      I saved the easiest one for last. The 4th Amendment's provision against illegal search and seizure only applies to the government. Facebook couldn't break it if they tried. Choosing to comply with a government request isn't a violation on their behalf, if anything, (and that's a big if) it would be a violation by the government agency that made the request.

      In the EU on the other hand...I don't know as much about the law there but, I have the feeling that the EU is currently in the middle of swinging the pendulum so far towards personal privacy that non-EU public governmental knowledgebases are already being harmed. In that case, Facebook may be in for a bit of a rough time over there.

      • Wendy Cockcroft, 1 Oct 2018 @ 2:31am

        Re: Re:

        Indeed. But the best way to protect your privacy is to assume that everything you put online will eventually be made public, even on the strongest privacy settings.

        Be very careful about what information about yourself or your family you post online.

  • Anonymous Coward, 3 Oct 2018 @ 4:39pm

    If Facebook took privacy and transparency seriously, especially the former, they wouldn't exist in the first place.
