Facebook Uses 2FA Phone Number to Target Ads

Surprise! Facebook just confirmed it does, in fact, use phone numbers that users provided it for security purposes to also target them with ads. Specifically, this covers phone numbers handed over for two-factor authentication (2FA), a security technique that adds a second layer of authentication to help keep accounts secure.

Facebook’s confession follows a story Gizmodo ran about research carried out by academics at two U.S. universities. The researchers say their study demonstrates that the company uses pieces of personal information that individuals did not explicitly provide to it to target them with ads nonetheless.


History of Using User Contact Details

While it has been — if not clear, then at least evident — for a number of years that Facebook uses contact details of individuals who never personally provided their information for ad targeting purposes (harvesting people’s personal data by other means, such as other users’ mobile phone contact books which the Facebook app uploads), the revelation that numbers provided to Facebook by users in good faith, for the purpose of 2FA, are also, in its view, fair game for ads has not been so explicitly ‘fessed up to before.

Some months ago Facebook did say that users getting spammed with Facebook notifications at the number they provided for 2FA was a bug. “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” Facebook then-CSO Alex Stamos wrote in a blog post at the time.


Apparently not thinking to mention the rather pertinent additional side-detail that it is nonetheless happy to repurpose the same security feature for ad targeting. Because of money perhaps?

The Shadow Profile Front

A Facebook spokesperson was quoted in a statement, “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

A spokesman also told the publication that users can opt out of this ad-based repurposing of their security digits by not using phone number based 2FA. (Albeit, the company only added the ability to do non-mobile phone based 2FA back in May, so anyone before then was all outta luck.)

On the “shadow profiles” front — aka Facebook maintaining profiles of non-users based on the data it has been able to scrape about them from users and other data sources — the company has also been less than transparent.

Founder Mark Zuckerberg feigned confusion when questioned about the practice by US lawmakers earlier this year — claiming it only gathers data on non-users for “security purposes”.

Well, it seems Facebook is also using the (valid) security concerns of actual users to extend its ability to target individuals with ads — by using numbers provided for 2FA to also carry out ad targeting. Safe to say criticism of the company has been swift and sharp.

Marcus B.

I’ve been a writer on this website right from the start. And I’m actively supporting it with exciting contributions and extensive testing! I have many years of experience concerning Internet and privacy topics. In addition, I’m always up to date and keep the team informed about the latest developments, not only for the protection of privacy but also for legal and regulatory issues.
