Facebook Must Explain What it's Doing With Your Phone Number (Update)
Like many others, PI were alarmed at recent reports that Facebook have been making mobile phone numbers, which users believed they had provided for the express purpose of "two-factor authentication" (2FA), both searchable and a target for advertising by default.
One of the myriad ways Facebook displays targeted adverts to users is through so-called "Custom Audiences". These "custom audiences" are lists of contact details, including phone numbers and email addresses, uploaded by advertisers. Facebook then matches this "custom audience" with the details they hold, to target adverts at accounts associated with this contact information.
Facebook have history when it comes to blurring of lines between contact information provided for security, and contact information provided for other purposes.
In early 2018, in a paper titled 'Investigating sources of PII used in Facebook's targeted advertising', researchers Giridhari Venkatadri, Elena Lucherini, Piotr Sapiezynski and Alan Mislove stated that contact information (i.e. phone numbers) handed over by users for security purposes was being shared with advertisers.
We reached out to Facebook, asking them for clarification on their policies and procedures around the use of phone numbers. Our full exchange can be found at the end of this blogpost.
Why was this alarming?
Humans are bad at passwords. We are awful at randomness. In the words of XKCD:
Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
We tend to end up with one or two passwords* able to pass the various "security" restrictions imposed by various websites. We then consider these passwords to be "strong".
Unfortunately these "strong" passwords, which we re-use and keep for years, tend to get summarily dumped on the internet, trivially guessed by brute force, obtained from a data leak or sold on the black market. [n.b. A quick check on HaveIBeenPwned will let you know if your account credentials are compromised.]
The direct result of this is that a username and password ("single-factor authentication") is just not secure enough to prove ownership of high value accounts; be they email**, online banking, social media accounts, or otherwise.
* (Let me guess... your password is 8-15 characters, starts with a capital letter, and ends in "1!", right?).
** Your email account is a gold mine – it is where you receive the password resets for your other accounts!
To address the flaws of password security, multi-factor authentication has become more prevalent.
Multi-factor authentication – usually implemented as two-factor authentication (2FA) – boils down to “something I know”, and “something I have, and only I have”.
This second factor is usually some sort of one-time passcode either sent to you by SMS, or generated either in an app, or on a token device.
By adding in this second factor, even if you know someone's password you'd be unable to log into their account.
Because of this extra authentication step, you'll usually find 2FA offered by organisations that are targeted because of who they are or what they do – which includes banking!
Many online-based organisations offering 2FA (and there are quite a few – look at the excellent resource at TwoFactorAuth) tend to offer SMS as their primary, sometimes exclusive, second authentication factor. This includes Twitter and (until recently) Facebook... which requires, of course, registering a phone number to receive these SMSs.
Facebook's (former) Chief Security Officer acknowledged 2FA as "an important security feature that has helped a lot of people mitigate the risk of phishing attempts and helps protect people from having their accounts compromised." He went on to state that "the last thing we want is for people to avoid helpful security features...", and took swift action when in 2018 users were receiving non-security related SMS on their 2FA phone numbers.
So in spite of the importance of 2FA and their own pronouncements, were Facebook undermining users' trust by using 2FA details for targeted advertising?
We asked Facebook several simple questions, starting with "is it accurate that phone numbers given specifically for security purposes are now searchable"?
Here are our five takeaways from a (slightly confusing) exchange with Facebook.
1. Phone number ≠ 2FA only... at least, until recently.
If you thought that you were providing your phone number solely for security purposes, you are mistaken.
Facebook were careful to stress to us that "there is currently no way to provide a phone number specifically for security purposes" - further clarifying that a user cannot turn on SMS 2FA without first having a phone number registered against their Facebook account.
This, however, is the source of the confusion - there are two different ways of adding a phone number:
- Through the general "phone number flow"
- Through "Security and 2FA"
No matter which way is used to add a phone number, the end result is the same - Facebook do not differentiate between the methods... until "recently".
"Once a user adds their phone number to their Facebook account and then later chooses to use this phone number to enable two-factor authentication, the number can be used for the purposes set out in the phone number flow and in our Data Policy, including product and advertising purposes."
By default, phone numbers added to a Facebook profile are set to searchable by "everyone". The minimum possible audience for searchability is "friends".
2. Added a 2FA phone number pre-April 2019? It's probably been used for targeted advertising.
If you have attached a phone number to your Facebook account:
- It is likely to have been used for targeted advertising, as per Facebook's terms
- Until April 2018 it was directly searchable from the Facebook search bar
In response to feedback, in April 2019, Facebook revised their systems so that new phone numbers added directly through the two-factor authentication settings screen are no longer used to match Custom Audiences, deliver ads, or to provide, personalise and improve Facebook Products.
It is unclear whether these April 2019 changes to targeting have been applied retroactively to those phone numbers already provided.
3. "Who can look me up?" - probably more people than you realise!
The "who can look me up?" settings have been in place for many years. In April 2018 (one month after media reporting about abuse of 2FA), Facebook "removed the ability to enter another person's phone number or email address into the Facebook search bar to help find someone's profile", however these details remain able to be matched "in other ways".
An obvious question is what these 'other ways' of matching your profile are; it appears to be through contact books uploaded to Facebook, apparently so that people who already have your contact details can find you on Facebook.
It is also disappointing that currently, as Facebook confirm, the "Who can look me up" setting applies to all phone numbers you have added to Facebook and defaults to "everyone." In addition the minimum audience you can change it to is 'friends'. We believe that at the very least the default setting should be 'friends' and Facebook should add 'only me' as a minimum audience.
4. Most people on Facebook could have had their public profile scraped using phone numbers
In response to our questions, Facebook referred back to a post they made in April 2018, which is worth recalling when querying use of phone numbers.
Search and Account Recovery: Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name. In Bangladesh, for example, this feature makes up 7% of all searches. However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.
5. New customers only
Facebook have assured us that "in response to feedback", now when adding a new phone number to a Facebook account directly through the 2FA security settings:
- this phone number is no longer searchable/targetable by advertisers (i.e. will not appear in "custom audiences") by default,
- this phone number has its visibility (i.e. to whom it appears on your profile) set to “only me” by default,
- the “who can look me up” setting defaults to “everyone” (as applies to all phone numbers added to Facebook)
If you are adding a new phone number, but do not go through the 'two-factor authentication flow' and instead go through the 'phone number flow' and later choose to use this phone number to enable 2FA, then:
- the number can be used for the purposes set out in the phone number flow and in Facebook's Data Policy i.e. product and advertising purposes
- the number will be searchable to a minimum audience of "friends" - although no longer through the Facebook search bar.
What remains unclear
We are not aware exactly when Facebook started asking for users' mobile phone numbers, how many users provided these, or when. We are also unable to interrogate when and why each user uploaded their phone number, what percentage believed this was solely for the purposes of 2FA, and why they believed this.
However, it is clear that many people did believe that to be the case, many people provided their phone numbers believing that it would make their accounts more secure, and as a result, many companies were able to conduct targeted advertising based on this user data.
We think it is great that Facebook have taken concerns on board and made changes, and we congratulate them for doing so, however we still have concerns around the default "who can look me up" setting being set to "everyone".
Allowing numbers to be searchable both undermines users' trust in two-factor authentication, a critical security feature, and puts users' security at risk if they are unaware that their account may be identified by their phone number. This is particularly concerning for activists, dissidents and communities at risk all over the world that have a clear and present need to protect their security and who use Facebook to communicate and organise.
How to check your account
Go To Settings > Privacy > How people find and contact you.
Set the drop-down next to "Who can look you up using the phone number you provided" to "Friends" rather than "Everyone" or "Friends of friends". As it stands, Facebook sets this to "Everyone" by default.