Study Shows Facebook's Still Miles Away From Taking Privacy, Transparency Seriously

If the entire Cambridge Analytica scandal didn't make that clear enough, Facebook keeps doubling down on behaviors that highlight how security and privacy routinely play second fiddle to user data monetization. Take the VPN service Facebook pitches to users as a privacy and security solution, which is actually used to track online user behavior when they wander away from Facebook to other platforms. Or that time Facebook implemented two-factor authentication, only to use the provided (and purportedly private) phone number to spam users (a problem Facebook stated was an inadvertent bug).
This week, a new report highlighted how Facebook is letting advertisers market to Facebook users by using contact information collected in surprising ways that aren't entirely clear to the end user, and, according to Facebook, aren't supposed to work. That includes not only two-factor authentication contact info users assume to be private, but data harvested from other users about you (like secondary e-mail addresses and phone numbers not directly provided to Facebook). The findings come via a new report (pdf) by Northeastern University's Giridhari Venkatadri, Alan Mislove, and Piotr Sapiezynski and Princeton University's Elena Lucherini.
In it, the researchers highlight how much of the personally identifying information (PII) collected by Facebook still isn't really explained by Facebook outside of painfully generic statements. This data in turn can be used to target you specifically with ads, and there's virtually no transparency on Facebook's part in terms of letting users see how this data is being used, or providing fully operational opt-out systems:
"Worse, we found no privacy settings that directly let a user view or control which PII is used for advertising; indeed, we found that Facebook was using the above PII for advertising even if our control account user had set the existing PII-related privacy settings on to their most private configurations. Finally, some of these phone numbers that were usable to target users with did not even appear in Facebook's 'Access Your Data' feature that allows users to download a copy of all of their Facebook data as a ZIP file."
Again, this includes the use of two-factor authentication (2FA) credentials that Facebook has previously stated aren't supposed to be used for marketing purposes. It's something that Facebook has repeatedly claimed doesn't happen:
"Facebook is not upfront about this practice. In fact, when I asked its PR team last year whether it was using shadow contact information for ads, they denied it."
User efforts to glean more transparency from Facebook haven't fared well either, even in the UK where the GDPR was supposed to have put an end to this kind of cavalier treatment of user data:
"I've been trying to get Facebook to disclose shadow contact information to users for almost a year now. But it has even refused to disclose these shadow details to users in Europe, where privacy law is stronger and explicitly requires companies to tell users what data it has on them. A UK resident named Rob Blackie has been asking Facebook to hand over his shadow contact information for months, but Facebook told him it's part of 'confidential' algorithms, and 'we are not in a position to provide you the precise details of our algorithms.'"
And again, this is a company in the wake of several major privacy scandals, attempting to avoid heavy-handed privacy regulations at both the state and federal levels, making you wonder what it looks like when Facebook truly doesn't give a damn.