Facebook And Its Controversial Resources For Targeted Advertising
As stated in the previous paragraphs, online social networks constantly collect numerous kinds of personally identifying information, such as names, gender, date of birth, email and phone numbers. This data is mainly exploited by the social networks to provide advertisers the most accurate targeting possible. Unluckily, these services do not clarify the relationship between the collection of data and its usage as best as possible, therefore for users it is difficult, if not completely unfeasible, figure out how they are actually being targeted by advertisers.
Taking Facebook as an example, whoever is making use of the service might presume that going on his profile and giving a look at his contact basic information is sufficient to see which phone number and email address are associated with his account and hence determine what information advertisers can use to target him. But, as pointed out before, the targeting procedure is less transparent and its mechanisms are more subtle and hardly noticeable. The focal point about this issue is the fact that Facebook not only for targeting purposes use the data that you willingly put in your profile, but it also use the personal information that the user yielded for security purposes or even that the user did not hand over at all, exploiting data that has been collected from other people’s contact books. This is information that Facebook gathered on you from other users-sources, that you cannot control and most likely you do not even imagine Facebook has it. A significant problem that concerns interdependent privacy and means a violation of the user’s privacy expectations. A research conducted by Venkatadri, Lucherini et al. (2018) tested if personal identifying information (from now on called “PII”) gave by users for security reasons such as two-factor authentication or login alerts are used for targeting purposes. The results showed that when a user provides Facebook a phone number for two-factor authentication: The phone number became targetable after 22 days, showing that a phone number provided for 2FA was indeed used for PII-based advertising, despite our account having set the privacy controls to the most restrictive choices.
Even with the possibility to use a phone number or an email address to obtain warnings about logins from unregistered devices the result was analogous: We added a phone number and an email address to an author’s account to receive login alerts, and found that both the email address and phone number became targetable after 17 days. This means that users who want to have a more protected account are obliged to make a privacy trade-off and let advertisers find them and target them more easily.
Moreover, the same team of researchers analyzed whether PII acquired without users’ awareness, for instance from other users that shared their phone contacts, is exploited for PII-based advertising. To gather data on users that did not give their direct permission, Facebook operates by examining the contact list of a user that provided the authorization, then links these contacts to existing accounts and, finally, matches the data and gains new information on these users. In a prototypical scenario, if one user, whom we will call Alberto, shares his contacts list with Facebook, included an unknown phone number for Facebook of another user, whom we will call Alessio, advertisers will be able to target Alessio making use of his phone number. We used a factory-reset Android phone, and created a contact containing the full name and the email address of one of the authors (both of which Facebook already had), as well as a new phone number that we controlled and had verified was non-targetable. We then installed the Facebook Messenger App, giving it permissions to sync the list of phone contacts. We found that the previously-unused phone number became targetable in 36 days, showing that it had indeed been linked to the corresponding author’s account without their knowledge.
Furthermore, Alessio will not even be able of managing this kind of information about him, since for Facebook it is Alberto’s data and that would infringe his privacy. Therefore, Alessio cannot do anything about something that Facebook and advertisers obtained without his approval or he even could be completely and most likely unaware of this process.