Shadow user profiles: Facebook advertisers will find you even by a non-public phone number
Four days ago the article "Our personal data does not cost you anything" made a lot of noise on Habr. Did you know that this is only the tip of the iceberg, and that in reality everything is much worse? What if your enemies have not only your passport data, but also a list of your purchases at a pharmacy or an “adult” store, obtained by redirecting you to a site they control through a personalized advertisement?
Researchers from Boston University and Princeton have uncovered interesting details about the targeting and contextual advertising system on Facebook. It turns out that advertising agencies are able to deliver personalized ads to a specific Facebook user using his contact information, even if he never placed it in the profile itself.
Screenshot of the ad, taken by Alan Mislove, with Facebook's explanation of how the “advertiser” selected him for the ad's audience.
Kashmir Hill, a journalist at Gizmodo, writes:
Last week, I launched an ad on Facebook that was aimed at an informatics professor named Alan Mislove. Alan Mislove studies how privacy works in social networks and has developed a theory according to which Facebook allows advertisers to reach users using contact information collected in highly non-standard ways.
I helped him test this theory by targeting an advertising campaign at his account in a way that, according to official recommendations from Facebook, should not have worked. I set up the ad to be shown to the Facebook account associated with the landline phone number of Alan Mislove’s office, a number that Mislove never gave to Facebook.
Alan Mislove saw the ad in just a few hours.
Researchers Giridhari Venkatadri, Piotr Sapiezynski and Alan Mislove from Boston University, together with Elena Lucherini from Princeton University, conducted a series of tests in which fabricated contact and personal data were submitted to Facebook for a group of test accounts. The researchers tracked whether this information became available to advertisers, and how exactly advertisers could use it, by analyzing the audience-size statistics provided by the social network's advertising interface. The research results were published as a detailed 18-page article (PDF).
One of the many ways to deliver an ad on Facebook and Instagram is for advertisers to upload lists of phone numbers or email addresses as a file. Facebook's algorithms then match the contact details from the uploaded lists to the social network accounts associated with that contact information. A clothing retailer can advertise clothing on Instagram to women who have already bought something from it before, a politician can advertise on Facebook to those who are already on his mailing list, or a casino can make lucrative offers based on knowing the email addresses of people suspected of gambling. Facebook calls this a “custom audience”.
It is well known that Facebook uses for ad targeting all the information that you voluntarily provide about yourself, including all contact and personal data. Just go to the “contacts and basic information” section to see which email addresses and phone numbers are associated with your account, and this is only the “starter pack” of the knowledge that advertisers can use to “hunt” you.
However, when selling ad impressions Facebook is not content with only the contact information that users voluntarily placed in their social network profiles. Facebook also uses contact information that users provided only for account security purposes, and contact information that they themselves never transmitted at all. Such information was instead collected, for example, from other people's contact lists. It forms a digital trace that is hidden from the ordinary view of each user of the social network. Among security researchers this trace has become known as the user's “shadow profile”.
As a recent Gizmodo article describes, Facebook uses, in particular, the information that the user leaves for two-factor authentication.
Two-factor authentication is a security mechanism in which access to an account is granted only after presenting several pieces of authentication evidence, for example the account password and a one-time confirmation code from an SMS message. To use it, the user leaves his cell phone number. Experts have found that Facebook retains this data and indirectly resells it to advertisers, who in turn build their ad targeting on it.
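The matching described above can be modeled in a few lines. This is an added example, not code from the article, the researchers or Facebook: the account records, source labels, phone numbers and the use of SHA-256 over normalized identifiers are all assumptions made for the model. It shows which accounts become reachable only because identifiers outside the visible profile are matched.

```python
import hashlib
import re

def normalize(kind, raw, default_cc="1"):
    """Canonical form before hashing: lowercase email, digits-only phone with country code."""
    if kind == "email":
        return raw.strip().lower()
    digits = re.sub(r"\D", "", raw)
    return default_cc + digits if len(digits) == 10 else digits

def digest(kind, raw):
    return hashlib.sha256(normalize(kind, raw).encode()).hexdigest()

# Constructed platform-side records: (kind, value, how the platform learned it).
ACCOUNTS = {
    "alice": [
        ("email", "alice@example.com", "profile"),
        ("phone", "+1 202 555 0101", "two_factor"),
        ("phone", "202-555-0102", "other_users_contacts"),
    ],
    "bob": [("email", "Bob@Example.com", "profile")],
}

def build_index(accounts, sources):
    """Map identifier hash -> [(user, source)], using only the given sources."""
    index = {}
    for user, idents in accounts.items():
        for kind, value, source in idents:
            if source in sources:
                index.setdefault(digest(kind, value), []).append((user, source))
    return index

def match_audience(upload, index):
    """Return {user: {sources}} for each uploaded contact that hits an account."""
    hits = {}
    for kind, value in upload:
        for user, source in index.get(digest(kind, value), []):
            hits.setdefault(user, set()).add(source)
    return hits

ALL_SOURCES = {"profile", "two_factor", "other_users_contacts"}
# Constructed advertiser list: an office landline, a known email, a stranger.
UPLOAD = [("phone", "(202) 555-0102"), ("email", "bob@example.com"),
          ("email", "nobody@example.org")]

def shadow_only_reach(upload, accounts=ACCOUNTS):
    """Users reachable only because non-profile identifiers are matched."""
    everything = match_audience(upload, build_index(accounts, ALL_SOURCES))
    profile = match_audience(upload, build_index(accounts, {"profile"}))
    return set(everything) - set(profile)

if __name__ == "__main__":
    print(match_audience(UPLOAD, build_index(ACCOUNTS, ALL_SOURCES)))
    print(shadow_only_reach(UPLOAD))
```

In this model "alice" is matched by a landline she never entered herself, while restricting the index to profile data leaves only "bob" in the audience.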
Back in May 2016, Facebook was criticized for creating and using shadow profiles, and not only for its regular users, but also for unregistered and logged-out visitors of Facebook resources, as well as of sites with embedded scripts from the social network (Like button, advertising modules, etc.).
Kashmir Hill was able to show Alan Mislove a personalized ad precisely because she was “aiming” at his shadow profile. This means that your junk e-mail address, which you use to get promotional discounts or for secret online purchases, is probably already associated with your account and is used to target advertisements at you.
Facebook head Mark Zuckerberg said at the April 2018 congressional hearing that he had no information about the use of “shadow profiles” technology in his company. However, the materials from the above-mentioned article once again prove the existence of this very dubious and invasive practice of collecting information by the American social network.
As a result, even your most intimate secrets may turn out to be secret from everyone except advertisers on Facebook. And it is not so bad if they use this knowledge simply to push you into another spontaneous purchase. It is worse if ad targeting of the shadow profile is used by an attacker to attack you. The consequences can vary widely.
Methods of dealing with surveillance by Facebook
1. Radical
- Delete all your contact and personal data from social network accounts
- Delete all accounts on Facebook
- Remove all applications from mobile devices related to Facebook
- Set total blocking of any scripts from Facebook addresses in all browsers, including mobile ones.
- And of course, do not forget about the traditional blockers of advertising.
2. Compromise
- If you cannot give up your Facebook account, then in the account settings, in the “advertising settings” section, completely disable the personalization of ads.
- It is advisable to combine these measures with sending the “Do Not Track” parameter in all browsers and disabling the advertising identifier on Apple and Android mobile devices.
And how do you fight online surveillance? (choose no more than two options)
- 30% (12 votes): I turned off ad personalization and reset advertising device identifiers
- 65% (26 votes): I use ad-blocking and script-blocking tools
- 2.5% (1 vote): I keep social networks in separate Firefox containers
- 10% (4 votes): I go online only from private browser tabs
- 7.5% (3 votes): I use Tor Browser
- 0% (0 votes): I go online only through Linux Tails
- 15% (6 votes): I removed all my social network accounts
- 12.5% (5 votes): I only have fake accounts without real photos and full name
- 5% (2 votes): I do not use the Internet
- 32.5% (13 votes): I do not care about surveillance