© Dado Ruvic / Reuters
In any conversation about our online privacy, it is important to remember that our modern surveillance state was not born of the online revolution. It was alive and well long before the web era in the form of the massive data broker industry that buys and sells everything from our purchase records to our medical history. Social media merely honed and weaponized it.
Despite its transparency pledges, Facebook offers little detail about where all of the detail it obtains about us comes from. For a number of years it purchased data from many of the largest data brokers, assembling perhaps the single largest intelligence database in the world.
Now a new study suggests the company is constructing a "shadow profile" of each user by integrating contact information that was not provided by that user, but rather obtained from other users who shared their address books with Facebook. In short, even if you are careful never to provide Facebook with a certain private phone number, but one of your friends shares their phone's address book with Facebook that happens to have an entry for your private number, Facebook will link that private number with your account and allow it to be used for advertising.
This hidden contact information may not even be visible to the user whose profile has just been connected to the private phone number they had taken great pains not to share with Facebook. Browsing through the standard profile settings, there may not be a single indicator that a new phone number has just been added for them and it may not be readily possible to remove the phone number from their account. A Facebook spokesperson confirmed that the company does comb through address books shared by users and uses them to enrich its list of contact details for other users of the platform, but said they were not certain about whether it was possible to see these numbers or remove them.
While the ability to precisely target ads to a single individual using phone numbers is old news to those in the advertising world, it was eye opening to me the number of my own colleagues and friends who were unaware of this capability. They wrongfully assumed that ads on Facebook could only be targeted to extremely broad interest categories that had no connection to them as an individual. Most were downright frightened by the idea that their individual phone number could be used to precisely target them.
Of course, this reflects the fact that no matter how much is written about Facebook's advertising and data practices and no matter how much press coverage and government testimony is devoted to it, people pay little attention to detail and quickly forget the few details they read. A few weeks or months after a major privacy revelation or scandal and it is back to business as usual and most of the public forgets all about what they just learned. In turn, Facebook's new privacy stance becomes normalized through inaction, resetting the bar for the next major change.
However, when asked how the company saw this phone number association practice as complying with its obligations under GDPR, especially with regards to users not being able to readily see that a new number has been associated with their account against their will and not being able to remove that number, the company said it had no comment.
Perhaps most disturbingly, however, the Gizmodo author claims that the company explicitly denied the practice to her last year, confessing to it only after the recent study and her own experiment definitively proved that the company was engaging in the activity. When asked to comment on the reporter's claims, a Facebook spokesperson said the company had no comment.
The question of whether Facebook misled the reporter a year ago about its practices is perhaps the most disturbing question to emerge from this latest revelation. We know very little about Facebook's practices beyond that which the company reveals through its public statements. Lawmakers are forced to simply accept on blind faith the company's assurances, while the public must similarly rely on those promises. If the company was shown to have misled a reporter regarding a key privacy practice, that would undermine this precarious trust and call into question how much we can believe what Facebook tells us.
It may certainly be the case that Facebook only recently added this new behavior and that at the time the reporter asked about it a year ago the company was legitimately not performing shadow contact ad targeting. If so, however, it offers a reminder that reporters, scholars and policymakers must constantly re-ask the same questions again and again to hold companies accountable. When companies change their privacy practices they don't typically voluntarily contact every journalist and lawmaker who has ever asked about that practice in the past to update them on the new change. They simply quietly change the practice. Only by regularly re-asking all of the same questions can we force the major social platforms to either confirm when they have made changes or force them to make misleading statements on the record.
Putting this all together, while Facebook's practice of enriching user profiles by quietly associating other data with our accounts that we did not authorize is a reminder that little has changed in the aftermath of the Cambridge Analytica story. Facebook is back to the very same practices that got it into trouble in the first place. More concerning is the question of how much we can trust the company to be upfront about its practices when questioned by journalists and lawmakers. In the end, once again, all we can do is line up like lemmings and blindly trust the company's promises despite the long history of evidence to the contrary.
Reader Comments