Facebook's targeting users with ads using data they provided for security reasons - and it shows why the company still can't be trusted on privacy

• Facebook is using contact information collected about users in surreptitious ways to target them with ads, according to a new research paper.
• Among the data the company is using to target users with ads is contact information users provide for security purposes.
• We shouldn't be surprised that the company is using such information for commercial purposes - it has a long history of aggressively pursuing, collecting, and using users' personal information.

Facebook has never been a paragon for protecting privacy - quite the opposite, in fact.

But we just got another revealing glimpse at how far it's willing to go to glean information about you that it and its advertising partners can use to target you with ads. And, yet again - for the umpteenth time - the company comes across looking sleazy.

It turns out that Facebook has turned some security features into data-grabbing, ad-selling opportunities. The company takes phone numbers provided by customers for its two-factor authentication system and for sending customers alerts about new log-ins to their account and uses them to target users with ads, as Gizmodo reported this week.

In other words, Facebook is engaged in a bait-and-switch. It's taking information that users provide it for the purpose of helping make their accounts more secure and using it to violate their privacy - without being entirely clear to users what it's doing.

"Users may naturally provide this data with only security purposes in mind; if used for advertising, this may significantly violate a user's privacy expectations," a group of professors, three of which hail from Northeastern University, said in their understated way in the research paper on which Gizmodo based its report.

Facebook also targets users based on data they can't control

But that's not the only way that Facebook is garnering information about users surreptitiously and using it for advertising purposes, according to the professors' report. Facebook also targets users with ads based on personal contact information even when they themselves don't provide that information, according to the paper. That happens when their phone numbers or email addresses are included in the address books uploaded by other users.

Those contact details could be ones that users purposefully didn't share with Facebook. What's worse, Facebook keeps hidden from users who provided that information or what it is - or bar its use. Additionally, the company was able to target users with ads using such information even when users had their privacy settings configured to the highest level.

"The target user in this scenario was provided no information about or control over how this
phone number was used to target them with ads," the professors wrote in their report.

Facebook representatives did not return an email seeking comment. But the company did not dispute the paper's findings, Gizmodo reported.

"We use the information people provide to offer a more personalized experience, including showing more relevant ads," a company spokeswoman told Facebook.

The spokeswoman added that in the case of two-factor authentication, users can now configure it without using their phone number. The reason the company bars people from seeing and controlling information shared about them by other users is because it considers that information to be owned by those other users.

"People own their address books," the spokeswoman told Gizmodo.

Facebook has a poor history when it comes to users' privacy

That's a very convenient answer for Facebook. It means that even if users are trying to protect their private information from the company or advertisers, that information can be exposed without their say or knowledge. That's great for Facebook and its advertisers, but bad for users' privacy.

But at this point, we should probably expect such practices from Facebook. The company's business, after all, revolves around collecting as much data as possible from users and using that information to target them with advertisements. It's repeatedly pushed users to share more and more personal information and frequently hasn't been completely upfront about what it's collecting or what's being done with that information.

Don't just trust me on that. That's what the Federal Trade Commission found when it issued a consent decree against the company in 2012. Thanks to the Cambridge Analytica scandal this spring, the company is now under investigation for violating that decree.

In the wake of that scandal, Facebook made an effort to demonstrate that it's now serious - really serious - about protecting users' privacy. It's made a big show about giving users more tools to control who can see their private information and clamping down on developers who previously had access to that data.

But these latest revelations indicate that these efforts are largely just that - a show. Facebook is what it's always been, a data harvesting, ad targeting machine. And its post-Cambridge Analytica privacy epiphany hasn't changed that.