Well, we all should have seen this coming. Facebook is under fire again for arguably misusing user data, this time related to the phone numbers that many of us provided as a way of adding a two-factor authentication layer to our profiles.
The problem is that Facebook is apparently using those phone numbers for the purpose we intended (account security), but also, well, for other things. Jeremy Burge, who runs the Emojipedia website, called attention to this in a series of tweets in recent days in which he notes that you can now apparently search user profiles via the phone numbers users have provided — and that there seems to be no way for users to tell Facebook to not allow this.
In one of his tweets, Jeremy includes a menu of options from Facebook showing that users do have some choices about who’s allowed to look them up by their phone numbers. For example, you can allow “everyone,” “friends” or “friends of friends.” One option that’s not present, though, is the ability to select “no one” — which would of course prevent anyone from looking you up by your phone number. As it stands, that lookup can tie your number to your actual Facebook profile for anyone who wants to search for it.
Here’s Facebook’s former chief security officer weighing in on this issue:
This is why tech companies need somebody advocating for security as a first-class goal in product, which is a different function than good security engineering. FB can’t credibly require 2FA for high-risk accounts without segmenting that from search & ads. https://t.co/CzDyuRInBU
— Alex Stamos (@alexstamos) March 2, 2019
Facebook offered a response about this to TechCrunch, explaining that choosing who can look you up by your phone number isn’t a new setting. Last May, Facebook eliminated the requirement that you set up two-factor authentication via the addition of a phone number — so what’s going on here, in other words, is that once you do add a number, it opens up a variety of ways for Facebook to use it. To be fair, though, anyone who’s upset by this should be aware that Facebook very likely already had their number anyway, via the way it builds out its trove of connections between users: your friends, for example, may have uploaded their contacts, with you included in that pile.
The other icky thing about this is that, again via a confirmation to TechCrunch, Facebook has acknowledged that it does use phone numbers provided for two-factor authentication to also improve its user ad targeting. The great money-making engine of advertising, in other words, is apparently too important to let a thing like a user’s protectiveness of their phone number get in the way.