Facebook’s under fire – again. This time, it’s for using phone numbers provided for security reasons, for other things.
Users are once again accusing Facebook of playing fast and loose with their privacy, allowing users to look up their profiles using the phone number they thought they were only providing for 2FA (two-factor authentication). What’s more, there’s no getting out of it, since Facebook has no opt-out for the “look me up by my phone number” setting.
This latest scandal blew up on Friday, when Emojipedia founder Jeremy Burge publicly criticized Facebook’s information-slurping operation:
For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS— Jeremy Burge (@jeremyburge) March 1, 2019
In a string of tweets sent after that, Burge said that he noticed that in September Facebook slipped in an understated “and more,” appended to the original phone number prompt. The “and more” linked to a page that explained that the number would be used for purposes other than securing your account.
The original FB phone number prompt never mentioned "and more". It was shown for MONTHS before a link was added in September 2018 clarifying "actually we'll use this wherever we damn well please" pic.twitter.com/FcOTIZdVf5— Jeremy Burge (@jeremyburge) March 1, 2019
Burge also noted that getting users to put in their phone number to sign up for services has been “the single greatest coup” for the social media and advertising industries: it’s “one unique ID that is used to link your identity across every platform on the internet,” he said.
When is a search not a search?
In April 2018, Facebook CTO Mike Schroepfer announced new data access restrictions: one of a string of attempts the company made to try to appease lawmakers and regulatory bodies and to try to keep users from torching their accounts in the Cambridge Analytica fallout.
Facebook said at the time that “most people on Facebook” may have had their public profile information scraped by “malicious actors.” The scraping was done with account recovery and search tools that let users look up people by their phone numbers and email addresses, then take information from their profiles.
From Schroepfer’s post:
Until today, people could enter another person’s phone number or email address into Facebook search to help find them. So we have now disabled this feature.
Burge tweeted today that while the ability to “search” for people using their phone number was turned off last year, it’s still possible to “look up” profiles using phone numbers stored in your phone:
Here's what the search/look-up difference appears to mean:— Jeremy Burge (@jeremyburge) March 5, 2019
What you can’t do now: 🔍❌ enter any phone number to “search” for matching profile/s
What you can still do now: 🔄🔍✅ Create an address book full of numbers, sync it to Facebook, and “look up” matching profiles
“This isn’t a mistake”
Facebook former chief security officer said that Facebook once had plans to segregate phone numbers provided for 2FA from those which users handed over for other purposes. So much for that – it’s now clear that Facebook made an intentional choice not to do so, he said:
There were hacky fixes put in place and there was supposed to be a big project to segregate numbers. This isn’t a mistake now, this is clearly an intentional product choice.— Alex Stamos (@alexstamos) March 2, 2019
Facebook never did replace Stamos. Too bad: as Stamos pointed out in another Tweet, this is a clear example of why companies need somebody devoted to advocating for security:
This is why tech companies need somebody advocating for security as a first-class goal in product, which is a different function than good security engineering. FB can’t credibly require 2FA for high-risk accounts without segmenting that from search & ads. https://t.co/CzDyuRInBU— Alex Stamos (@alexstamos) March 2, 2019
The privacy and safety repercussions
These are the privacy repercussions: if someone you know has used her phone number to turn on Facebook 2FA, and if you’ve allowed the Facebook app to access your contacts on your phone, it will see your friend’s phone number and offer to connect the two of you – in spite of your friend not having offered to make her phone number available for looking her up.
This doesn’t just lead to potentially awkward situations, such as when you’re not real-life friends with the person whom Facebook suggests you link up with… as pointed out by security expert and academic Zeynep Tufekci, it can prove dangerous for people who need to stay hidden:
Yep. I can no longer keep keep private the phone number that I PROVIDED ONLY FOR SECURITY to Facebook. ZERO notification of this major, risky change. For years I urged dissidents at risk to use 2FA on Facebook. They were afraid of this. @Facebook doesn't care about their safety. pic.twitter.com/lW8wjBJlfz— zeynep tufekci (@zeynep) March 3, 2019
What to do?
If you choose to remove your phone number from your account, you can’t use it to recover the account or use SMS-based 2FA.
The good news is that in May 2018, Facebook made it easier to use third-party authentication apps for 2FA – such as, for example, Google Authenticator, Authy, Duo Security, or Sophos Authenticator (here are the links for the iOS and the Android version).
That doesn’t necessarily mean that profiles aren’t findable by phone number search, though. As Burge pointed out, phone numbers have been used throughout Facebook’s other apps, including WhatsApp and Instagram. And even if you don’t give Facebook your number, a friend who shares their address book with one of Facebook’s apps might do it for you.
You can at least mitigate the fallout by limiting who can look you up by using your phone number.
Go to Settings > Privacy > How people can find and contact you. Set the drop down next to Who can look you up using the phone number you provided? to “Friends,” rather than “Everyone” or “Friends of friends.” As it is, Facebook has the setting set to “Everyone” by default.
If you’re concerned about which privacy and security settings to focus on in Facebook, you might be interested in our guide to protecting your account.
6 comments on “Facebook criticised for misuse of phone numbers provided for security”
I guess few of us are surprised.
I hate the way big-tech thinks they can demand information on pain of locking you out of something they have sought to make essential.
Recently the twitterbot though it had found a kindred spirit in my twitter account and suspended it for “bot like behaviour” and insisted that I give them a phone number to get my twitter account back!
So trip to the shops to buy a cheap 2G phone for cash (so no IMEI recorded against a credit card), then buy a PAYG sim at another shop (again for cash), connect the two, let twitterbot try and seduce me (talking dirty with 6 digits!) and I am reconnected. Now ditch the sim and/or ditch the phone?
Was that excessive? It would appear not if facebook’s behaviour is anything to go by.
It looks like I’m properly trained in my mistrust of FaceBook. I have for years ignored their prompts to enter my phone number. With my FB password stored in a good pasword manager I see no reason to supply them with it.
Clearly, an extremely serious breach of GDPR for those EU users.
As far as I’m concerned, I would love for all the various EU GDPR bodies to go for Facebook’s throat and fine them the maximum. Mark Suckbug always comes across so smug.
Not sure if possible for phone but if you create a custom group and call it “NoContact” and leave the group empty. You could amend the FB permissions to only allow “NoContact” to search on Phone Number…
Here is the other thing – You can put the number in the facebook messenger app and still look people up too. Just put the phone number in and click on people. Boom – search still works
@BumBook You suggested a burner phone for the phone ID. Doesn’t work very often – here’s why. If the phone number expires, the social media network might just delete your account. Happened to me with one global social media network. Whole account simply deleted. And if you don’t lose your account, it certainly puts you at risk of losing control of your account.
What’s our alternative? To get and keep a single burner phone on which we put €20/year to keep it alive. The issue with this is that since it’s a single telephone, the social media networks will be able to connect your accounts. Sharing such a phone among family or friends or a company would confuse them. We’d probably get the message “This telephone number is associated with another account.”
We have truly entered the world of Big Brother and are all Winstons, except many of us naively believe we are free and that we live in a market economy (rather than a monopolistic corporatocracy).