Facebook criticised for misuse of phone numbers provided for security

Facebook’s under fire – again. This time, it’s for using phone numbers provided for security reasons, for other things.

Users are once again accusing Facebook of playing fast and loose with their privacy, allowing users to look up their profiles using the phone number they thought they were only providing for 2FA (two-factor authentication). What’s more, there’s no getting out of it, since Facebook has no opt-out for the “look me up by my phone number” setting.

This latest scandal blew up on Friday, when Emojipedia founder Jeremy Burge publicly criticized Facebook’s information-slurping operation:

In a string of tweets sent after that, Burge said that he noticed that in September Facebook slipped in an understated “and more,” appended to the original phone number prompt. The “and more” linked to a page that explained that the number would be used for purposes other than securing your account.

Burge also noted that getting users to put in their phone number to sign up for services has been “the single greatest coup” for the social media and advertising industries: it’s “one unique ID that is used to link your identity across every platform on the internet,” he said.

When is a search not a search?

In April 2018, Facebook CTO Mike Schroepfer announced new data access restrictions: one of a string of attempts the company made to try to appease lawmakers and regulatory bodies and to try to keep users from torching their accounts in the Cambridge Analytica fallout.

Facebook said at the time that “most people on Facebook” may have had their public profile information scraped by “malicious actors.” The scraping was done with account recovery and search tools that let users look up people by their phone numbers and email addresses, then take information from their profiles.

From Schroepfer’s post:

Until today, people could enter another person’s phone number or email address into Facebook search to help find them. So we have now disabled this feature.

Burge tweeted today that while the ability to “search” for people using their phone number was turned off last year, it’s still possible to “look up” profiles using phone numbers stored in your phone:

“This isn’t a mistake”

Facebook former chief security officer said that Facebook once had plans to segregate phone numbers provided for 2FA from those which users handed over for other purposes. So much for that – it’s now clear that Facebook made an intentional choice not to do so, he said:

Facebook never did replace Stamos. Too bad: as Stamos pointed out in another Tweet, this is a clear example of why companies need somebody devoted to advocating for security:

The privacy and safety repercussions

These are the privacy repercussions: if someone you know has used her phone number to turn on Facebook 2FA, and if you’ve allowed the Facebook app to access your contacts on your phone, it will see your friend’s phone number and offer to connect the two of you – in spite of your friend not having offered to make her phone number available for looking her up.

This doesn’t just lead to potentially awkward situations, such as when you’re not real-life friends with the person whom Facebook suggests you link up with… as pointed out by security expert and academic Zeynep Tufekci, it can prove dangerous for people who need to stay hidden:

What to do?

If you choose to remove your phone number from your account, you can’t use it to recover the account or use SMS-based 2FA.

The good news is that in May 2018, Facebook made it easier to use third-party authentication apps for 2FA – such as, for example, Google Authenticator, Authy, Duo Security, or Sophos Authenticator (here are the links for the iOS and the Android version).

That doesn’t necessarily mean that profiles aren’t findable by phone number search, though. As Burge pointed out, phone numbers have been used throughout Facebook’s other apps, including WhatsApp and Instagram. And even if you don’t give Facebook your number, a friend who shares their address book with one of Facebook’s apps might do it for you.

You can at least mitigate the fallout by limiting who can look you up by using your phone number.

Go to Settings > Privacy > How people can find and contact you. Set the drop down next to Who can look you up using the phone number you provided? to “Friends,” rather than “Everyone” or “Friends of friends.” As it is, Facebook has the setting set to “Everyone” by default.

If you’re concerned about which privacy and security settings to focus on in Facebook, you might be interested in our guide to protecting your account.