Facebook’s under fire – again. This time, it’s for using phone numbers provided for security reasons, for other things.
Users are once again accusing Facebook of playing fast and loose with their privacy, allowing users to look up their profiles using the phone number they thought they were only providing for 2FA (two-factor authentication). What’s more, there’s no getting out of it, since Facebook has no opt-out for the “look me up by my phone number” setting.
This latest scandal blew up on Friday, when Emojipedia founder Jeremy Burge publicly criticized Facebook’s information-slurping operation:
For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS— Jeremy Burge (@jeremyburge) March 1, 2019
In a string of tweets sent after that, Burge said that he noticed that in September Facebook slipped in an understated “and more,” appended to the original phone number prompt. The “and more” linked to a page that explained that the number would be used for purposes other than securing your account.
The original FB phone number prompt never mentioned "and more". It was shown for MONTHS before a link was added in September 2018 clarifying "actually we'll use this wherever we damn well please" pic.twitter.com/FcOTIZdVf5— Jeremy Burge (@jeremyburge) March 1, 2019
Burge also noted that getting users to put in their phone number to sign up for services has been “the single greatest coup” for the social media and advertising industries: it’s “one unique ID that is used to link your identity across every platform on the internet,” he said.
When is a search not a search?
In April 2018, Facebook CTO Mike Schroepfer announced new data access restrictions: one of a string of attempts the company made to try to appease lawmakers and regulatory bodies and to try to keep users from torching their accounts in the Cambridge Analytica fallout.
Facebook said at the time that “most people on Facebook” may have had their public profile information scraped by “malicious actors.” The scraping was done with account recovery and search tools that let users look up people by their phone numbers and email addresses, then take information from their profiles.
From Schroepfer’s post:
Until today, people could enter another person’s phone number or email address into Facebook search to help find them. So we have now disabled this feature.
Burge tweeted today that while the ability to “search” for people using their phone number was turned off last year, it’s still possible to “look up” profiles using phone numbers stored in your phone:
Here's what the search/look-up difference appears to mean:— Jeremy Burge (@jeremyburge) March 5, 2019
What you can’t do now: 🔍❌ enter any phone number to “search” for matching profile/s
What you can still do now: 🔄🔍✅ Create an address book full of numbers, sync it to Facebook, and “look up” matching profiles
“This isn’t a mistake”
Facebook former chief security officer said that Facebook once had plans to segregate phone numbers provided for 2FA from those which users handed over for other purposes. So much for that – it’s now clear that Facebook made an intentional choice not to do so, he said:
There were hacky fixes put in place and there was supposed to be a big project to segregate numbers. This isn’t a mistake now, this is clearly an intentional product choice.— Alex Stamos (@alexstamos) March 2, 2019
Facebook never did replace Stamos. Too bad: as Stamos pointed out in another Tweet, this is a clear example of why companies need somebody devoted to advocating for security:
This is why tech companies need somebody advocating for security as a first-class goal in product, which is a different function than good security engineering. FB can’t credibly require 2FA for high-risk accounts without segmenting that from search & ads. https://t.co/CzDyuRInBU— Alex Stamos (@alexstamos) March 2, 2019
The privacy and safety repercussions
These are the privacy repercussions: if someone you know has used her phone number to turn on Facebook 2FA, and if you’ve allowed the Facebook app to access your contacts on your phone, it will see your friend’s phone number and offer to connect the two of you – in spite of your friend not having offered to make her phone number available for looking her up.
This doesn’t just lead to potentially awkward situations, such as when you’re not real-life friends with the person whom Facebook suggests you link up with… as pointed out by security expert and academic Zeynep Tufekci, it can prove dangerous for people who need to stay hidden:
Yep. I can no longer keep keep private the phone number that I PROVIDED ONLY FOR SECURITY to Facebook. ZERO notification of this major, risky change. For years I urged dissidents at risk to use 2FA on Facebook. They were afraid of this. @Facebook doesn't care about their safety. pic.twitter.com/lW8wjBJlfz— zeynep tufekci (@zeynep) March 3, 2019
What to do?
If you choose to remove your phone number from your account, you can’t use it to recover the account or use SMS-based 2FA.
The good news is that in May 2018, Facebook made it easier to use third-party authentication apps for 2FA – such as, for example, Google Authenticator, Authy, Duo Security, or Sophos Authenticator (here are the links for the iOS and the Android version).
That doesn’t necessarily mean that profiles aren’t findable by phone number search, though. As Burge pointed out, phone numbers have been used throughout Facebook’s other apps, including WhatsApp and Instagram. And even if you don’t give Facebook your number, a friend who shares their address book with one of Facebook’s apps might do it for you.
You can at least mitigate the fallout by limiting who can look you up by using your phone number.
Go to Settings > Privacy > How people can find and contact you. Set the drop down next to Who can look you up using the phone number you provided? to “Friends,” rather than “Everyone” or “Friends of friends.” As it is, Facebook has the setting set to “Everyone” by default.
If you’re concerned about which privacy and security settings to focus on in Facebook, you might be interested in our guide to protecting your account.