Facebook will stop mining contacts with your 2FA number

Did you know that when you use your phone to authenticate your Facebook login, the company feeds the number into its friend suggestions feature? Neither did most other people until the social media giant told Reuters about it this week.

Facebook operates a two-factor authentication (2FA) system that lets users add a second authentication channel to their account. Instead of relying solely on a username and password, they can also set their account to require a login code from a third-party authentication app, or a code sent via SMS text message to their phone.

It’s the phone number part that’s a problem.

Facebook clearly likes to use as much of your personal data as it feels it can, and that includes the phone number linked to your 2FA setting. A study by researchers at Princeton and Northeastern universities released in May 2018 found that the company had been using these 2FA phone numbers to serve advertisements. What’s worse is that you couldn’t register for the 2FA service without a phone number until Facebook changed its policy in May 2018.

When it fined Facebook $5bn in July 2019, the FTC also made it promise not to do that anymore. The 20-year settlement order that the Commission submitted said that Facebook:

[…] shall not use for the purpose of serving advertisements, or share with any Covered Third Party for such purpose, any telephone number that Respondent has identified through its source tagging system as being obtained from a User prior to the effective date of this Order for the specific purpose of enabling an account security feature designed to protect against unauthorized account access (i.e., two-factor authentication, password recovery, and login alerts).

So it stopped. So far, so good. But in an interview with Reuters, Facebook’s chief privacy officer Michel Protti explained that the company had also been feeding those numbers into its ‘people you may know’ feature, which suggests friends for you to connect with on the platform.

This is all part of a wide-ranging effort to improve the company’s privacy, Protti told Reuters. How safe does it make you feel? A lot of people will have had no idea that it was using peoples’ 2FA details in this way. You can file this little gem under “you were doing what, now?”

Facebook will flip the off-switch on that data usage over the next few months, beginning in Ecuador, Ethiopia, Pakistan, Libya and Cambodia next week and going global next year.

Reuters said that if you’ve already given the social media platform your number as part of the 2FA service then the change won’t be retroactive – you’ll have to go into your settings manually, delete your number, and enter it again.