Naked Security

Facebook will stop mining contacts with your 2FA number

Facebook clearly likes to use as much of your personal data as it feels it can, and that includes the phone number linked to your 2FA setting.

Did you know that when you use your phone to authenticate your Facebook login, the company feeds the number into its friend suggestions feature? Neither did most other people until the social media giant told Reuters about it this week.

Facebook operates a two-factor authentication (2FA) system that lets users require a second factor at login. Instead of relying solely on a username and password, they can set their account to also demand a one-time code, either generated by a third-party authenticator app or sent to their phone as an SMS text message.

It’s the phone number part that’s a problem.

A study by researchers at Princeton and Northeastern universities released in May 2018 found that the company had been using these 2FA phone numbers to serve advertisements. What’s worse is that, until Facebook changed its policy in May 2018, you couldn’t register for 2FA without supplying a phone number at all.

When it fined Facebook $5bn in July 2019, the FTC also made it promise not to do that anymore. The 20-year settlement order that the Commission submitted said that Facebook:

[…] shall not use for the purpose of serving advertisements, or share with any Covered Third Party for such purpose, any telephone number that Respondent has identified through its source tagging system as being obtained from a User prior to the effective date of this Order for the specific purpose of enabling an account security feature designed to protect against unauthorized account access (i.e., two-factor authentication, password recovery, and login alerts).

So it stopped. So far, so good. But in an interview with Reuters, Facebook’s chief privacy officer Michel Protti explained that the company had also been feeding those numbers into its ‘people you may know’ feature, which suggests friends for you to connect with on the platform.

Protti told Reuters that this is all part of a wide-ranging effort to improve privacy for the company’s users. How safe does that make you feel? Most people will have had no idea that Facebook was using their 2FA details in this way. You can file this little gem under “you were doing what, now?”

Facebook will flip the off-switch on that data usage over the next few months, beginning in Ecuador, Ethiopia, Pakistan, Libya and Cambodia next week and going global next year.

Reuters said that if you’ve already given the social media platform your number as part of the 2FA service, the change won’t be retroactive: you’ll have to go into your settings manually, delete your number, and enter it again.

6 Comments

This seems to go to the heart of the balance between privacy and security.

To ensure privacy you may split your activities over multiple accounts using different log-in details (and passwords, of course). You may even use a VPN to hide your IP address to stop the likes of Facebook and co. aggregating details from one IP address as all potentially belonging to one advertising target. That is as much as you can do to, for instance, keep your business, activist and social lives apart on the internet.

Then you sign up to 2FA with one telephone number (or one “key” etc.) and immediately you have provided all these data aggregators with a means to aggregate your different online personas!

I have a “burner phone” and PAYG SIM card just for my main Google account (the others are unsecured by 2FA); but how many more phones, YubiKeys etc. must I both have and carry with me?

I had to change my Facebook account because I had to get a new phone and number. Now I can’t log in to any of my accounts. Please help me; I can’t get in contact with anyone. It keeps saying to enter a valid phone number and it will not let me put my phone number in, and my old phone doesn’t show anything on the screen, so I can’t get into my old account.

Good ol’ bait-and-switch. Facebook tells you they are going to secure your account, and then goes beyond that into unethical territory. I’m hoping regulators are going to come down on them harder the more stuff like this is exposed.

Yawn. Some people are just privacy freaks who really should not be on Facebook at all in the first place. I use 2FA and I really don’t care if they use it for friend suggestions.

Never trust a company that you are the product of.
It would make an interesting article if someone wrote one about where we (consumers) are the product, but people think the company is a service to them. I wonder if cattle think that the farmers are there to care for them and their interests.
