Privacy and security usually go hand in hand, but Facebook seems determined to destroy that relationship. Last year, the company encouraged users to submit their phone numbers in order to set up two-factor authentication – a security feature that helps people better protect their online accounts. Now it's been discovered that Facebook has been using these same phone numbers as part of an invasive lookup tool that can't be turned off.
The discovery was made by @jeremyburge on Twitter, who noticed while going through his Facebook settings that there's no way to stop others from searching for your Facebook profile via your phone number.
His tweet thread shows that when you give Facebook your phone number, it defaults to allowing everyone to search for your Facebook profile via that number. While you can update this setting and restrict the search to your Facebook friends, there's no way to disable it completely.
This is particularly concerning when you consider that last year, Facebook prompted users to submit their phone number with the on-site message: “Add your phone number to help secure your account.”
At the time, this was the only way for Facebook users to enable two-factor authentication and the messaging gave users the false impression that this phone number was only being used for security purposes.
Burge's revelation means that most of the users who submitted their phone number to secure their Facebook account were also inadvertently adding their profile to public Facebook search results based on this phone number.
Sadly, this isn't the first time Facebook has misled users who submitted their phone number for security purposes. Last year, it was discovered that Facebook was using phone numbers for ad targeting without making this clear to users.
Burge's tweet thread also shows examples of how Facebook shares this phone number with the Facebook-owned services Instagram and WhatsApp, and then goes on to discuss how the phone number is used as:
- A singular ID for linking user identities across every platform on the internet
- A security tool for receiving two-factor authentication
- A contact tool
- An ad tracking tool
- A geolocation tool
He goes on to highlight that since your phone number is used for a wide variety of purposes, it's very easy for Facebook and other third-party services to collect a range of personally identifiable information based on your phone number.
Burge ultimately suggests that because your phone number is the key to an invisible mesh of your data, you shouldn't hand it over to Facebook and other third-party services. Unfortunately, if you follow this advice, you'll often have to compromise on security.
Facebook originally required users to submit a phone number to enable two-factor authentication and many other third-party services have this same requirement. If you want the maximum level of security, you're often forced to hand over your phone number. However, as this Facebook example has shown, handing over your phone number makes you vulnerable to a wide range of potential privacy violations.
While Facebook now allows users to set up two-factor authentication without submitting a phone number, the damage has been done and the company has once again compromised user privacy under the veil of improving security. This privacy blunder is likely to cause many people to lose faith in the two-factor authentication process and make consumers more resistant to good security practices.