Facebook is in hot water once again for how it is using the phone number users may have only provided to Facebook for security reasons.
On Twitter on Friday, Jeremy Burge, the editor of Emojipedia, called out Facebook for its phone number lookup settings. Burge found that there is no way to entirely opt out of this setting, which governs the ability of other users to find your Facebook profile by entering your phone number in search. The best you can do is limit who can do this to “Friends.”
What’s potentially most concerning is that some people may have only given Facebook their phone numbers to enable Two-Factor Authentication (2FA). That is, they gave their phone number to Facebook for security, and Facebook continues to prove that it’s using that number for much more.
Facebook prompts users to add their phone numbers for 2FA security. However, researchers and users have discovered that Facebook was actually using the phone numbers they may have only provided for 2FA for more.
In February 2018, Facebook admitted that it was using 2FA-provided numbers to send users spammy text messages; Facebook ultimately said this was a “bug.” In September 2018, Gizmodo reported on researchers’ discovery that Facebook was using phone numbers for ad targeting. Once again, Facebook was using a phone number, which users provided for security, for their own financial gain.
Currently, when Facebook prompts users to add their phone numbers for 2FA, they say “Add your phone number to help secure your account and more” (emphasis Mashable’s). However, Burge claimed on Twitter that they only recently added the “and more” language. Mashable has reached out to Facebook to ask whether and when it may have made that “and more” change.
Still, adding a vague catch all to a security prompt is a pretty weak defense of the tech giant’s activities. Facebook is saying these days that it is all about “transparency.” But two words — “and more” — that fail to disclose what the company might actually be doing with your personal invitation is just like the problems tech companies including Facebook have run into with Terms of Service: they’re technically covered, but don’t actually provide clarity or control to users.
Mashable has asked Facebook whether it is planning to allow users to disable phone number lookup entirely, and will update this story when we hear back. Facebook users also can’t entirely opt out of email address look ups.
For now, if you don’t want people to be able to find your Facebook profile using your phone number (or email address), you can limit that setting to just Friends here. You also no longer have to use a phone number to enable 2FA; Facebook added support for 2FA apps including Google Authenticator and Duo Mobile in May 2018.