When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security
'This isn’t a mistake now, this is clearly an intentional product choice' says ex-CSO Stamos
Another week, another Facebook privacy storm.
This time, the Silicon Valley giant has been caught red-handed using people's cellphone numbers, provided exclusively for two-factor authentication, for targeted advertising and search – after it previously insinuated it wouldn't do that.
Folks handing over their mobile numbers to protect their accounts from takeovers and hijackings thought the contact detail would be used for just that: security. Instead, Facebook is using the numbers to link netizens to other people, and target them with online ads.
For example, if someone you know – let's call her Sarah – has given her number to Facebook for two-factor authentication purposes, and you allow the Facebook app to access your smartphone's contacts book, and it sees Sarah's number in there, it will offer to connect you two up, even though Sarah thought her number was being used for security only, and not for search. This is not a particularly healthy scenario, for instance, if you and Sarah are no longer, or never were, friends in real life, and yet Facebook wants to wire you up anyway.
Following online outcry over the weekend, a Facebook spokesperson told us today: "We appreciate the feedback we've received about these settings, and will take it into account."
Don't hold your breath.
Outrage over Facebook's phone-number slurping was sparked on Friday by Emojipedia founder Jeremy Burge, who publicly criticized Mark Zuckerberg's information-harvesting operation for making users searchable via phone numbers submitted for the ostensible purpose of account security.
"For years Facebook claimed that adding a phone number for 2FA was only for security," he said via Twitter. "Now it can be searched and there's no way to disable that."
Facebook had partly disabled such phone-number searches in the past, preventing people from finding someone's profile directly from their number: in April 2018, the ad biz said it had switched off phone number search following the Cambridge Analytica scandal, citing abuse. "Until today, people could enter another person’s phone number or email address into Facebook search to help find them," said CTO Mike Schroepfer in a blog post at the time. "So we have now disabled this feature."
What remains is that Facebook will still use submitted phone numbers to suggest friend connections to people who upload matching contact information, even if the friend in question only provided the phone number for 2FA account security.
"Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone," a Facebook spokesperson explained to The Register on Monday in an email.
"Control" in this case doesn't mean limiting phone number usage entirely; it means a menu that makes the number available to "Everyone," "Friends of Friends," or just "Friends" during a contact upload lookup. Users have the option to remove their phone number from their account, though that would preclude using it for account recovery. As of May last year, Facebook began providing support for 2FA without a phone number via authenticator apps. So you can keep multi-factor authentication on Facebook without a phone number on file: remove the phone-based 2FA and re-enable it using an authenticator app.
In any event, it may still be possible to abuse Facebook's friend-finding feature by uploading large numbers of contacts via a mobile phone in the hope that Facebook will return a useful response for some of them. Also, searching by phone number on WhatsApp works if you uploaded that number when you uploaded that person's contact information.
Facebook last year amended its solicitation to submit a phone number with a link explaining that the number would be used for other purposes. As Facebook explains on a support page, it uses phone numbers for account security, to help friends find you, and for account recovery.
The devil is in the details
Not mentioned on its help page is the fact that Facebook uses phone numbers for advertising. Researchers from Princeton University and Northeastern University in the US last year examined how Facebook uses personally identifiable information supplied by users.
They found "that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor authentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends’ uploaded contact databases are all used by Facebook to allow advertisers to target users."
According to Alex Stamos, Facebook's former chief security officer, the antisocial network at one point planned to segregate phone numbers provided for 2FA from phone numbers provided for other purposes, but that now no longer seems to be the case.
"This isn’t a mistake now, this is clearly an intentional product choice," he said via Twitter, adding that Facebook needs someone in the product design chain advocating for security. "[Facebook] can’t credibly require 2FA for high-risk accounts without segmenting that from search and ads," he said.
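The segmentation Stamos is asking for, sketched as an added example (my own illustration for this article, not Facebook's code or any real system's): every stored phone number carries the purpose(s) the user granted, a 2FA-only number never surfaces in contact-upload matching, the "Who can look me up?" audience setting gates which discoverable numbers a given uploader can match, and a per-uploader lookup budget blunts the bulk-contact-upload trick mentioned earlier. The user names, numbers and friendship graph are constructed sample data; the class and method names are my own.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum, auto


class Purpose(Enum):
    """What the user handed the number over for (purpose binding)."""
    TWO_FACTOR = auto()   # account security only
    RECOVERY = auto()     # password / account recovery
    DISCOVERY = auto()    # "help friends find you" via contact-upload matching


class Audience(Enum):
    """The 'Who can look me up?' setting described in the article."""
    EVERYONE = auto()
    FRIENDS_OF_FRIENDS = auto()
    FRIENDS = auto()


@dataclass(frozen=True)
class PhoneRecord:
    owner: str
    number: str                    # assumed already E.164-normalised by the caller
    purposes: frozenset            # frozenset of Purpose values
    audience: Audience = Audience.FRIENDS


class LookupBudgetExceeded(Exception):
    """Raised when one uploader tries to match more contacts than allowed."""


class PhoneDirectory:
    """Purpose-bound phone store: every read must name the purpose it serves."""

    def __init__(self, friends, max_lookups_per_uploader=100):
        self._by_number = {}                 # number -> PhoneRecord
        self._friends = friends              # user -> set of friends (assumed symmetric)
        self._max = max_lookups_per_uploader
        self._used = defaultdict(int)        # uploader -> contact lookups spent

    def add_number(self, owner, number, purposes, audience=Audience.FRIENDS):
        self._by_number[number] = PhoneRecord(owner, number, frozenset(purposes), audience)

    def number_for(self, owner, purpose):
        """Return the owner's number only if this purpose was granted for it."""
        for rec in self._by_number.values():
            if rec.owner == owner and purpose in rec.purposes:
                return rec.number
        return None

    def remaining_budget(self, uploader):
        return self._max - self._used[uploader]

    def _audience_allows(self, rec, uploader):
        if rec.audience is Audience.EVERYONE:
            return True
        owner_friends = self._friends.get(rec.owner, set())
        if uploader in owner_friends:
            return True                      # FRIENDS and FRIENDS_OF_FRIENDS both allow a friend
        if rec.audience is Audience.FRIENDS_OF_FRIENDS:
            return bool(owner_friends & self._friends.get(uploader, set()))
        return False

    def match_uploaded_contacts(self, uploader, numbers):
        """Friend suggestions from an uploaded contact list.

        Only DISCOVERY-purpose numbers are consulted, each match is gated by the
        owner's audience setting, and the uploader's lookup budget is charged
        up front so bulk uploads cannot enumerate the directory.
        """
        if self._used[uploader] + len(numbers) > self._max:
            raise LookupBudgetExceeded(uploader)
        self._used[uploader] += len(numbers)
        suggestions = []
        for n in numbers:
            rec = self._by_number.get(n)
            if rec is None or Purpose.DISCOVERY not in rec.purposes:
                continue                     # 2FA-only numbers are invisible here
            if self._audience_allows(rec, uploader):
                suggestions.append(rec.owner)
        return suggestions


def build_sample_directory():
    """Constructed sample data: four users, three stored numbers."""
    friends = {"alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"}, "sarah": set()}
    d = PhoneDirectory(friends, max_lookups_per_uploader=5)
    d.add_number("sarah", "+15550000001", {Purpose.TWO_FACTOR})                  # security only
    d.add_number("bob", "+15550000002", {Purpose.TWO_FACTOR, Purpose.DISCOVERY}, Audience.FRIENDS)
    d.add_number("carol", "+15550000003", {Purpose.DISCOVERY}, Audience.FRIENDS_OF_FRIENDS)
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    # Alice uploads all three numbers: Sarah's 2FA-only number never matches,
    # Bob matches as a friend, Carol matches as a friend of a friend.
    print(d.match_uploaded_contacts("alice", ["+15550000001", "+15550000002", "+15550000003"]))
```

The point of the design is that the 2FA login path calls `number_for(owner, Purpose.TWO_FACTOR)` and the friend-finder only ever sees records tagged `DISCOVERY`, so "required for account security" and "searchable" are decided by separate grants rather than by one shared field.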
The Register asked Facebook to respond to the tweet from Stamos but Facebook's spokesperson didn't answer.
All of this is taking place as Facebook pushes ahead with a plan to consolidate its user data across Facebook, Instagram and WhatsApp, in an effort to blunt the impact of Europe's GDPR privacy regime. That's a goal Facebook COO Sheryl Sandberg has reportedly been pursuing for years, as a recently revealed cache of documents suggests. ®