Here’s the latest from Facebook:
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge 🐥🧿 (@jeremyburge) March 1, 2019
For years, Facebook has been badgering its users to set up two-factor authentication, which is indeed considered best practice for online security. This requires you to give Facebook your phone number so that they can text you a passcode to log in to your account.
But last year we learned that Facebook had made all these phone numbers available to advertisers so they could target ads. Now it turns out that even if you never added your phone number to your profile, other people can still look you up by it.
Is this a big deal? In and of itself, maybe not. But there are two big harms here anyway. First, Facebook has once again revealed personal information without asking permission. The default should be to keep security information completely private unless you explicitly give permission to share it. But in this case it’s not. And not only is the default set to make it shareable, there’s not even a way to change it once you discover what’s going on.
Second, this kind of behavior will rightfully make people suspicious of security enhancements. It’s in everyone’s best interest to improve online security, and we should always feel confident that online companies are at least doing their best to keep our security information safe and private. Once again, though, Facebook has blown up this implicit contract in order to improve its bottom line by a few dollars. Nice work, guys.