Facebook has auto-enabled an option that allows the social network to use a user’s phone number to match them to people they may know, even if that user only gave their phone number to enable SMS-based two-step verification.
And as long as a user has given Facebook their phone number, there is no way to opt out of this completely.
It is yet another privacy misstep from Facebook, and, frustratingly, one that closely resembles other contentious privacy decisions the social network has made.
So what has Facebook done this time?
Facebook offers a number of ways for its users to beef up the security on their accounts; one popular method is SMS-based two-step verification. Users give their phone number to Facebook, and Facebook texts a code to that number whenever someone tries to log in to the account from an unrecognised device. The person logging in therefore needs both the account password and the login code sent via SMS.
This is an effective way of keeping crooks out of your account, because even if someone somehow obtains the account password, they probably won’t have the all-important SMS code. (It is not foolproof: SMS codes can be diverted by SIM-swap attacks or intercepted in transit, which is one reason an authenticator app is the stronger choice, as discussed below.)
Generally, this is something we recommend enabling.
It is widely expected that a site offering this service will keep the phone numbers users provide for two-step verification segregated from other parts of the site, such as advertising or tracking features. In short: if a user provides their phone number for account security, it should be used only for account security.
But Facebook hasn’t done this?
No. Security and privacy experts recently noticed a slight change in wording when Facebook prompted users to enter their phone numbers to help keep their accounts secure. Then a previously retired privacy option re-emerged, asking users “who can look you up using the phone number you provided”, with no option to select ‘No One’ or ‘Just Me’. The strictest option available is ‘Friends’, and, of course, Facebook defaults it to ‘Everyone’.
You can no longer type a phone number into Facebook and get the matching profile back, as you once could, but it appears that Facebook still uses the number that was provided purely for security purposes to link users to one another. For example, if User A provides their phone number to enable SMS two-step verification and that same number appears in User B’s uploaded address book, Facebook will match the two. Facebook has now linked those two people on the basis of information that should only ever have been used for account security.
What can I do?
We still recommend enabling two-factor authentication on important online accounts, preferably with something stronger than an SMS code.
First, if you do use SMS-based two-step verification, you can limit what Facebook does with your phone number by setting the privacy option to “Friends” rather than the default “Everyone”. Go to Settings, select Privacy, find the “who can look you up using the phone number you provided” option and select “Friends”.
Fortunately, Facebook supports types of 2FA other than an SMS login code. You can use a third-party authenticator app such as Google Authenticator on your smartphone. These generate a fresh code each time you need to log in, without an SMS and, more importantly, without giving Facebook your phone number. So you can remove your number from Facebook and still keep two-factor authentication enabled. We have a tutorial on how to set that up right here for you.
Of course, this doesn’t mean Facebook no longer has your phone number. If someone who has your number has also given the Facebook or Facebook Messenger app permission to upload their contacts, the social network more than likely still knows it.
Another option, of course, is to leave Facebook altogether, as many privacy experts now advise. The social network shows few signs of ever really changing its sluggish, reactive approach to online privacy, as this latest revelation demonstrates.