We’ve all given our number to someone and then regretted it later.
Today, that person is Mark Zuckerberg.
Facebook is in trouble – yes, again – over privacy concerns.
This time it’s because millions of users who handed over their phone number were promised that it would only be used for security purposes – specifically, for two-factor authentication, where you get a text message if there’s a login attempt on your account. It has now emerged that a default privacy setting lets anyone who has your phone number use it to look you up, and you can’t turn it off completely.
IT news site The Register explains it most clearly:
[I]f someone you know – let’s call her Sarah – has given her number to Facebook for two-factor authentication purposes, and you allow the Facebook app to access your smartphone’s contacts book, and it sees Sarah’s number in there, it will offer to connect you two up, even though Sarah thought her number was being used for security only, and not for search.
So yeah, that creepy guy you went on one Tinder date with can plug in his contacts and he’ll be pointed right at your Facebook page, even if you’re not searchable, or if your display handle is a sneaky nickname instead of your IRL name.
This is an especially bad oversight given that the company switched off phone number and email searches last year in the middle of the Cambridge Analytica scandal.
The problem was originally spotted by Jeremy Burge, the Melbourne-born founder of Emojipedia.
Facebook 2FA numbers are also shared with Instagram which prompts you 'is this your phone number?' once you add to FB.
— Jeremy Burge (@jeremyburge) March 1, 2019
The original FB phone number prompt never mentioned "and more". It was shown for MONTHS before a link was added in September 2018 clarifying "actually we'll use this wherever we damn well please" pic.twitter.com/FcOTIZdVf5
— Jeremy Burge (@jeremyburge) March 1, 2019
Using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries. One unique ID that is used to link your identity across every platform on the internet.
That is why every startup wants your phone number.
— Jeremy Burge (@jeremyburge) March 1, 2019
It's shocking that this one number is used for usernames, authentication (2FA), advertising tracking, geolocation and more. And it's the same piece of info you have to give to a random plumber to come and fix the boiler.
— Jeremy Burge (@jeremyburge) March 1, 2019
In a statement provided to media, Facebook acknowledged people weren’t happy about the lack of transparency, but didn’t sound particularly apologetic:
“In April 2018, we removed the ability to enter another person’s phone number or email address into the Facebook search bar to help find someone’s profile. Today, the ‘Who can look me up?’ settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we’ve received about these settings and will take it into account.”
So what can you do?
Not much, to be honest. You can change the setting so that only people you’re already friends with can look you up by phone number, and you can set up two-factor authentication that uses an app instead of your phone number.
Other than that, if you want to keep using Facebook, you’re still at the mercy of whatever Zuckerberg feels like doing with your data.