As Part of a Pending FTC Settlement, Facebook Agrees Not to Exploit Information Provided for Security Purposes, With Caveats

In 2018, Kashmir Hill reported for Gizmodo that Facebook was allowing advertisers to target users based on user data provided solely — according to Facebook — for security purposes, such as two-factor authentication phone numbers. Additional reporting by Zack Whittaker of TechCrunch from earlier this year indicated that Facebook indexed two-factor phone numbers in their friend finder tool, without a way to opt out.

Katie Paul, Reuters:

Facebook Inc will no longer feed user phone numbers provided to it for two-factor authentication into its “people you may know” feature, as part of a wide-ranging overhaul of its privacy practices, the company told Reuters.


It had already stopped allowing those phone numbers to be used for advertising purposes in June, the company said, and is now beginning to extend that separation to friend suggestions.

I believe this is the first explicit acknowledgement that two-factor phone numbers were being used for People You May Know, in addition to the ways in which they were previously exploited.

Sounds good, right? Well, this is Facebook, so it's not like this change is available now and applies to all accounts:

Michel Protti, a long-time Facebook executive who took over as chief privacy officer for product this summer and is leading the overhaul, told Reuters the two-factor authentication update was an example of the company’s new privacy model at work.

The change – which is happening in Ecuador, Ethiopia, Pakistan, Libya and Cambodia this week and will be introduced globally early next year – will prevent any phone numbers provided during sign-up for two-factor authentication from being used to make friend suggestions.

Existing users of the tool will not be affected, but can de-link their two-factor authentication numbers from the friend suggestion feature by deleting them and adding them again.

So, unless you reconfigure your two-factor authentication settings — and live in one of the five named countries — the phone number you thought would be used solely for security will keep being usurped for building Facebook’s people-finding tools.

If this is an example of Facebook’s radical new privacy-focused business model, well, that seems about right to me.