Over the weekend, Facebook users were freaked out to learn that, by default, the social network lets “Everyone” look them up using the phone number they provided for two-factor authentication (2FA). The lookup setting is presented as a privacy control, but because it cannot be switched off it works mainly as an ad-targeting channel and offers no privacy benefit of its own. There is still a way to protect yourself.
A Twitter thread by Emojipedia’s Jeremy Burge pointed out that the Facebook setting that controls who can look up your account by a phone number you’ve provided has no option to opt out of the “look up” feature entirely. The point of two-factor authentication is to add a second layer of login protection: in addition to a password, the user must enter a one-time code, which in Facebook’s SMS-based setup is texted to the phone number on file. Gizmodo first reported back in September that Facebook also uses those phone numbers to help it serve targeted ads and to suggest people users may know. As TechCrunch points out, the lack of any way to remove oneself from the “look up” feature prompted many users to cry foul, including Facebook’s former Chief Security Officer, Alex Stamos.
When you enter a phone number on Facebook, you’re given the option to choose who can see that number on your profile’s “About” page. You can choose “Only me,” and you might think that hides the number and that it will only be used for two-factor logins. But buried within Facebook’s nesting-doll settings, under Privacy Settings and Tools, there’s another option. It asks, “Who can look you up using the phone number you provided?” and there is no “No one” choice. The setting defaults to “Everyone,” which allows advertisers to upload their own contact lists, including phone numbers, for Facebook to cross-reference against accounts and use for ad targeting. For example, a politician might provide Facebook with a mailing list of like-minded people to whom they would like to serve an ad on a Facebook product or across the ad network Facebook runs around the web.
The most private setting you can choose is “Friends,” which still lets anyone on your friends list look you up by that number.
In just the last year, Facebook has admitted to two separate data breaches affecting a combined total upwards of 137 million people. One would think that Facebook would want to build privacy tools that are purely about privacy and give users no reason to avoid them. But this is Facebook, and it always has an ulterior profit motive. Beyond ad targeting, the company also came under criticism last February when its 2FA tool began spamming users with text messages; it later attributed the issue to a “bug.” On Saturday, Stamos framed the situation as one in which Facebook is undermining the security of its own tool, tweeting:
This is why tech companies need somebody advocating for security as a first-class goal in product, which is a different function than good security engineering. FB can’t credibly require 2FA for high-risk accounts without segmenting that from search & ads.
The bottom line is that you should absolutely use two-factor authentication on your Facebook account, but take your phone number out of the equation. To do that, install a third-party authenticator app such as Google Authenticator or Duo Mobile on your phone. Then go to this Facebook page and click the “Get Started” button. Choose the “Authentication App” option and click Next. You can then either type the setup key into the app or use the app to scan the QR code Facebook displays; either way, the app stores the shared secret and is linked to your account. From then on, when 2FA is needed to log in, the app generates a unique, short-lived code for you to enter, and no text message is involved.
Granted, 2FA with a phone number is simpler and more intuitive, but a third-party authenticator app is the safer choice here: its codes are generated on your device rather than sent over the phone network, it doesn’t expose you to even more creepy ads, and a tool that does only one thing has fewer places for function-breaking bugs to hide.
I also understand that we’re all overwhelmed by privacy-invading services, so if you insist on continuing to use your phone number for 2FA, at least go to the preferences page and adjust the ad settings to disallow the targeting options.
Facebook reportedly has big plans to integrate its Instagram, Messenger, and WhatsApp products in the near future, and it’s entirely possible that it would use its leverage over billions of users to require a phone number as a unique ID for that mega-platform. We asked Facebook whether it has plans to do that, but it did not respond to any of our questions for this story. All we know is that the more people show they’re unwilling to hand over a phone number to an untrustworthy company, the more likely Facebook is to do the right thing.