The problem: Facebook asks users to provide a mobile phone number so that it can secure their accounts using 2FA, but it then uses phone numbers it collects for other purposes that are not prominently disclosed to users.
Last year, researchers learned that Facebook was using 2FA phone numbers as part of its multi-billion dollar advertising business. Now, it has been discovered that the social networking giant is also using phone numbers collected for 2FA purposes in an arguably even more disturbing way. Specifically, phone numbers provided for 2FA purposes are applied to the company's profile look-up functionality, enabling users to locate other users' profiles by phone number.
Phone numbers also feed Facebook's suggested friends feature, so as 9to5 Mac explains, "What this means is that if someone else uploads their contacts to Facebook – something the company encourages new users to do as a way of finding friends – you will pop up as a suggested friend if you use your phone number for 2FA." By default, phone numbers are searchable by "everyone" on Facebook, and there's no way to opt out of phone number use entirely.
According to the EFF, this is clearly "in defiance of user expectations and security best practices."
Facebook's apparent willingness to use data in this way, even in the face of criticism that seems reasonable, raises questions about how data collected for one purpose can and should be used for other purposes.
Facebook, as well as other tech giants such as Google, often collect information from their users, such as mobile phone numbers, to verify their identities and secure their accounts. But the broad and seemingly ever-growing scope of their businesses offers a strong incentive to take that data and commingle it with other data sets collected for various purposes. Once commingled, these companies can more easily connect the proverbial dots about their users, allowing them in many cases to develop surprisingly detailed internal profiles.
These internal profiles can be used for a variety of purposes that have privacy implications, such as ad targeting.
Mark Risher, head of Privacy & Security for Google, last year claimed that the search giant has never used data collected for 2FA purposes in ways like Facebook. After the revelation that the social networking firm used phone numbers provided for 2FA for advertising purposes, he contrasted Google's stance with Facebook's.
"Our privacy focus has always been rooted in being extremely, excruciatingly transparent about what information we collect, why we're collecting it, how it's going to be used, and providing easily accessible control so that anyone who wants to change how their information is being used can do it with a couple of clicks," Risher told Mashable.
Risher's statements might be true, but users have little way of determining how their information is being used behind the scenes to ensure it's used in a manner consistent with their expectations.
Are companies accurately tracking the purposes for which data was collected, and if so, how? Is data collected from users for limited purposes, such as 2FA, stored in the same databases as data collected for other purposes? If data is segregated in some way based on how and why it was collected, is it accessible to other systems via internal and external APIs? If so, how is the use of that data controlled and monitored to ensure those systems use it in appropriate, permissible ways?
These are important questions that companies should be answering internally and disclosing publicly.
If they don't, there is the risk that as more users become aware of the fact that information they provide for security purposes could be used in ways they don't approve of, they will come to distrust security measures like 2FA.
While the efficacy of 2FA has become the subject of debate and certainly isn't perfect, the possibility that users will be reluctant to embrace measures designed to protect them should concern companies like Facebook and Google, and serve as a reminder that when they too aggressively try to connect the personal dots of their users, they could actually be jeopardizing their relationships with users and the security of their services.