Last September, Facebook drew fire for abusing the phone numbers users provided for two-factor authentication messages, sending spam advertising messages over the same channel. Now, rather than reforming its ways, Facebook has doubled down on poisoning the security well, by adding a no-opt-out policy of allowing anyone in the world to search for you by phone number if you provide that number for two-factor auth.
This feature has been around for a long time (Facebook promised to remove it in the wake of the Cambridge Analytica scandal), but what's changed is that Facebook is now requiring some users to turn on two-factor authentication (which is a good practice, though SMS provides the worst security of all 2FA methods); that means that millions of Facebook users are now exposing themselves to potentially serious privacy risks as a condition of securing their Facebook accounts.
We are in a great race to improve computer security before the existing bad-security debt comes due, creating breach-quakes that make all the infosec disasters to date look like the mere tremors that they are. Educating users about 2FA is a huge part of that process, and Facebook is poisoning the well, just because.
This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security is a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire.
"Phone number is such a private, important security link," Zeynep Tufekci, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
Facebook Doubles Down On Misusing Your Phone Number [Gennie Gebhart/EFF Deeplinks]
Facebook's Phone Number Policy Could Push Users to Not Trust Two-Factor Authentication [Lorenzo Franceschi-Bicchierai/Motherboard]