Facebook is facing criticism for not allowing users to opt out of a feature that lets people look them up using their phone number or email address.
This includes users who added their phone numbers only to set up two-factor authentication and believed the numbers would be used only for security purposes. Two-factor authentication is an optional feature that requires both a password and a one-time code sent to a mobile device to log in.
While Facebook said the settings aren’t new, the news about their existence circulated this weekend on social media.
Jeremy Burge, chief emoji officer at emoji-reference website Emojipedia, shared a screenshot of the phone number look-up setting over the weekend, sparking backlash from other Facebook users.
He tweeted: “For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that.”
Users can specify who they want to share the phone number or email address with — “Everyone,” “Friends of Friends,” or “Friends” — under the Privacy settings, but there is no way to opt out entirely.
A company spokesperson told CNN Business the feature is supposed to make it easier to find people you know but aren’t yet friends with on Facebook. For example, users could upload their mobile phone contacts to Facebook to search for friends or message a phone number on the Messenger app.
The spokesperson said there was never a way to add a phone number only for two-factor authentication, also called 2FA, and users assumed it would be exclusively used for security purposes. If people choose to implement two-factor authentication with a phone number, they must add the number to their Facebook profile.
Some security experts strongly criticized Facebook’s actions.
“It’s obvious that if you are providing a number for 2FA (which is a standard practice) that the number wouldn’t be used for other purposes without consent,” said Marty Puranik, cybersecurity expert and CEO of Atlantic.Net, a cloud computing and hosting services provider. “No other entity does this, it’s not industry standard, and of course is yet another way Facebook compromises user information.”
“It could also be a test by Facebook to see how far it can go, or what it can get away with,” he added.
Last year, Facebook said it added the ability to set up 2FA on an account without registering a phone number — you can use third-party authentication apps instead. It also removed the ability to enter someone’s phone number and email address into the Facebook search bar to help find them on the platform amid broader privacy concerns.
“Today, the ‘Who can look me up?’ settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we’ve received about these settings and will take it into account,” a Facebook spokesperson said in a statement.
This isn’t the first time 2FA phone numbers have been used for other purposes. Last year, Gizmodo reported that when Facebook users entered a phone number for two-factor authentication or to get alerts about new log-ins to their account, advertisers were able to target that number. Gizmodo cited Princeton University researchers who tested how providing contact information to Facebook in different ways could be used by advertisers.
Facebook confirmed phone numbers may be used to inform ads personalization.