Facebook has come under fire once again for breaching users' trust by misusing their data, this time through its handling of two-factor authentication (2FA).
In recent years, internet-based companies have told consumers to use two-factor authentication to secure their online accounts. 2FA is an additional layer of security beyond the standard password-only approach: the username-and-password model is extended with a second means of authentication that requires the user to supply an additional piece of information.
In recent days, TechCrunch highlighted an issue with Facebook's use of two-factor authentication. Facebook has been using people's cellphone numbers – provided solely for the purpose of 2FA – for targeted advertising and search.
How It Works
Let's say a user associates their cellphone number with their Facebook account for the purpose of 2FA. If a second user has allowed the Facebook app access to their phone's contacts list, and the first user's number appears in that list, the app will suggest connecting the two users.
This shows that the company is using cellphone number data for search when that data was provided in good faith by users on the understanding that it would be used for security purposes.
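As an added illustration (not code from the article, Facebook or TechCrunch), the constructed Python model below contrasts the behaviour described above with a purpose-segmented design of the kind Alex Stamos calls for later in the article: a number stored with only a 2FA purpose is matched against uploaded contacts in the first case and excluded in the second. The user IDs, purpose labels and phone numbers are all made up.

```python
from dataclasses import dataclass
from hashlib import sha256

# Constructed purpose labels: what a stored number may be used for.
TWO_FA = "2fa"
DISCOVERY = "contact_discovery"


@dataclass(frozen=True)
class StoredNumber:
    user_id: str         # hypothetical account identifier
    number: str          # stored in E.164 form, e.g. "+15550000001"
    purposes: frozenset  # purposes the owner consented to


def normalize(raw: str) -> str:
    """Canonicalise a dialled string to '+<digits>'.
    Assumes the input already carries its country code, so
    '+1 (555) 000-0001' and '+15550000001' compare equal."""
    return "+" + "".join(ch for ch in raw if ch.isdigit())


def fingerprint(number: str) -> str:
    """Hash the normalised number, as uploaded contacts are usually compared by digest."""
    return sha256(normalize(number).encode()).hexdigest()


def suggest_connections(uploaded_contacts, directory, enforce_purpose):
    """Return sorted user_ids whose stored number appears in the uploaded contacts.
    enforce_purpose=False reproduces the behaviour the article describes: every
    stored number is matchable, including those given only for 2FA.
    enforce_purpose=True is the segmented design: a number is only matchable
    when its owner consented to contact discovery."""
    wanted = {fingerprint(c) for c in uploaded_contacts}
    matches = []
    for rec in directory:
        if enforce_purpose and DISCOVERY not in rec.purposes:
            continue  # number was collected for 2FA alone; not usable here
        if fingerprint(rec.number) in wanted:
            matches.append(rec.user_id)
    return sorted(matches)


# Constructed sample data: alice gave her number for 2FA only, bob opted in to discovery.
DIRECTORY = [
    StoredNumber("alice", "+15550000001", frozenset({TWO_FA})),
    StoredNumber("bob", "+15550000002", frozenset({TWO_FA, DISCOVERY})),
]
CAROLS_CONTACTS = ["+1 (555) 000-0001", "+1 555 000 0002", "+44 20 7946 0000"]

if __name__ == "__main__":
    print("unsegmented:", suggest_connections(CAROLS_CONTACTS, DIRECTORY, False))
    print("segmented:  ", suggest_connections(CAROLS_CONTACTS, DIRECTORY, True))
```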
Controversy emerged around the practice as it came to the wider public's attention over the weekend. Turkish writer and New York Times contributor Zeynep Tufekci tweeted her dismay at the discovery.
Based on assurances by Facebook that 2FA numbers were 2FA only, we told people—AT REAL RISK—to use 2FA even when it was just via phone number. It sucked, but getting hacked is more dangerous. Hard for dissidents to avoid Facebook. Now sold out to improve ad-targeting a tiny bit.
— zeynep tufekci (@zeynep) March 3, 2019
The gravity of Tufekci's case is sobering, given that she had advised dissidents to use 2FA with Facebook. To find out that her advice had potentially placed those same people in danger does not sit well with her: a high price to pay in exchange for Facebook achieving improved advertisement targeting.
A Facebook spokesperson responded:
“We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”
In May of last year, Facebook added the option of 2FA methods that do not rely on a mobile phone number. Whilst this gives users of the social network a means of avoiding this breach of their privacy, it comes too late for those who had already used phone-based 2FA.
Jeremy Burge, editor of the emoji reference site Emojipedia, was another who voiced his concern, as reported in The Guardian:
“I’m usually one to give benefit of the doubt but it’s so clear Facebook sees phone number as the way to unify its data sets (FB: email, Insta: username, WhatsApp: phone #) and this sort of thing only gives them less credibility when it comes to ever providing a number.”
Even Facebook’s former Chief Information Officer, Alex Stamos, was critical of the social media giant’s practices in this instance:
This is why tech companies need somebody advocating for security as a first-class goal in product, which is a different function than good security engineering. FB can’t credibly require 2FA for high-risk accounts without segmenting that from search & ads. https://t.co/CzDyuRInBU
— Alex Stamos (@alexstamos) March 2, 2019