- Facebook won't let users opt out of a feature that allows them to be searched by phone numbers provided for two-factor authentication, TechCrunch first reported.
- Facebook repeatedly asked users to set up the security feature using their phone number before changing the requirement in May 2018.
- Now, users have realized that number can be used to look up their profiles and target them with advertisements.
Facebook asked users to add their phone numbers as an extra security measure, but now they are learning their numbers are being used as a way to look up their profiles and even target them with ads, without the option to opt out.
TechCrunch first reported the feature after Jeremy Burge, who runs the site Emojipedia, called it out in a tweet on Friday.
While users can hide their phone number from the general public and restrict who can look them up by phone number by switching the setting from "everyone" to "friends of friends" or just "friends," Facebook does not give the option to get rid of the look-up option entirely. That means if a user's setting allows "everyone" to look them up by phone number, even a person without a Facebook account could find their page on the site.
The concern around Facebook's use of phone numbers follows its plans to further integrate its messaging services across Messenger, WhatsApp and Instagram. WhatsApp uses phone numbers as the primary way to set up an account, which could raise privacy concerns for users already surprised by the use of their phone number on Facebook's other platforms.
In a statement sent to CNBC, Facebook said the settings "are not new and are not specific to two-factor authentication. In April 2018, we removed the ability to enter another person's phone number or email address into the Facebook search bar to help find someone's profile. Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we've received about these settings and will take it into account."
Since May 2018, Facebook has removed the requirement of adding a phone number to set up two-factor identification (2FA).
In September, Facebook confirmed to TechCrunch that it uses phone numbers provided for 2FA for ad targeting after Gizmodo reported that numbers provided for 2FA "became targetable by an advertiser within a couple weeks." Facebook's former security chief, Alex Stamos, criticized the practice in a tweet Saturday, saying "FB can't credibly require 2FA for high-risk accounts without segmenting that from search & ads."