It looks like Facebook allows people to look up users on the platform using their phone number, even if they submitted that number for security purposes.
The news comes from Jeremy Burge, the man behind Emojipedia. He tweeted a lengthy thread exploring how Facebook uses phone numbers submitted for two-factor authentication (2FA) as an identifying and tracking tool. Worse, Burge says there’s no way to turn it off.
The news follows a revelation in September 2018 that the social network used 2FA phone numbers for advertising purposes as well.
Burge’s tweet thread highlighted that Facebook’s default settings allow anyone — regardless of whether they have a Facebook account — to look up your profile with your 2FA phone number.
Users can hide their phone numbers so no one can see them, but that doesn’t remove the ability for people to look you up using your number.
For example, when Facebook asks a user to upload their contact book to find friends, if that contact book includes your phone number, Facebook can use it to find your profile.
The social network previously removed the option to search for profiles by phone number after admitting “most people on Facebook could have had their public profile scraped in this way.” Burge notes that either Facebook’s statement about this change was misleading, or the current settings page is misleading as it indicates you can still search for people this way.
Your phone number acts as one unique ID across all platforms
Burge compared the use of phone numbers by Facebook to having a unique ID that links your identity across every platform on the internet.
He also revealed that the company shares 2FA phone numbers with its other platforms, like WhatsApp and Instagram.
To make it all worse, Burge says that if you don’t want to give your number to Facebook, too bad — it probably already has it. If any of your friends allow Messenger or WhatsApp to access their contacts, Facebook can learn your number that way, according to Burge.
To cap it off, Burge suggests this new reliance on the phone number is Facebook’s reaction to data regulations like GDPR. Your phone number becomes a bridge across services, such as Facebook, WhatsApp and Instagram. According to Burge, if you delete Facebook, it’ll keep your data under the pretense it’s used for Instagram or WhatsApp — which it can do thanks to the phone number’s new role as a unifying identification tool.
Ultimately, the best thing users can do now is rely on apps for 2FA instead of phone numbers. Not only are apps more secure, but it means you won’t have to hand out your phone number to companies like Facebook.