Facebook has been accused of abusing a security feature in order to weaken user privacy, after the social network was found using phone numbers initially handed over for account safety for other purposes.

The company now faces criticism that it will be harder to convince users to take other necessary security measures if users view this as an abuse of trust.

Since 2011, Facebook has asked users for their phone numbers in order to enable “two-factor authentication”, a common account security feature that sends a text message whenever a login is attempted. The social network even required the feature to be used by the moderators of large Facebook pages, telling them they had to hand over a phone number in order to prevent the page from being easily stolen by a canny hacker.

But in the years after the social network first enabled two-factor authentication, Facebook began to use the phone numbers users had provided for other purposes – eventually, by September 2018, going so far as to update the language used in the prompt, adding the words “and more” to the end of a statement that had previously read, simply: “Add your phone number to help secure your account.”

Now, users who once added their phone number for security are faced with a privacy setting that asks them who can look them up using that number. The options are “everyone”, “friends of friends”, or “friends”. There is no choice to ban that use.

Similarly, Facebook shares that information with Instagram, encouraging users to update their profiles on its sister service if they have a new phone number on the main Facebook app.

In September, Gizmodo reported that Facebook also uses that security information to target adverts: if a business has a phone number for a potential customer, they can upload that number and target that customer with adverts – even if the number is only in Facebook’s systems because of the security policies.

This week’s wave of criticism was sparked by Jeremy Burge, the editor of emoji reference site Emojipedia. Burge, who is the moderator of Emojipedia’s Facebook page, was required to enter his phone number because of the number of followers that page has, and rapidly became frustrated with the lack of privacy he was afforded as a result.

“I’m usually one to give benefit of the doubt,” Burge said, “but it’s so clear Facebook sees phone number as the way to unify its data sets (FB: email, Insta: username, WhatsApp: phone #) and this sort of thing only gives them less credibility when it comes to ever providing a number.”

Others joined in the criticism. Antonio García Martínez, a former Facebook product manager, said the choice was “not just bad, it’s dumb. The fraction of users that have [two-factor authentication] enabled must be small, so the usage gain is minimal, while the PR risk is huge. Dumb trade-off.”

In a statement, Facebook addressed some of Burge’s criticisms: “We’ve been hearing questions about two-factor authentication and phone number settings on Facebook. Two-factor authentication is an important security feature, and last year we added the option to set it up for your account without registering a phone number. Separately, the ‘Who can look me up?’ settings are not new and are not specific to two-factor authentication.

“In April 2018, we removed the ability to enter another person’s phone number or email address into the Facebook search bar to help find someone’s profile. Today, the ‘Who can look me up?’ settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we’ve received about these settings and will take it into account.”