6 March 2019

Privacy International (PI) has written to Facebook to express our concern and request urgent answers regarding its policy on the sharing of mobile phone numbers of its users.

Alarmingly, recent reports say that some of the phone numbers provided by users for the express purpose of two-factor authentication (2FA) as a way of securing their accounts are now made searchable across the platform by default.

PI is concerned that allowing such numbers to be searchable both undermines users' trust in two-factor authentication, a critical security feature, and puts their security at risk.

We are therefore calling on Facebook to answer if:

- It is accurate that phone numbers given specifically for security purposes (including 2FA) are now searchable;
- This was due to a deliberate policy, an oversight, or a bug;
- This is a change of policy, and if so what the legal basis is for repurposing these phone numbers under GDPR Article 6(4);
- Users are made aware of the repurposing of the phone numbers given for security purposes;
- Users can see who has access to this information;
- They will confirm reporting by Venkatadri et al which found "no privacy settings that directly let a user view or control which PII is used for advertising; indeed, we found that Facebook was using the above PII for advertising even if our control account user had set the existing PII-related privacy settings on to their most private configurations. Finally, some of these phone numbers that were usable to target users with did not even appear in Facebook's 'Access Your Data' feature";
- They will take any steps to ensure that phone numbers provided for the purpose of securing accounts are not made searchable.

We will update this page with any response.

Read more from Gizmodo, Motherboard, & Venkatadri et al.