Another day, another Facebook privacy scandal. Last year, we discovered that the company was using the phone numbers users provided for two-factor authentication and selling them to advertisers. Now, it turns out that the company also allows end users to be targeted in this fashion when you sync contacts with the service.

You can’t opt out of it. In fact, you can’t log out of Messenger at all. And it looks as though FB is pushing hard to make phone numbers a unifying form of identification behind the scenes, even as it pushes to move WhatsApp to a unified backend with FB, combining what it knows about people into an ever-larger panopticon.

https://twitter.com/jeremyburge/status/1101402001907372032

These latest discoveries are courtesy of Jeremy Burge, Chief Emoji Officer at Emojipedia. While Facebook doesn’t directly allow users to search by phone number over the main website — that capability has been removed — it does allow users to “locate” your profile if they connect to Facebook and your mobile number is uploaded into their own contacts. In other words, if you give Facebook your mobile number for security purposes, they’ll allow people to target you in other ways. Facebook’s security page states:

The settings under Who can look me up? control how your mobile phone number or email can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone…. Note: You can search by phone number in the Messenger app.

According to Burge, the “Who Can Look Me Up” setting is set to “Everyone” by default. The default action with FB Messenger is apparently also to use a phone number for identification. When you activate Messenger, it asks for permanent permission to scrape your contacts. As Burge notes, Facebook gets your number in this fashion by scraping the contacts on your friends’ lists, even if you don’t agree to give it to them. If even one of your friends in real life uses Facebook and/or WhatsApp, and they also have your real number, FB has your real number as well. Burge notes that FB requires real numbers for page administrators and that it shares the phone number you give it for that purpose with Instagram as well. Days after sharing a 2FA number with FB, Burge received a request to use it on Instagram.

https://twitter.com/jeremyburge/status/1101411105325363201

Facebook’s own response to the problem, such as it is, can be found below. It deals with none of the security or privacy issues inherent to repurposing the 2FA information individuals provide to instead make them easier to locate on social media, or the ethics and security wisdom of sharing that information across web services. It also does not address the fact that users cannot prevent their phone numbers from being used to look them up on other services.

Past that, it’s difficult to know what to say. People still don’t really talk about how fundamentally Facebook has lied to its users about virtually every aspect of how it uses data or how hard the company has fought to avoid being held accountable for its misdeeds.

There was a time when Steve Ballmer memorably described Linux as “a cancer that attaches itself in an intellectual property sense to everything it touches.” What was utter hyperbole when describing the GPLv2 (or Linux itself) is honest fact about Facebook in 2019. The company has never heard of a piece of data it didn’t want to own, regardless of whether it had any right to it or not. It encouraged users to adopt 2FA for security purposes, then used the information for advertising. It constantly scrapes personal data about you from every device it touches, including devices you don’t even own. It tracks your location, even if you try to stop it. It’s been running a massive lobbying operation against data privacy laws all over the world. It lied about the number of underage children it was spying on. After spending most of its Portal launch event promising that the device didn’t spy on you, Facebook had to admit that Portal actually is another vehicle for spying on you. Recently, Facebook had to pull its Onavo VPN application. Why? It spied on people. The idea that lying to people about how you use their 2FA information might damage perceptions of 2FA and make people less likely to rely on it, for fear of disclosing information they don’t wish to share, is irrelevant to Facebook. Say what you will about the Borg, but at least they’re upfront about their goals and honest about the outcome.

If Facebook was a person who had treated any single individual as egregiously as the company has treated all of us collectively it would be in jail already.

These aren’t accidents. They’re the ongoing result of deliberate decisions to maximize Facebook’s profits at everyone else’s expense. Your privacy isn’t just of secondary concern to Facebook’s bottom line, it’s actively in opposition to Facebook’s bottom line. At this point, I genuinely don’t believe the disclosures will ever stop. After decades of being maligned for an endless parade of security problems, Bill Gates decided Microsoft would spend roughly a year building Windows XP SP2. Thereafter, the company would build its future operating systems in a fundamentally different fashion, with greater awareness of security concerns. This is not to say that Windows stopped having security flaws in 2005, but the release of XP SP2 is a distinct moment when Microsoft began to treat security much more seriously than it had before.

Facebook hasn’t had a similar come-to-Jesus moment. There’s no sign it ever will. At this point, the only sane way to treat Facebook is as if its disclosures and statements mean the literal opposite of everything the company says. The only security Facebook is interested in protecting is the security of its own revenue stream.

Now Read: