Facebook gives users the option of allowing users to “look up” their profile using their phone number to “everyone” by default, or to “friends of friends” or just the user’s “friends.”
But there’s no way to hide it completely.
Tufekci’s argued that users can “no longer keep keep private the phone number that [they] provided only for security to Facebook.”
Facebook spokesperson Jay Nancarrow told TechCrunch that the settings “are not new,” adding that, “the setting applies to any phone numbers you added to your profile and isn’t specific to any feature.”
Gizmodo reported last year that Facebook uses that when a user gives Facebook a phone number for two-factor, it “became targetable by an advertiser within a couple of weeks.” And, if a user doesn’t like it, they can set up two-factor without using a phone number — which hasn’t been mandatory for additional login security since May 2018.
Even if users haven’t set up two-factor, there are well documented cases of users having their phone numbers collected by Facebook, whether the user expressly permitted it or not. In 2017, one reporter for The Telegraph described her alarm at the “look up” feature, given she had “not given Facebook my number, was unaware that it had found it from other sources, and did not know it could be used to look me up.”
To the specific concerns by users, Facebook said: “We appreciate the feedback we’ve received about these settings and will take it into account.”
Concerned users should switch their “look up” settings to “Friends” to mitigate as much of the privacy risk as possible.
When asked specifically if Facebook will allow users to users to opt-out of the setting, Facebook said it won’t comment on future plans. And, asked why it was set to “everyone” by default, Facebook said the feature makes it easier to find people you know but aren’t yet friends with.
Others criticized Facebook’s move to expose phone numbers to “look ups,” calling it “unconscionable.”
Alex Stamos, former chief security officer and now adjunct professor at Stanford University, also called out the practice in a tweet. “Facebook can’t credibly require two-factor for high-risk accounts without segmenting that from search and ads,” he said.
Since Stamos left Facebook in August, Facebook has not hired a replacement chief security officer.