Facebook will stop using 2FA tool to harvest phone numbers for friend suggestions

The company is acting in response to an FTC settlement

Photo by Amelia Holowaty Krales / The Verge

Facebook says it will soon stop its practice of using phone numbers provided to the company as part of its two-factor authentication (2FA) security tool to power a friend suggestion feature, Reuters reported on Thursday. According to the report, Facebook was using phone numbers users gave it specifically to protect their accounts from unauthorized access to try and encourage them to add members of their address book to their friends list.

The company says the change is part of its broader privacy overhaul in response to a $5 billion Federal Trade Commission settlement reached in July over Facebook’s privacy practices. As part of that settlement, Facebook was barred from using phone numbers gathered from 2FA requests for advertising. Today’s change is an extension of that. Although not explicitly demanded by the FTC, Facebook’s use of phone numbers has come under scrutiny by the company’s internal privacy review team, led by chief privacy officer Michel Protti.

Facebook is trying to overhaul its privacy practices after a record FTC settlement

Protti’s team conducted a review starting in August that was not specifically aimed at 2FA-related privacy issues, but rather a broader overview, Reuters reports, as Protti is in charge of signing off on the quarterly privacy certifications mandated by the FTC settlement. The review was designed to make sure “the system updates supporting our privacy statements were done correctly,” Protti told Reuters. It also “adds more layers of process and rigor to the vetting of our technical work to make sure our public statements match our operations.”

For users who rely on their phone number to power Facebook’s 2FA login, the company isn’t going to fix the issue by default. Instead, affected users will have to remove their existing phone number and re-add it, Reuters reports.

“Based on feedback from the privacy and security communities, we have started updating our two-factor authentication feature so that phone numbers people add here won’t be used to suggest friends,” a Facebook spokesperson said in a statement.

The change related to friend suggestions is only going into effect this week for users in Ecuador, Ethiopia, Pakistan, Libya, and Cambodia. Facebook will expand it to users around the globe next year. It’s not clear, however, why Facebook is not making the change automatic for all users by default, or when exactly in 2020 it plans to separate 2FA phone numbers from friend suggestions.