Facebook separates security tool from friend suggestions
Facebook Inc will no longer feed user phone numbers provided to it for two-factor authentication into its "people you may know" feature, as part of a wide-ranging overhaul of its privacy practices, the company told Reuters.
Revelations last year that Facebook was using personal data obtained for two- factor authentication to serve advertisements enraged privacy advocates, who called the practice deceptive and said it eroded trust in an essential digital security tool.
It had already stopped allowing those phone numbers to be used for advertising purposes in June, the company said, and is now beginning to extend that separation to friend suggestions.
Facebook initiated the updates in connection with its $5 billion settlement with the U.S. Federal Trade Commission, which required it to boost safeguards on user data to resolve a government probe into its privacy practices.
The FTC order, which is still pending approval in court, said Facebook failed to disclose that the phone numbers provided for twofactor authentication also would be used for advertising, and specifically barred that approach to security tools.
Michel Protti, a long-time Facebook executive who took over as chief privacy officer for product this summer and is leading the overhaul, told Reuters the two-factor authentication update was an example of the company's new privacy model at work.
The change - which is happening in Ecuador, Ethiopia, Pakistan, Libya and Cambodia this week and will be introduced globally early next year - will prevent any phone numbers provided during sign-up for two-factor authentication from being used to make friend suggestions.
Existing users of the tool will not be affected, but can de-link their two-factor authentication numbers from the friend suggestion feature by deleting them and adding them again.
The separation of two-factor authentication from advertising this summer applied to both new and existing users, a company spokeswoman said.
Before the latest change, Facebook conducted a review to ensure "the system updates supporting our privacy statements were done correctly," said Protti, which "adds more layers of process and rigor to the vetting of our technical work to make sure our public statements match our operations."
The beefed-up reviews of new products aim to minimize any data collected, document where the data goes and provide sufficient transparency around how products work, he said.
That process led to changes in the phrasing Facebook used to inform people of the update, the spokeswoman added, although Facebook declined to specify how the disclosures were altered.
Protti, who along with Chief Executive Mark Zuckerberg will sign quarterly privacy certifications to the FTC, said his team has completed an assessment begun in August of Facebook's privacy risks and started cataloguing protections in place to mitigate those risks.
Protti declined to share the assessment's findings, but said examples included areas where Facebook should make its policies clearer, invest in training and institute "stronger technical controls over how the data flows through our pipes."
Gennie Gebhart, a researcher at the Electronic Frontier Foundation who gave feedback to Facebook on its two-factor authentication updates, said she welcomed those changes as well as the new privacy protocols, but found them "incomplete."
She cited other examples of "phone number abuse," such as the ability to find users by uploading their two-factor authentication phone numbers, and called for public disclosure around the review process and any certifications Facebook submits to the FTC.
"It's not enough for only Facebook and the government to have this information," said Gebhart. "Does Facebook really expect us to take it at its word?"
Meanwhile, Facebook and Instagram have banned misinformation related to the 2020 census. They won't allow posts or ads with false information about when, where and how people should participate in the census, who can do so or what information and materials people need to take part.
In addition, Facebook is prohibiting anything suggesting that completing the census might "result in law enforcement consequences" along with misinformation about how the government uses data from it. It also banned ads on Facebook and Instagram that urge people not to participate, or that doing so would be "useless or meaningless."
Facebook will start enforcing the policy next month, when the census gets underway in Alaska.
It'll try to remove content that contravenes the rules before anyone actually sees it, using a combination of humans and algorithms to spot such posts and ads. It's adopting a similar approach to census information as it does with voter interference: content that breaks the rules won't be treated as newsworthy and will be removed from Facebook and Instagram, while politicians aren't exempt.
Posts and ads that don't violate the policy but which may include inaccurate information might be assessed by third-party fact-checkers. If they determine the content includes false details, the post may be labeled as such and downranked in the News Feed, so fewer people see it.
Facebook also plans to share accurate information on how to complete the census. It's working with the Census Bureau to limit interference and encourage participation.
US residents are required to complete the census every 10 years. Accurate census data is an important factor in, for instance, determining how public services are provided. The 2020 census marks the first time people can submit their responses online or over the phone, as well as via the traditional paper-based method.