Facebook is reportedly spamming some users by text, using a cell number they provided only for use in two-factor authentication.
In common with many services, Facebook allows you to protect your account by requiring a code when you first log in from a new device. That code is texted to a cell number you provide for the purpose – but a number of users have reported it being used without their permission for notifications about posts by friends …
Software engineer Gabriel Lewis seems to have been the first to report it.
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall.
The Verge reports that the issue got more attention thanks to a subsequent series of tweets.
Lewis’ case gained steam today when prominent technology critic and sociologist Zeynep Tufekci tweeted about it in a series of harsh criticisms of Facebook and its behavior regarding alleged “juicing” of its user engagement metrics.
Gizmodo’s Kate Conger found the same thing happening to her, stating that it started when she had a largely unused account.
At first, I only got one or two texts from Facebook per month. But as my profile stagnated, I got more and more messages. In January, Facebook texted me six times—mostly with updates about what my ex was posting. This month, I’ve already gotten four texts from Facebook. One is about a post from a former intern; I don’t recognise the name of one of the other “friends” Facebook messaged me about.
She said that not only was the spam unwelcome, it was insensitive.
It’s painful to see my ex’s name popping up on my phone all the time, and while my intern was great at her job, I’m not invested in keeping up with her personal life.
To make matters worse, some people have replied to the spam texts with STOP messages or similar – and these have ended up posted on Facebook.
I’d just gotten a text from Facebook letting me know that my former boss had commented on a post. “Abusing a security tool like 2fa to spam users is a really shitty, shortsighted thing to do,” I texted back.
One minute later, I got a text from my former boss. “Hey did someone break into your FB?” he asked. My rant about two-factor authentication had showed up as a comment on vacation photos he’d posted two weeks ago.
Replies ending up as comments appears to be a bizarre bug, but the spamming seems intentional.
In many countries, misusing a phone number in this way is illegal. In the UK, for example, it would contravene the Data Protection Act. In all countries, it’s at the very least unethical. It’s particularly unwelcome if it discourages people from using 2FA – an important security tool.
Facebook gave the same vague and unsatisfactory statement to both sites.
We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.