Facebook’s Very Revealing Text Messaging Privacy Fail

As I’ve frequently noted, one of the reasons it can be difficult to convince users to provide their phone numbers for account recovery or for 2-step, multiple-factor login verification is that many people fear the firms involved will abuse those numbers for other purposes.

In the case of Google, I’ve emphasized that their excellent privacy practices and related internal controls (Google’s privacy team is world class), make any such concerns utterly unwarranted.

Such is obviously not the case with Facebook. They’ve now admitted that a “bug” caused mobile numbers that users provided for multiple-factor verification to also be used to spam those same users with unrelated text messages. Even worse, when users replied to those texts, their replies frequently ended up posted on their own Facebook feeds! Ouch.

What’s most revealing here is what this situation suggests about Facebook’s own internal privacy practices. Proper proactive privacy design would have compartmentalized those phone numbers by the purpose for which they were collected: a number given for login verification would be stored and tagged so that the notification, marketing, and post-by-SMS systems simply could not retrieve it, and a text arriving from such a number would never be interpreted as content to publish. With that separation in place, a “bug” in an unrelated subsystem could not have reached the numbers at all, let alone triggered such abuse of them.
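The following is an added illustration of that kind of purpose-bound compartmentalization; it is my own example, not Facebook’s code (which is not public) and not a description of how Facebook’s systems are built. The class and purpose names, the two constructed users, and the sample phone numbers are all hypothetical. Each stored number carries the purposes the user consented to, any subsystem must declare its purpose to retrieve a number, and inbound texts are routed by what the sending number was enrolled for, so a reply to a verification text is dropped rather than posted.

```python
"""Purpose-bound storage for phone numbers collected for login verification.

Added example (hypothetical design, not Facebook's code). The store records
*why* each number was collected and refuses to hand it to any caller whose
declared purpose does not match, so a bug in an unrelated subsystem (a
notification sender or a "post by SMS" feature) cannot reach the number.
"""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    LOGIN_VERIFICATION = "login_verification"  # 2-step / multiple-factor codes
    NOTIFICATIONS = "notifications"            # product or marketing texts
    POST_BY_SMS = "post_by_sms"                # inbound text becomes a feed post


class PurposeViolation(PermissionError):
    """Raised when a subsystem asks for data collected for another purpose."""


@dataclass(frozen=True)
class ContactRecord:
    user_id: str
    phone: str
    purposes: frozenset  # purposes the user consented to for this number


class PhoneStore:
    def __init__(self):
        self._by_user = {}   # user_id -> ContactRecord
        self._by_phone = {}  # phone   -> ContactRecord
        self.audit = []      # (caller, user_id, purpose, decision)

    def enroll(self, user_id, phone, purposes):
        """Record a number together with the purposes it was given for."""
        rec = ContactRecord(user_id, phone, frozenset(purposes))
        self._by_user[user_id] = rec
        self._by_phone[phone] = rec
        return rec

    def phone_for(self, caller, user_id, purpose):
        """Release a number only to a caller whose purpose the user agreed to.

        The denial is logged and raised; a misbehaving subsystem gets an
        exception, not a phone number.
        """
        rec = self._by_user.get(user_id)
        if rec is None or purpose not in rec.purposes:
            self.audit.append((caller, user_id, purpose.value, "DENIED"))
            raise PurposeViolation(
                f"{caller}: no consent from {user_id} for {purpose.value}")
        self.audit.append((caller, user_id, purpose.value, "ALLOWED"))
        return rec.phone

    def route_inbound(self, from_phone, body):
        """Decide what to do with a text received from a user's number."""
        rec = self._by_phone.get(from_phone)
        if rec is None:
            return ("drop", "unknown sender")
        if Purpose.POST_BY_SMS in rec.purposes:
            return ("post_to_feed", body)
        # Number enrolled only for verification: replies are never content.
        return ("drop", "reply to a verification-only number is not a post")


def demo():
    """Constructed scenario: two hypothetical users with different consents."""
    store = PhoneStore()
    store.enroll("alice", "+15555550100", {Purpose.LOGIN_VERIFICATION})
    store.enroll("bob", "+15555550101",
                 {Purpose.LOGIN_VERIFICATION, Purpose.NOTIFICATIONS,
                  Purpose.POST_BY_SMS})
    results = {}
    # The login service may fetch alice's number for a verification code.
    results["2fa_alice"] = store.phone_for(
        "login-service", "alice", Purpose.LOGIN_VERIFICATION)
    # A notification sender asking for the same number is refused.
    try:
        store.phone_for("notification-service", "alice", Purpose.NOTIFICATIONS)
        results["notify_alice"] = "sent"
    except PurposeViolation:
        results["notify_alice"] = "denied"
    # bob consented to notifications, so that request succeeds.
    results["notify_bob"] = store.phone_for(
        "notification-service", "bob", Purpose.NOTIFICATIONS)
    # An inbound reply from alice is dropped; one from bob may be posted.
    results["reply_alice"] = store.route_inbound("+15555550100", "stop texting me")
    results["reply_bob"] = store.route_inbound("+15555550101", "hello feed")
    results["audit"] = list(store.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the design is that the check lives in the data store, not in each consumer: a subsystem that forgets to check, or that has a bug in its own logic, still cannot obtain a number it was never entitled to, and the audit trail shows the attempt.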

Facebook’s sloppiness in this regard has now been exposed to the entire world.

And naturally this raises a much more general concern.

What other sorts of systemic privacy design failures are buried in Facebook’s code, waiting for other “bugs” capable of freeing them to harass innocent Facebook users yet again?

All of this further illustrates why I don’t use Facebook. If you still do, I recommend continuous diligence regarding your privacy on that platform — and lotsa luck — you’re going to need it!