Facebook is coming under fire for exploiting some users' two-factor authentication info and sending them spam notifications. It's a grotesquely intrusive implementation that might have persisted unnoticed for quite some time until a software engineer complained about it on Twitter.
The engineer, Gabriel Lewis, noticed earlier this week that Facebook was using his phone number — the same one he used for two-factor authentication — to notify him about posts from other people. For the uninitiated, two-factor authentication is a more secure login method that requires input of secondary information rather than a password alone.
Facebook Allegedly Exploits Two-Factor Authentication To Send Spam
Facebook's spammy implementation appears to go beyond just sending notifications. If a user replies to the text message with any kind of text, it gets automatically posted to their Facebook profile. Check out Lewis's screenshots to see this in action.
Other users have popped up on Twitter making similar complaints, saying it's not just Facebook that's doing this but also Instagram, which it owns. Lewis says he never opted for any kind of text notifications to begin with.
The issue got some slight traction on Twitter recently after Turkish techno-sociologist Zeynep Tufekci slammed Facebook for forcing user engagement:
"This is how a business model can be so poisonous and harmful. This is unacceptable."
"This is horrible. You give Facebook your phone number for login authentication; instead, it abuses it to SMS spam to drive up 'engagement', and when you reply to spam, it posts it on your wall," she said.
Is It A Bug?
It remains uncertain whether Facebook's spammy behavior is a bug or whether it's a way to deliberately push users to post more often on the site. In any case, the idea of giving Facebook your phone number now seems stupid, given the fact that the company can exploit it willy-nilly. If Facebook is indeed using people's phone numbers and getting them to post without their consent, it could be ample legal grounds for a potential lawsuit.
The company says it's now looking into the issue and assures users that they don't have to use their phone number for two-factor authentication but can instead use a code generator.
"We give people control over their notifications, including those that relate to security features like two-factor authentication," said a Facebook representative.
Matthew Green, a professor of cryptography at Johns Hopkins University, also slammed Facebook for exploiting users' phone numbers and said the claim that the issue is the result of a bug is "bullsh-t."
"Abusing a security technology like [two-factor authentication] by turning it into a marketing opportunity is pretty much the most short-term clever, long-term foolish thing Facebook could do."