Facebook finally agrees to end its most frustrating security practice

Facebook is ending one of its most frustrating growth practices, promising to no longer use phone numbers provided by users for extra security to also suggest potential friends on the social network. The company admitted last year that it used numbers registered as part of two-factor authentication (2FA) to also power the "people you may know" feature that attempts to bolster users' friends lists.

Two-factor authentication is one of the first security steps experts recommend for preventing unauthorized access to an account. As well as a username and password, it means Facebook requires a special, time-sensitive code that is sent to a phone number. Without that code, the user cannot log in.

The downside was how Facebook was also using numbers registered for 2FA. What users didn't realize was that Facebook had also been relying on them to help connect people on the social network. By comparing people's numbers with other users' contacts, it could help populate friends lists.

Now, that's changing. Facebook confirmed to Reuters that it will no longer be using 2FA numbers for that, beginning in Ecuador, Ethiopia, Pakistan, Libya, and Cambodia this week. A global roll-out of the new policy will follow early in 2020.

Facebook already committed to no longer using numbers provided for 2FA for advertising purposes, one of the more uncomfortable aspects of its old privacy policy. Then, both new and existing users saw their numbers automatically disconnected from advertising. Users who have already had their phone number connected with the "people you may know" feature, however, will apparently have to manually delete it and then add it again.

It's unclear at this stage why Facebook has taken a different approach, though it's hard not to see it as a way for the social network to try to minimize the number of people who remove themselves from the "people you may know" tool. Facebook is required to provide quarterly privacy certifications to the US Federal Trade Commission (FTC), after agreeing a $5 billion settlement – still to be finalized – over claims it mishandled user privacy.

The "people you may know" feature uses a variety of data to populate a suggested friends list. As well as matching any contacts a user may have uploaded – typically as part of installing the Facebook app on their smartphone – it can use friends in common, people who are in the same Facebook group or who have been tagged in the same photo, or people from common networks such as schools or work. To delete contacts that have been uploaded to Facebook, you have to go to the "Uploading and Managing Your Contacts" screen and then choose "Delete All". "Continuous contact uploading" must also be switched off on any device running the Facebook app, otherwise the contacts will simply be uploaded again the next time the app is run.