Two-factor authentication for online platforms was designed to increase user security. But Facebook is using it to try to bring back users, spamming those who gave the company their mobile numbers for a safer experience.
What’s more, when people try to stop the spam messages, their text replies to Facebook get posted publicly on the platform.
On Feb. 12, Twitter user Gabriel Lewis, who signed up for Facebook’s two-factor authentication, tweeted that Facebook sent him a notification on his mobile phone. When he texted the number back to stop the notifications, the texts ended up on his wall.
After seeing the tweet, Gizmodo reporter Kate Conger, who had been getting similar messages for several months, tried to reply to a Facebook notification as well. It was a notification about an ex-boss’s comment on a post, and her strongly worded reply to Facebook ended up as a comment on her ex-boss’s vacation pictures.
Instagram uses similar notifications, another Twitter user pointed out.
Facebook’s use of two-factor authentication to drive users to check their accounts quickly spurred criticism from social media observers. Zeynep Tufekci, a sociologist at the University of North Carolina at Chapel Hill who examines the effect of online platforms on societies, said in a Twitter thread that misusing these phone numbers is “unconscionable,” “soulless,” and “is prioritizing ‘engagement’ over people’s safety and security.” She says that the practice opens people up to phishing attempts.
“We give people control over their notifications, including those that relate to security features like two-factor authentication,” a Facebook spokesperson told Quartz. “We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.”
Facebook user growth is slowing, with daily user numbers even falling in the US this year, and the company is using a variety of tactics to bring users back to the platform. Bloomberg reported earlier this year that users who had deleted the Facebook app said the platform was sending them emails aggressively informing them about new notifications, and was even trying to trick them into thinking someone else was trying to log on to their account.