Two-factor authentication is intended to better protect online accounts from attacks. Facebook also offers the procedure, but the promised security has its price.
Many Facebook users have linked their account to their phone number. That carries risks, privacy advocates warn.
For a long time, data protection did not appear to be a high priority at Facebook. The company paid for its rather casual handling of data with many negative headlines: the scandal around the data analysis company Cambridge Analytica, which was able to unlawfully evaluate Facebook data millions of times over; the vulnerability that affected 50 million users; or the merging of Facebook data with that of other services such as WhatsApp and Instagram, which the Federal Cartel Office prohibited. Facebook’s reputation for data protection is battered. The EU also regularly fights with the tech giants over compliance with data protection rules.
How two-factor authentication works
Now there is another case that is unlikely to boost users’ trust in the social network. It concerns a process that is actually supposed to provide more security: two-factor authentication, which is meant to better protect a Facebook account from outside access. What sounds complicated is actually quite simple: users protect their account not only with a password, but must also confirm at each login, through a second channel, that they really are the owner of the account. On Facebook, one way to do this works as follows: as soon as you log in to your account with your password, the social network sends an SMS containing an additional, temporary access code to your mobile phone.
Users who choose this type of two-factor authentication store their telephone number with Facebook. But anyone who believes that the company uses the number only for this purpose is wrong. As early as last year, a US study showed that Facebook uses the numbers for advertising purposes.
Function cannot be turned off
And now there is apparently another use for the mobile number, one that is not explicitly communicated to users when they set up the process: as soon as they provide their number, even if they only want to protect their account, they can from then on be found in the social network by that number. Anyone who knows the phone number can enter it in Facebook’s search and get the corresponding profile.
However, the use of the number for the search function cannot be switched off. By default, search by telephone number is possible for all Facebook users. Account holders can only restrict it so that they can be found by friends or friends of friends.
Criticism of Hamburg’s data protection officer
“Here, data protection is being played off against the protection of the privacy of Facebook’s users,” the Hamburg Data Protection Commissioner Johannes Caspar told DW. “People who opt for two-factor authentication have a clear purpose in using their mobile phone number, which will now be ‘incorporated’ into the range of users’ data that can be used for commercial purposes, without Facebook requesting the consent of the users in advance.” With regard to compliance with the provisions of the General Data Protection Regulation, there are “significant concerns” about the procedure, says Caspar.
According to Facebook, none of this is new. US media quote from a company statement: the procedure is meant to make it easier to find users you already know but are not yet friends with on Facebook. If you do not want that, you can delete the phone number again. In fact, there is now a second authentication process that uses other, non-Facebook authentication apps. However, Facebook has always called on its users to authenticate via SMS.
Data protection advocates advise against authentication by SMS
In principle, privacy advocates recommend two-factor authentication. It is offered not only by social networks, but also by many other online services, such as banks. But authentication via SMS has long been considered insecure, regardless of what the respective company does with the number. SMS messages are often displayed on the lock screen of a smartphone, making them visible to others. What is more, SMS messages are not encrypted, and they can also be intercepted remotely by hackers. Privacy advocates therefore call for abolishing authentication via SMS altogether and recommend the authentication apps that are available in every app store.
Providing a mobile number to online services is generally considered a risk among privacy advocates, and not just for two-factor authentication. For example, it is not possible to create an e-mail address with Telekom without specifying a mobile number. The mail providers GMX and Web.de, as well as Google, also press their users to store a phone number, even just for the ability to reset the password.
“The mobile number is the universal identifier,” Markus Reuter of the online platform netzpolitik.org told DW. People do not change their telephone number very often; it is long-term information about the user that is used across all devices and services. And above all, it “deanonymises” users. “That’s why companies – especially those that rely on data like Facebook – are so keen on it.”
Facebook currently without security chief
This was also emphasized by the tech entrepreneur Jeremy Burge, who complained loudly on Twitter about the process, whereupon a storm of indignation broke loose. The process turns a supposed feature for more security into a threat to privacy.
Facebook’s ex-security chief Alex Stamos also criticized his former employer. Facebook is not credible if it does not separate authentication from search and advertising.
The Turkish techno-sociologist and writer Zeynep Tufekci, who teaches in the US, went one step further: she lamented the risks for dissidents, who could be identified.
Incidentally, Alex Stamos was not the only top manager to turn his back on Facebook last year. Elliot Schrage, the former head of communications, and Jan Koum, who had sold the technology company WhatsApp, also left Facebook because of differing views on how to handle user data, the New York Times reported. Stamos’ post as security chief has not been filled. It is a matter of priorities.