(Reuters) — Facebook will no longer feed user phone numbers provided to it for two-factor authentication into its “people you may know” feature, as part of a wide-ranging overhaul of its privacy practices, the company told Reuters.

Revelations last year that Facebook was using personal data obtained for two-factor authentication to serve advertisements enraged privacy advocates, who called the practice deceptive and said it eroded trust in an essential digital security tool. It had already stopped allowing those phone numbers to be used for advertising purposes in June, the company said, and is now beginning to extend that separation to friend suggestions.

Facebook initiated the updates in connection with its $5 billion settlement with the U.S. Federal Trade Commission, which required it to boost safeguards on user data to resolve a government probe into its privacy practices. The FTC order, which is still pending approval in court, said Facebook failed to disclose that the phone numbers provided for two-factor authentication also would be used for advertising, and specifically barred that approach to security tools.

Michel Protti, a long-time Facebook executive who took over as chief privacy officer for product this summer and is leading the overhaul, told Reuters the two-factor authentication update was an example of the company’s new privacy model at work.

The change – which is happening in Ecuador, Ethiopia, Pakistan, Libya and Cambodia this week and will be introduced globally early next year – will prevent any phone numbers provided during sign-up for two-factor authentication from being used to make friend suggestions. Existing users of the tool will not be affected, but can de-link their two-factor authentication numbers from the friend suggestion feature by deleting them and adding them again.

The separation of two-factor authentication from advertising this summer applied to both new and existing users, a company spokeswoman said. Before the latest change, Facebook conducted a review to ensure “the system updates supporting our privacy statements were done correctly,” said Protti, which “adds more layers of process and rigor to the vetting of our technical work to make sure our public statements match our operations.” The beefed-up reviews of new products aim to minimize any data collected, document where the data goes and provide sufficient transparency around how products work, he said.

That process led to changes in the phrasing Facebook used to inform people of the update, the spokeswoman added, although Facebook declined to specify how the disclosures were altered. Protti, who along with Chief Executive Mark Zuckerberg will sign quarterly privacy certifications to the FTC, said his team has completed an assessment begun in August of Facebook’s privacy risks and started cataloguing protections in place to mitigate those risks. Protti declined to share the assessment’s findings, but said examples included areas where Facebook should make its policies clearer, invest in training and institute “stronger technical controls over how the data flows through our pipes.”

Gennie Gebhart, a researcher at the Electronic Frontier Foundation who gave feedback to Facebook on its two-factor authentication updates, said she welcomed those changes as well as the new privacy protocols, but found them “incomplete.” She cited other examples of “phone number abuse,” such as the ability to find users by uploading their two-factor authentication phone numbers, and called for public disclosure around the review process and any certifications Facebook submits to the FTC. “It’s not enough for only Facebook and the government to have this information,” said Gebhart. “Does Facebook really expect us to take it at its word?”


You can't solo security COVID-19 game security report: Learn the latest attack trends in gaming. Access here