Facebook In Authentication Spamming Row

Facebook is facing criticism for allegedly using sign-ups to two-factor authentication as an opportunity to send spam SMS notifications.

What 2FA?

Facebook has been allowing users to sign up for SMS-based two-factor authentication to mitigate the risk of phishing attempts and to help protect people from having their accounts compromised.

Spam Too

Unfortunately, in addition to receiving the authentication texts / security codes that they expected, some sign-ups have also reported receiving what are essentially extra spam texts from Facebook, with links to other things happening on the social network.

To make matters even worse, any replies to the spam texts (e.g. requests to stop the texts) were reported to have been posted onto the user’s Facebook profile page.

Facebook Sorry

After complaints were received, Facebook released a statement saying that it was sorry for any inconvenience caused, and that it was not their intention to send non-security-related SMS notifications to the phone numbers that customers had submitted as part of the two-factor authentication service.

With regards to posting customer replies to the spam texts on their own Facebook profiles, Facebook explained that this was a throwback to a time before the ubiquity of smartphones, when Facebook supported posting to profiles via text message. Facebook admitted, however, that this feature is now less useful, and that it would soon be deprecated.

Bad Publicity In Europe

This incident comes on top of plenty of recent bad publicity in Europe for Facebook. Firstly, after a dispute dating back to 2015 where Facebook fell foul of Verbraucherzentrale Bundesverband (vzbv), or Federation of German Consumer Organisations, a German court has just ruled that Facebook didn’t do enough to alert people to the pre-ticked privacy settings on its mobile app. It also found that eight clauses in Facebook’s terms of service were invalid, including terms that allow Facebook to transmit data to the US and use personal data for commercial purposes.

In a separate long-running spat, this time in Belgium, Facebook lost in a court case with Belgium’s privacy watchdog, the Belgian commission for the protection of privacy (CPP), where it was ruled that Facebook failed to comply with Belgian privacy laws. This time, it was found that Facebook had been using cookies to track people who may or may not have been Facebook users without their consent, and then stored the tracked personal data that it obtained illegally in the first place.

What Does This Mean For Your Business?

As well as highlighting how the behaviour of some big US Internet companies in Europe is being closely monitored (and needs to be), it highlights how data privacy laws and courts differ from country to country.

This story also brings into focus the importance of the imminent introduction of GDPR in May this year, which should go some way to making data privacy and security laws more uniform and consistent across the EU region. Even though the UK won’t be in the EU soon, GDPR will apply initially, and then the Data Protection Bill (DPB) will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law for the future.

On the subject of GDPR, businesses should be reminded that we have now passed what is known as ‘X-Day’ (100 days from GDPR’s introduction), and that businesses and organisations need to quickly adopt an automated, classification-based, policy-driven approach so that they can meet the regulatory demands within the short time frame available.

In relation to the Facebook case of ‘accidental’ spam after sign-ups for the SMS-based two-factor authentication service, this behaviour would contravene GDPR because, under GDPR, the users would have given consent only for the 2FA service, and not for anything else. GDPR may, therefore, make companies think very seriously about what SMS and email messages they send to user groups based on their initial consent. The whole area of consent and GDPR is something that will need more discussion and clarification to help businesses understand the new boundaries for their online marketing.
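One way to prevent the failure described above at the engineering level is to bind each phone number to the purpose it was collected for and have the SMS gateway refuse anything outside that purpose, while treating inbound replies as opt-out control messages rather than as content to be published. The following is an added example, not Facebook's code; the class and method names and the phone numbers are constructed for illustration.

```python
# Added example (not Facebook's code): a purpose-bound SMS gateway.
# A number submitted at 2FA sign-up carries consent for security
# messages only; marketing texts need a separate, explicit grant.
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    SECURITY = "security"      # 2FA codes, login alerts
    MARKETING = "marketing"    # activity digests, promotions


@dataclass
class ContactRecord:
    phone: str
    consented: set = field(default_factory=set)  # purposes the user agreed to


class SmsGateway:
    def __init__(self):
        self.contacts = {}   # phone -> ContactRecord
        self.sent = []       # (phone, purpose, body) actually dispatched
        self.refused = []    # (phone, purpose) blocked for lack of consent

    def register_for_2fa(self, phone):
        # Consent given at 2FA sign-up covers security messages only.
        self.contacts[phone] = ContactRecord(phone, {Purpose.SECURITY})

    def grant_consent(self, phone, purpose):
        # Any other purpose must be granted separately and explicitly.
        self.contacts[phone].consented.add(purpose)

    def send(self, phone, purpose, body):
        rec = self.contacts.get(phone)
        if rec is None or purpose not in rec.consented:
            self.refused.append((phone, purpose))  # audit trail for review
            return False
        self.sent.append((phone, purpose, body))
        return True

    def handle_inbound(self, phone, text):
        # Replies are control messages, never user content: a STOP-style
        # reply revokes marketing consent, and nothing is posted anywhere.
        # Security messages (2FA codes) stay enabled; the user asked to stop
        # the spam, not to lose access to their account.
        rec = self.contacts.get(phone)
        if rec is None:
            return "unknown"
        if text.strip().upper() in {"STOP", "UNSUBSCRIBE"}:
            rec.consented.discard(Purpose.MARKETING)
            return "opted-out"
        return "ignored"
```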