A phone number can mean much more when it’s stored on Facebook’s servers – even if you only provided it to help secure your account.
Last February, software engineer Gabriel Lewis tweeted that adding your mobile number to your account as a two-step verification method (in which you confirm a login by entering a one-time code sent to your phone) could result in Facebook sending you text-message notifications about everyday activity on the social network.
At the time, Facebook apologized and said the text spam was an error.
This March, another developer, Jeremy Burge, tweeted that numbers you add for two-step verification still aren’t reserved for that security use. Instead, other Facebook users can search for them – and advertisers who upload contacts lists, called Custom Audiences, can also match you that way.
That time, Facebook did not apologize, noting that it hasn’t required you to secure your account with a phone number since May 2018.
After a month of correspondence with USA TODAY, Facebook said it had changed its system to stop numbers newly added for two-step verification from being matched for advertising.
The correct response is to take Facebook up on its earlier, implicit invitation to remove your number from your account – but only after switching to a different form of two-step verification.
Are you hooked? Look how addicted people are to Facebook
Another scandal: Facebook user data reportedly at risk again
The cheapest option is to use the “Code Generator” authentication option built into Facebook’s mobile app, which will compute a one-time code that you can then enter into your browser when Facebook thinks your login falls outside of your usual activity.
This is free and fairly simple, but you need to set this up anew every time you switch phones. And Facebook’s mobile app gathers more data than its mobile Web site.
You should also consider using a security key, a special USB key that confirms your login by matching a unique cryptographic signature for a site. They’re not free but are cheap, starting at $20 from the best-known vendor, Yubico; Amazon sells other models, also certified by the FIDO (Fast IDentity Online) trade group, for as little as $10.
Buy one, add it to your Facebook account, and from then on you can confirm a login by popping it into the USB port on your desktop or laptop. (Some also communicate with phones and tablets via NFC wireless.) The key can’t be fooled by phishing sites because it will ignore pages that don’t sit at the right domain name.
And the key will work even if you change phones or lose yours. Plus, you can use the same key to secure your Google, Twitter and Microsoft accounts, among others.
Apple’s Safari does not yet support this security technology but may soon, as security-key support is now listed as “in development” for Safari’s WebKit open-source framework.
After all that work, will your mobile number then be free of Facebook? Maybe.
That same belated Facebook response reported that advertisers who upload a new Custom Audience database now can’t match a number you added before to secure your account. But those who earlier uploaded a contacts database that harbors your number can continue to land their ads in your feed.
Meanwhile, other users who have your number in their contacts lists can still upload it to Facebook if they take the social network up on its invitation to sync their contacts. That’s exactly why you shouldn’t: Friends don’t hand over their friends’ contact information to gargantuan social networks.
This article originally appeared on USA TODAY: Facebook, lose my digits: Here's how to unlist your phone number