It seems Facebook is abusing the trust of security-conscious users in a bid to increase engagement. At least, that’s the claim being made by software engineer Gabriel Lewis, who has the proof to back it up.

As The Verge reports, Facebook allows you to set up two-factor authentication (2FA) on your account as an extra layer of security. In order to do that, though, Facebook requires you to supply a phone number.

So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. ?? pic.twitter.com/Fy44b07wNg

— Gabriel Lewis ? (@Gabriel__Lewis) February 12, 2018

When Lewis enabled 2FA, though, Facebook assumed it was acceptable to then use his number to send SMS messages informing him when friends posted on the social network. Worse, though, was that when Lewis responded to the texts demanding that Facebook stop sending them, Lewis’s responses were posted on his Facebook page as status updates.

Clearly, when you enable 2FA the focus is on security and you don’t expect to automatically have your phone number become a new engagement channel for Facebook. There was no opt-in or even opt-out presented, it was simply triggered by enabling 2FA.

Is this a bug or a feature? If it’s a feature then Facebook could be facing another lawsuit with regards to violations of the Telephone Consumer Protection Act. I say another as one is already underway regarding the sending of unauthorized birthday reminder text messages.