
These things are never spelled out in any plans. They're done piecemeal, by separate teams, incrementally over long development cycles.

One team implements 2FA, and they add a way for users to enter their phone numbers as a second factor. The engineers are fine with this because it's for the users' benefit, so they can secure their account.

Another team implements the mobile notifications, which a user has to turn on explicitly. The engineers there do this for the users' benefit, for those users that want notifications by phone. They're opting in, after all.

Sometime in here, the fact that the phone numbers are being collected for 2FA gets forgotten. This sets the stage for a third team, who is tasked with improving engagement numbers. They see that lots of inactive users have phone numbers associated with their accounts. Maybe they might be interested in something their friends are doing? So they try an experiment where they send a notification to these users, and a large percentage of them engage with it! That must mean that the users were interested in the notification, right? After all, they opened the link or replied. So they roll it out to a wider audience, and the engagement numbers go up. Awesome! Pats on the back all around.

To be clear, I have no idea about how this actually happened, or if this is the right chronology, or anything else. It really doesn't matter; my point is that this is how this sort of thing happens in large organizations. No one has the whole picture, and in their own world view everyone thinks they're doing something good for their users.

But if you put them all together, and sprinkle in a little willful ignorance, you get Facebook spamming their users on their 2FA numbers.



Occam's razor suggests otherwise.


To me, Occam's razor says that a grand, company-wide initiative is unlikely, and it's more likely a series of isolated projects that individually make sense and that well-meaning engineers can work on in good conscience.

This is actually a scarier prospect: it means that a large organization can do unethical things even when almost all individuals involved act ethically. This makes it hard for an individual engineer to ensure that their own actions don't contribute to unethical behaviour.



