Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing

from the yeah-maybe-stop-doing-that dept

When you sign up for security services like two-factor authentication (2FA), the phone number you’re providing is supposed to be explicitly used for security. You’re providing that phone number as part of an essential exchange intended to protect yourself and your data, and that information is not supposed to be used for marketing. Since we’ve yet to craft a formal privacy law, there’s nothing really stopping companies from doing that anyway, something Facebook exploited last year when it was caught using consumer phone numbers provided explicitly for 2FA for marketing purposes.

It’s not only a violation of your users’ trust, it incentivizes them to not use two-factor authentication for fear of being spammed, making everybody less secure. As part of Facebook’s recent settlement with the FTC, the company was forbidden from using 2FA phone numbers for marketing ever again.

Having just watched Facebook go through this, Twitter has apparently decided to join the fun. In a blog post, the company this week acknowledged that participants of the company’s Tailored Audiences and Partner Audiences advertising system may have had the phone numbers they provided for 2FA used for marketing as well:

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”

Security conscious folks had already grumbled about the way Twitter sets up 2FA, and those same folks weren’t, well, impressed:

While it’s nice that Twitter came out and admitted the error, you have to think it’s unlikely this would happen were there real federal penalties for being cavalier about user privacy and security.

Last year, the company admitted to storing passwords for 330 million customers unencrypted in plain text, and a bug in the company’s code also exposed subscriber phone number data, something Twitter knew about for two years before doing anything about it. Earlier this year Twitter acknowledged that another bug exposed the location data of its users to an unknown partner. And of course Jack’s own account was hacked thanks to an SMS hijacking problem agencies like the FCC haven’t been doing much (read: anything) about.

While there’s understandable fear about the unintended consequences of poorly crafted privacy legislation, having at least some basic god-damned rules in place (including things like penalties for storing user data in plaintext, or using security-related systems like 2FA as marketing opportunities) would likely go a long way in deterring these kinds of “inadvertent oversights.” Outside of the problematic COPPA (which applies predominately to kids), there are no real federal guidelines disincentivizing the cavalier treatment of user data, though apparently we’re going to stumble through another 10 years of daily privacy scandals before “conventional wisdom” realizes that’s a problem.

Companies: twitter

Comments on “Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing”

Anonymous Coward says:

"[We] are no longer using phone numbers or email addresses collected for safety or security purposes for advertising."

This line should never need to be uttered by anyone ever. It seems so dead-ass obvious that the mere fact they remotely got into the same ballpark as needing to say anything like it is unfathomably ridiculous.

This comment has been deemed insightful by the community.
PaulT (profile) says:

Re: Re:

It’s like any of these kind of issues. If there’s a lot of money to be made in between the stupid decision being made and them being caught, they’ll happily do it. The only way it will stop is if there’s real damage other than a moment of embarrassment when they issue their empty apology.

This comment has been deemed insightful by the community.
Joel Coehoorn says:


I thought they handled this pretty well, considering these facts:

  1. They found the issue themselves. This wasn’t a case where there was a breach or public shaming. Their own audits/reviews found this.
  2. They fixed it.
  3. They publicly promised not to do it again.
  4. It was against policy from the beginning.
  5. They talked about the issue publicly.

All in all, while it’s not good that it happened, IMO the response was close to perfect.

Anonymous Coward says:

Re: Impressed

The rest, sure, but this bit I very much doubt:

They found the issue themselves. This wasn’t a case where there was a breach or public shaming. Their own audits/reviews found this.

Many (, many, many) users would refuse to give Twitter their phone number but then add it for the additional security of 2FA on the assumption that’s what the number would be used for. Then, when those users start receiving marketing spam from Twitter they know unequivocally what has occurred. Any user unwilling to give Twitter their number in their profile would have done so specifically to avoid spam. Suddenly receiving it would result in a large number of reports and complaints.

Unless getting a large volume of complaints counts as "their own audits/reviews" then I don’t think your 1. statement is true.

Anonymous Coward says:

Re: Impressed

I’m not impressed with the way they portray it as an error. "Whoops, we wrote some code to make it impossible to set up 2FA without an otherwise-unnecessary phone number, and then we collected user lists including phone numbers from advertisers, and then we wrote code to match that with the numbers we made you provide." And step 3, apparently, is the only step they’re changing.

Anonymous Coward says:

It’s not only a violation of your users’ trust, it incentivizes them to not use two-factor authentication for fear of being spammed, making everybody less secure.

GMail has exactly this problem, too. I’m not aware of any cases of Google actually abusing it, but they are dead set on the idea that you cannot enable any sort of 2FA for the account until after you’ve given them a phone number[1], so the user mistrust issue affects them too. After you’ve given them a phone number, then you can enable much more convenient 2FA methods – but as far as I’ve been able to tell, you can never enable the good methods without having a phone number on file. We had several people at work who kept 2FA disabled until the administrator forced it on for everybody (and locked out several people who missed the deadline because they had real work to do) precisely because of this lack of trust.

[1] There is one lame non-solution that if you instead have the administrator issue everybody some sort of PIN, then supposedly you can avoid the phone number. The administrator didn’t want to bother, so we didn’t get to see if it would work.

As a related bit, their phone-based 2FA sucks. It always starts with a 19 second "Please don’t share this code" message before giving you the code you need.

nerdrage (profile) says:

Re: corporations are predictable

They can be relied upon to serve the interests of their customers, who are defined as the party that provides the money that keeps them in business.

So, in every situation, ask yourself: am I the party that gives this corporation money to keep the lights on? If not, then you are not the customer. You are the product. Be very wary of situations where you are the product. Inanimate objects like products are not generally given much consideration.

nerdrage (profile) says:

simple rule of thumb

When signing up for anything, ask yourself: where is this company getting their money from?

Is it like Netflix, and they get their money from you? Or is it like Twitter and Facebook: free, but where does the money come from?

If the former, you are the customer. If the latter, you are the product and the advertiser is the customer (ie, the source of the money that keeps the servers humming and the lights on).

In both cases, the customer’s interests will be served. Don’t have anything to do with situations where you are not the customer, or if you choose to, be very freaking careful.
