Twitter Hit With $150 Million Fine For Using Two-Factor Authentication Data For Marketing

from the not-helping dept

While a lot of the scandals surrounding “big tech” have been overblown, one that hasn’t been discussed enough is Silicon Valley companies’ abuse of user two-factor authentication data. If you’ve been napping, two-factor authentication (preferably of the email variety) helps protect your accounts from being compromised by hackers.

But when both Facebook and Twitter implemented it, company executives apparently thought it would be a great idea to use the email and phone data collected for marketing purposes. That’s a massive problem, as it completely undermines trust in the two-factor authentication process (and these companies’ security standards in general), making it less likely that users would protect themselves.

For much of the last decade, Twitter told its users that it was collecting their phone numbers and email addresses for account-security purposes. But it didn’t inform users that it would also use this information to send targeted ads to customers. When it was revealed, Twitter claimed it didn’t know this was happening, which if true is still… sloppy and bad in terms of both privacy and security standards.

In 2020, reports emerged that the company would likely be fined up to $250 million for the behavior by the FTC. This week the long-looming action finally dropped, with the FTC announcing that Twitter had struck a $150 million settlement with the DOJ and FTC:

from May 2013 to September 2019, Twitter told its users that it was collecting their telephone numbers and email addresses for account-security purposes, but failed to disclose that it also would use that information to help companies send targeted advertisements to consumers. The complaint further alleges that Twitter falsely claimed to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which prohibit companies from processing user information in ways that are not compatible with the purposes authorized by the users.

It was underplayed in the scope of other concerns, but a big portion of the $5 billion fine levied against Facebook by the FTC also involved this same exploitation of information provided specifically for 2FA.

There are obviously numerous other companies that have chosen to undermine user security by monetizing 2FA information, but given the FTC is too underfunded and understaffed to handle them all, these fines have to be large enough to act as a warning shot over the bow in the absence of federal legislation.

Companies: twitter


Comments on “Twitter Hit With $150 Million Fine For Using Two-Factor Authentication Data For Marketing”

That One Guy (profile) says:

Stupid twice over

Lying to your users on a matter of security is not just short-sighted greed, it’s likely to have long-term consequences.

Having been caught once, people will be rightly skeptical about any claims that a company needs that information for security purposes, making them less likely to take the steps needed to secure their accounts/information for fear of it being used against them, and leaving the platform more likely to suffer the PR and potentially financial hits from their users suffering compromised accounts as a result.

PaulT (profile) says:

Re: Re:

There’s no problem in making a mistake, only in pretending it didn’t happen and doubling down when you realise the mistake. Kudos for not doing that.

For anyone else confused, the story is that when they gathered the security data to use for 2FA, Twitter decided to use the data to sell ads as well (or they failed to stop someone who did). It shouldn’t be a surprise that this is very much not something that’s allowed.

Hopefully, this raises the profile of the argument about how, while certainly better than nothing, using personally identifiable accounts elsewhere to act as 2FA is not a great method of doing things and people should be favouring other methods (less trivial to set up and more obtrusive to use, but that’s the tradeoff for effective security).

TaboToka (profile) says:

This is worse than nothing

$150 million dollar fine? Their current revenue is in the neighborhood of $5 billion, so the fine is 3% of their revenue. Cost of doing business, and they’ll write it off on their taxes.

You want to stop this, prosecute whomever authorized this and send them to prison. 18 U.S. Code § 1029 (access device fraud) specifies penalties of up to 10 years.

That will serve more of a deterrent than any tiny fine the FTC can come up with.

Naughty Autie says:


*Cost of doing business, and they’ll write it off on their taxes.*

Maybe someone should write a bill that prevents businesses writing off losses that are due to court judgments and other fines. Hell, I can dream even if it’ll never happen because no sensible idea is ever taken up by those in power unless one of them comes up with it, and even then it can get pretty much destroyed if a Democrat (for example) comes up with it after a Republican does and actually gets it into law *cough*Affordable Care Act*cough*.
