Twitter Hit With $150 Million Fine For Using Two-Factor Authentication Data For Marketing
from the not-helping dept
While a lot of the scandals surrounding “big tech” have been overblown, one that hasn’t been discussed enough is Silicon Valley companies’ abuse of user two-factor authentication data. If you’ve been napping, two-factor authentication (ideally via an authenticator app or hardware key rather than a phone number or email address) helps protect your accounts from being taken over even when a password leaks.
But when both Facebook and Twitter implemented it, company executives apparently thought it would be a great idea to use the email and phone data collected for marketing purposes. That’s a massive problem, as it completely undermines trust in the two-factor authentication process (and these companies’ security standards in general), making it less likely that users would protect themselves.
For much of the last decade, Twitter told its users that it was collecting their phone numbers and email addresses for account-security purposes. But it didn’t inform users that it would also use this information to target ads at them. When it was revealed, Twitter claimed it didn’t know this was happening, which if true is still… sloppy and bad in terms of both privacy and security standards.
In 2020, reports emerged that the company would likely be fined up to $250 million for the behavior by the FTC. This week the long-looming action finally dropped, with the FTC announcing that Twitter had struck a $150 million settlement with the DOJ and FTC:
from May 2013 to September 2019, Twitter told its users that it was collecting their telephone numbers and email addresses for account-security purposes, but failed to disclose that it also would use that information to help companies send targeted advertisements to consumers. The complaint further alleges that Twitter falsely claimed to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which prohibit companies from processing user information in ways that are not compatible with the purposes authorized by the users.
It was underplayed amid the other concerns, but a big portion of the $5 billion fine levied against Facebook by the FTC also involved this same exploitation of information provided specifically for 2FA.
There are obviously numerous other companies that have chosen to undermine user security by monetizing 2FA information, but given that the FTC is too underfunded and understaffed to handle them all, these fines have to be large enough to act as a shot across the bow in the absence of federal legislation.
Filed Under: 2fa, ftc, security, two factor authentication
Companies: twitter
Comments on “Twitter Hit With $150 Million Fine For Using Two-Factor Authentication Data For Marketing”
Stupid twice over
Lying to your users on a matter of security is not just short-sighted greed, it’s likely to have long-term consequences.
Having been caught once people will be rightly skeptical about any claims that a company needs that information for security purposes, making them less likely to take the steps needed to secure their accounts/information for fear of it being used against them and leaving the platform more likely to suffer the PR and potentially financial hits from their users suffering compromised accounts as a result.
Twitter Hit With $150 Million Fine For Doing Its Best To Prevent Fraud
Just sayin’.
Re:
Aaaaand I just managed to parse the information in the vertically cut through article and recognise that I’m wrong. Sorry, guys.
Re: Re:
It’s a Friday. These things happen.
Re: Re:
There’s no problem in making a mistake, only in pretending it didn’t happen and doubling down when you realise the mistake. Kudos for not doing that.
For anyone else confused, the story is that when they gathered the security data to use for 2FA, Twitter decided to use the data to sell ads as well (or they failed to stop someone who did). It shouldn’t be a surprise that this is very much not something that’s allowed.
Hopefully, this raises the profile of the argument about how, while certainly better than nothing, using personally identifiable accounts elsewhere to act as 2FA is not a great method of doing things and people should be favouring other methods (less trivial to set up and more obtrusive to use, but that’s the tradeoff for effective security).
Re: Actually...
… Twitter did say that it was for security purposes, they just didn’t say whose security. So, yeah, they did work to prevent a fraud, a “fraud” upon their own financial security!
Re: Re:
To-may-to, to-mah-to.
When it was revealed, Twitter claimed it didn’t know this was happening, which if true is still… sloppy and bad in terms of both privacy and security standards.
As far as security goes, if true, that’s even worse than doing it on purpose. Bloody hell.
The day I got a text from Facebook stumping some random friend’s post, which then posted my “STOP” reply oh-so-helpfully to said post, was the day I removed two-factor and my phone number from Facebook.
I still to this day wonder what the hell these people smoke when they think this is ever a good idea.
This is worse than nothing
$150 million fine? Their current revenue is in the neighborhood of $5 billion, so the fine is 3% of their revenue. Cost of doing business, and they’ll write it off on their taxes.
You want to stop this, prosecute whomever authorized this and send them to prison. 18 U.S. Code § 1029 (access device fraud) specifies penalties of up to 10 years.
That will serve more of a deterrent than any tiny fine the FTC can come up with.
Re:
*Cost of doing business, and they’ll write it off on their taxes.*
Maybe someone should write a bill that prevents businesses from writing off losses that are due to court judgments and other fines. Hell, I can dream, even if it’ll never happen because no sensible idea is ever taken up by those in power unless one of them comes up with it, and even then it can get pretty much destroyed if a Democrat (for example) comes up with it after a Republican does and actually gets it into law *cough*Affordable Care Act*cough*.
Looking at his dealings with the SEC, fines would only further encourage Musk’s plans to sell off user data like this even harder.
Don’tcha always wonder where these HUGE fines go? It surely isn’t going to the people affected.
Re:
The awards are damages, not fines, and don’t you wonder how much of the damages are actually collected? There are probably a lot of settlements for lesser amounts hidden behind NDAs.