Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing

from the yeah-maybe-stop-doing-that dept

When you sign up for security services like two-factor authentication (2FA), the phone number you're providing is supposed to be explicitly used for security. You're providing that phone number as part of an essential exchange intended to protect yourself and your data, and that information is not supposed to be used for marketing. Since we've yet to craft a formal privacy law, there's nothing really stopping companies from doing that anyway, something Facebook exploited last year when it was caught using consumer phone numbers provided explicitly for 2FA for marketing purposes.

It's not only a violation of your users' trust, it incentivizes them to not use two-factor authentication for fear of being spammed, making everybody less secure. As part of Facebook's recent settlement with the FTC the company was forbidden from using 2FA phone numbers for marketing ever again.

Having just watched Facebook go through this, Twitter has apparently decided to join the fun. In a blog post this week, the company acknowledged that phone numbers users had provided for 2FA may also have been used for marketing through its Tailored Audiences and Partner Audiences advertising system:

"We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising."

Security-conscious folks had already grumbled about the way Twitter sets up 2FA, and those same folks weren't, well, impressed:

While it's nice that Twitter came out and admitted the error, you have to think it's unlikely this would happen were there real federal penalties for being cavalier about user privacy and security.

Last year, the company admitted to storing passwords for 330 million customers unencrypted in plain text, and a bug in the company's code also exposed subscriber phone number data, something Twitter knew about for two years before doing anything about it. Earlier this year Twitter acknowledged that another bug exposed the location data of its users to an unknown partner. And of course Jack's own account was hacked thanks to an SMS hijacking problem agencies like the FCC haven't been doing much (read: anything) about.

While there's understandable fear about the unintended consequences of poorly crafted privacy legislation, having at least some basic god-damned rules in place (including things like penalties for storing user data in plaintext, or using security-related systems like 2FA as marketing opportunities) would likely go a long way in deterring these kinds of "inadvertent oversights." Outside of the problematic COPPA (which applies predominantly to kids), there are no real federal guidelines disincentivizing the cavalier treatment of user data, though apparently we're going to stumble through another 10 years of daily privacy scandals before "conventional wisdom" realizes that's a problem.

Filed Under: 2fa, marketing, phone numbers, two factor authentication
Companies: twitter


Reader Comments



  • Anonymous Coward, 10 Oct 2019 @ 6:30am

    GDPR?

    Sounds like a clear GDPR violation, using personal identifying information for something other than what it was provided for.


  • Anonymous Coward, 10 Oct 2019 @ 6:33am

    basic god-damned rules

    so a reflexive 'there-oughta-be-a-law' solution to this problem?

    more federal laws and penalties are the all-purpose solution to any and all problems?

    the government seems to have enormous problems crafting and applying laws of any kind; they can't even handle existing laws


  • Anonymous Coward, 10 Oct 2019 @ 6:48am

    "[We] are no longer using phone numbers or email addresses collected for safety or security purposes for advertising."

    This line should never need to be uttered by anyone ever. It seems so dead-ass obvious that the mere fact they remotely got into the same ballpark as needing to say anything like it is unfathomably ridiculous.


    • PaulT (profile), 10 Oct 2019 @ 7:06am

      Re:

      It's like any of these kind of issues. If there's a lot of money to be made in between the stupid decision being made and them being caught, they'll happily do it. The only way it will stop is if there's real damage other than a moment of embarrassment when they issue their empty apology.


    • JoeCool (profile), 10 Oct 2019 @ 7:30am

      Re:

      Frankly, I'm shocked they said anything at all. It's the sort of thing you expect a company to quietly fix behind the scenes and not say ANYTHING until the FTC files suit against them, at which point they act shocked and indignant, then deny all the way up until a settlement, or a fine is levied.


  • Joel Coehoorn, 10 Oct 2019 @ 8:26am

    Impressed

    I thought they handled this pretty well, considering these facts:

    1. They found the issue themselves. This wasn't a case where there was a breach or public shaming. Their own audits/reviews found this.
    2. They fixed it.
    3. They publicly promised not to do it again.
    4. It was against policy from the beginning
    5. They talked about the issue publicly.

    All in all, while it's not good that it happened, IMO the response was close to perfect.


    • Anonymous Coward, 10 Oct 2019 @ 8:56am

      Re: Impressed

      The rest, sure, but this bit I very much doubt:

      They found the issue themselves. This wasn't a case where there was a breach or public shaming. Their own audits/reviews found this.

      Many (many, many) users would refuse to give Twitter their phone number but then add it for the additional security of 2FA on the assumption that's what the number would be used for. Then, when those users start receiving marketing spam from Twitter, they know unequivocally what has occurred. Any user unwilling to give Twitter their number in their profile would have done so specifically to avoid spam. Suddenly receiving it would result in a large number of reports and complaints.

      Unless getting a large volume of complaints counts as "their own audits/reviews" then I don't think your 1. statement is true.


    • Anonymous Coward, 10 Oct 2019 @ 10:32am

      Re: Impressed

      I'm not impressed with the way they portray it as an error. "Whoops, we wrote some code to make it impossible to set up 2FA without an otherwise-unnecessary phone number, and then we collected user lists including phone numbers from advertisers, and then we wrote code to match that with the numbers we made you provide." And step 3, apparently, is the only step they're changing.


  • Anonymous Coward, 10 Oct 2019 @ 9:03am

    It's not only a violation of your users' trust, it incentivizes them to not use two-factor authentication for fear of being spammed, making everybody less secure.

    GMail has exactly this problem, too. I'm not aware of any cases of Google actually abusing it, but they are dead set on the idea that you cannot enable any sort of 2FA for the account until after you've given them a phone number[1], so the user mistrust issue affects them too. After you've given them a phone number, then you can enable much more convenient 2FA methods - but as far as I've been able to tell, you can never enable the good methods without having a phone number on file. We had several people at work who kept 2FA disabled until the administrator forced it on for everybody (and locked out several people who missed the deadline because they had real work to do) precisely because of this lack of trust.

    [1] There is one lame non-solution: if you instead have the administrator issue everybody some sort of PIN, then supposedly you can avoid the phone number. The administrator didn't want to bother, so we didn't get to see if it would work.

    As a related bit, their phone-based 2FA sucks. It always starts with a 19 second "Please don't share this code" message before giving you the code you need.


  • Max, 10 Oct 2019 @ 10:06am

    Phone number for 2FA...? Bwahahaha, NOPE. Give me standard TOTP (which is to say flash me a QR code ONCE and never mention the matter again, except to ask for six extra digits on each 2FA login) or get lost. Nobody I don't mean to give my phone number has any business knowing it. For ANY purpose.


  • Anonymous Coward, 10 Oct 2019 @ 11:10am

    Corporations are not trustworthy.


    • A Guy, 10 Oct 2019 @ 1:50pm

      Re:

      Why are entities specifically set up to protect their owners' money from a lawsuit not trustworthy?


      • Anonymous Coward, 11 Oct 2019 @ 6:43am

        Re: Re:

        "Why are entities specifically set up to protect their owners' money from a lawsuit not trustworthy?"

        From whose perspective?


    • nerdrage (profile), 13 Oct 2019 @ 12:47pm

      Re: corporations are predictable

      They can be relied upon to serve the interests of their customers, who are defined as the party that provides the money that keeps them in business.

      So, in every situation, ask yourself: am I the party that gives this corporation money to keep the lights on? If not, then you are not the customer. You are the product. Be very wary of situations where you are the product. Inanimate objects like products are not generally given much consideration.


  • Daydream, 10 Oct 2019 @ 1:58pm

    This is like using raw meat to secure your tent against bears.

    So, like, a honeypot?


  • nerdrage (profile), 13 Oct 2019 @ 12:45pm

    simple rule of thumb

    When signing up for anything, ask yourself: where is this company getting their money from?

    Is it like Netflix, and they get their money from you? Or is it like Twitter and Facebook: free, but where does the money come from?

    If the former, you are the customer. If the latter, you are the product and the advertiser is the customer (ie, the source of the money that keeps the servers humming and the lights on).

    In both cases, the customer's interests will be served. Don't have anything to do with situations where you are not the customer, or if you choose to, be very freaking careful.

