Twitter Fined $150 Million for Using Two Factor Authentication for Marketing Purposes

Two factor authentication is often pushed for security purposes. Twitter, however, used that information for more.

A number of large platforms and services have been pushing two factor authentication (sometimes referred to as 2FA) for years now. The idea is that if you simply use a password to protect your account, then it is generally easier for malicious third parties to eventually get into it. However, if you throw in something like a cell phone or a secondary question, then it’s, in theory, more difficult to break into that account.

From a strictly technological perspective, there isn’t much inherently wrong with 2FA. Probably the biggest problem is if you use your cell phone as a secondary method of authentication, then there is an increased chance of accidentally getting locked out of your own account. Still, those in the security field do generally agree that this system does add an additional layer of security. You can read up about this kind of technology on the Electronic Frontier Foundation site.

A spinoff effect of 2FA is that enabling such systems builds trust in a given service or platform. After all, while it is a bit of a pain, it’s easy to simply look at a platform offering such a system at face value. There’s no reason to really believe that a platform that uses 2FA would use that information for anything other than security, right? In fact, of all the notifications to enable this security feature we’ve seen, we have never seen anything to suggest that such information would be used for anything other than adding security to an account.

Unfortunately, there are apparently those who would actually use that information for things other than security. It’s easy to see why the temptation is there. If the system you set up requires the use of a cell phone, then this offers access to millions of people’s phone numbers. So, you know that the information is going to be quite good for reaching out to individual users. As it turns out, some platforms wound up using that information for marketing purposes.

In 2019, Facebook was ordered by the FTC to stop using 2FA information for marketing purposes. This came after an investigation by journalists uncovered this apparent misuse of such data. In the same year, Twitter was also busted for taking information collected by its 2FA system and using it for advertising.

The revelations, unsurprisingly, sparked mistrust of an otherwise sound security system. What’s more, when any service now asks for your cell phone number for security purposes, some look at those requests with suspicion. Thanks to the revelations about Facebook and Twitter, users do have good reason to ask questions. Let’s face it, who could blame them? After all, if two large platforms are doing it, what reason do users have to think that no other platform is simply doing the same thing?

Now, we are learning that Twitter has reached a settlement with the FTC and the DOJ over the misuse of that personal information. Karl Bode of Techdirt notes that Twitter has said that it didn’t know that this was happening. The article also links to a DOJ press release which says, among other things, the following:

In a complaint filed today in the U.S. District Court for the Northern District of California, the government alleges that Twitter violated the FTC Act and the 2011 order by deceiving users about the extent to which Twitter maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, the complaint alleges that, from May 2013 to September 2019, Twitter told its users that it was collecting their telephone numbers and email addresses for account-security purposes, but failed to disclose that it also would use that information to help companies send targeted advertisements to consumers. The complaint further alleges that Twitter falsely claimed to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which prohibit companies from processing user information in ways that are not compatible with the purposes authorized by the users.

“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”

Twitter has agreed to settle the government’s allegations by paying a $150 million civil penalty and implementing significant new compliance measures intended to ensure that Twitter improves its data privacy practices. For instance, Twitter will be required to develop and maintain a comprehensive privacy and information-security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users’ private information, and conduct regular testing of its data privacy safeguards. Twitter also will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users, and comply with numerous other reporting and record-keeping requirements. The settlement also will require Twitter to notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and to provide users with options for protecting their privacy and security. Under the settlement terms, the Department of Justice and FTC will each have responsibility for monitoring and enforcing Twitter’s compliance.

It’s worth pointing out that there is a certain tragedy in all of this. These developments threaten to undermine trust in 2FA security altogether. The security behind all of this is sound. The problem really lies with the websites and services that decide to misuse this for their own gains at the expense of the users. There are no doubt plenty of services that use 2FA for legitimate security reasons and nothing else. Yet, the risk is that users will look at these legitimate security recommendations and be skeptical because of what happened with Facebook and Twitter.

It’s going to take a while for these hits to the reputation of 2FA to heal – especially when large platforms ask for these details. It’s unclear how long before that lost trust is restored. The security damage as a result of that is going to sting for a while. We can only hope that the time period between now and when trust is more or less restored is minimal, but that could be a hard sell.

Drew Wilson on Twitter: @icecube85 and Facebook.
