FTC, DOJ Fine Twitter $150M for Improper Use of Users’ Phone Numbers

The purpose of two-factor authentication is to add another layer of safety for users of platforms, but for five-plus years, Twitter used the phone numbers that people provided for ad-targeting purposes, and now it will have to pay up. The Federal Trade Commission and the Department of Justice ordered Twitter to pay a $150 million penalty and banned it from profiting from the data that was collected under those pretenses. For context, the fine is slightly less than the $170 million Google and YouTube were penalized ($136 million to the FTC and $34 million to New York State) in September 2019 for violations of the Children’s Privacy Law, but it is dwarfed by then-Facebook’s $5 billion settlement with the commission over the Cambridge Analytica data-sharing scandal, which was finalized in April 2020. FTC chair Lina Khan said in a statement, “As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.” Twitter chief privacy officer Damien Kieran responded in a blog post, “Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way. In reaching this settlement, we have paid a $150 million penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected.” According to the complaint filed by the DOJ on behalf of the FTC, Twitter began asking users in 2013 to provide a phone number or email address in order to improve account security, with that information to potentially be used for tasks such as resetting passwords and unlocking accounts that were blocked due to suspicious activity. Those phone numbers and email addresses were also used for two-factor authentication, which gives people an extra layer of security by not allowing logins to their accounts without a code shared by Twitter. According to the complaint, more than 140 million Twitter users provided phone numbers or email addresses for those purposes, without knowing that Twitter would use that information to target specific ads to specific people by matching that information with data it already had or procured from data brokers. The FTC said these actions violated the European Union-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, as well as the FTC Act and the terms of Twitter’s settlement with the FTC in March 2011 over failure to safeguard the personal information of its users. Kieran said the issue was addressed as of Sept. 17, 2019. In addition to the $150 million penalty, the proposed order from the FTC would: Prohibit Twitter from profiting from deceptively collected data.Enable people on Twitter to use other multi-factor authentication methods, such as mobile authentication applications or security keys that do not require them to provide their phone numbers.Have Twitter notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about its privacy and security controls.Have Twitter implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products.Limit employee access to users’ personal data.Have Twitter notify the FTC if the company experiences a data breach. Associate Attorney General Vanita Gupta said in a statement, “The DOJ is committed to protecting the privacy of consumers’ sensitive data. The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.” U.S. Attorney for the Northern District of California Stephanie Hinds added, “Consumers who share their private information have a right to know if that information is being used to help advertisers target customers. Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.” And Kieran said in his blog post, “Moving forward, we will continue to make investments in this work, including building and evolving processes, implementing technical measures and conducting regular auditing and reporting in order to ensure that we are mitigating risk at every level and function at Twitter. We will also continue to partner with the FTC, and our security and privacy regulators around the world, on our shared mission of building useful products and services that meet our customers’ needs while keeping the information they share with us secure and respectful of their privacy.”

Platforms

FTC, DOJ Fine Twitter $150M for Improper Use of Users’ Phone Numbers

Information collected for two-factor authentication was used for ad-targeting purposes

David Cohen

About

Subscriptions

Events

Publications

WORK SMARTER - LEARN, GROW AND BE INSPIRED.

Subscribe today!

David Cohen