Twitter is in the hot seat again for violating users’ privacy by misusing personal data that was submitted for security purposes.
Three years ago, Twitter admitted that personal information provided by users for two-factor authentication (2FA) purposes was “inadvertently” used in targeted advertisements. Now, it might be paying the penalty.
The Department of Justice (DOJ) announced Wednesday that Twitter violated a 2011 Federal Trade Commission (FTC) order that prohibited the social media company from deceptively using personal information. Twitter and the DOJ agreed on a $150 million penalty that will now be reviewed in federal court.
A complaint filed by the U.S. District Court for the Northern District of California alleged that Twitter financially profited from users’ telephone numbers and email addresses after collecting the information solely for security purposes. The alleged infractions occurred between May 2013 and September 2019.
A press release by the FTC Wednesday criticized Twitter’s practices, claiming that the social media giant used users’ 2FA phone numbers and email addresses to allow advertisers to deliver specific advertising to them.
In a separate blog post Wednesday, Lesley Fair, senior attorney with the FTC’s Bureau of Consumer Protection, revealed that more than 140 million users were affected by the Twitter 2FA violation. While they did provide personal information to enable account recovery, the users did not authorize its use in targeted advertisements. Therefore, Twitter is also being accused of failing to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks.
“Would that same number of people have given Twitter that information if they knew how else Twitter was going to use it? We don’t think so,” Fair wrote in the blog.
Fair also addressed the FTC’s settlement with Twitter in 2010, which marked a first for the FTC against a social networking service. Twitter was charged with deceiving users and putting their privacy at risk “by failing to safeguard their personal information.” The FTC order Twitter is accused of violating was enacted the following year.
Brett Callow, threat analyst at Emsisoft, echoed Fair’s sentiment on Twitter Wednesday and stated that the penalty was warranted.
“Misusing info. users provided for security purposes means it’s less likely they’ll provide that info. in future, which makes everybody less secure,” Callow said in a tweet.
In addition to the $150 million penalty, the DOJ said Twitter will be required to enact a “comprehensive privacy and information-security program,” along with regular assessments conducted by an independent assessor.
Multifactor authentication is a common and widely used practice to safeguard accounts, but infosec experts have expressed concerns over organizations potentially misusing private data such as mobile phone numbers, which could then hamper adoption of MFA. However, Twitter is not the only social media site to be caught turning personal information into profit.
In 2018, Facebook first denied then later admitted that it intentionally used 2FA mobile phone numbers for targeted advertisement purposes. The FTC imposed a $5 billion fine on Facebook the following year for a number of violations of users’ privacy.