Published on 16/10/2019 | Written by Heather Wright
Twitter ‘inadvertently’ uses 2FA phone numbers, email for marketing…
Two-factor authentication is meant to help keep us safe, but that memo seems not to have reached Twitter, which has admitted that it ‘inadvertently’ used the phone numbers and email addresses users supplied for security purposes to target advertising.
The company, which is already under investigation by the Irish Data Protection Commission over data breaches under the GDPR, says users who provided an email address or phone number for safety or security purposes may have had that data used in Twitter’s Tailored Audiences and Partner Audiences advertising systems.
Twitter’s Tailored Audiences allows advertisers to upload their own email address lists to be matched with Twitter users with the same email, enabling companies to ‘remarket’ to those who have – in theory at least – already expressed interest in their brand.
“We’re very sorry this happened.”
Partner Audiences provides a similar service, but with lists created by third parties.
While list matching of this kind is common among social networks, it is also open to abuse by advertisers who upload purchased or otherwise dubious email address lists.
For Twitter, however, the issue is far simpler: not only is the practice a serious breach of trust, but the GDPR’s purpose-limitation principle (Article 5(1)(b)) prohibits using personal data for a purpose other than the one it was collected for unless users have been informed of the new purpose.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” Twitter says. “This was an error and we apologise.”
Twitter says it doesn’t know how many people have been impacted. It says the issue was ‘addressed’ as of September 17 – though the issue wasn’t made public until October and then only as an apology on Twitter’s site, rather than a proactive campaign to contact users.
The company says it is no longer using phone numbers or email addresses collected for safety or security purposes for advertising, but is light on details – including why identifiers collected for account security were apparently not kept separate from, or at least tagged distinctly from, the contact data used to sell to those same users.
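The design failure described above is a missing purpose boundary between security contact data and advertising contact data. The following Python example is added here to illustrate it; it is not Twitter’s code, and the data model, the contact purposes and the sample records are all constructed assumptions. It shows a list-matching job of the kind Tailored Audiences performs (advertiser-supplied identifiers hashed and compared against identifiers on file), first in a naive form that consults every identifier the platform holds, then in a purpose-bound form that only consults identifiers the user provided for marketing use. It goes one step beyond the article by also computing, from the two results, exactly which users were matched only through security-purpose data, which is the impact figure Twitter says it could not produce.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Purpose tags stored with every contact identifier (assumed model, not Twitter's).
SECURITY = "security"    # supplied for 2FA, login alerts or account recovery
MARKETING = "marketing"  # supplied where the user was told it may be used for ads


@dataclass(frozen=True)
class Contact:
    user_id: str
    value: str    # email address or phone number as the user entered it
    purpose: str  # SECURITY or MARKETING


def normalize(value: str) -> str:
    """Canonical form so 'Bob@Example.com' and 'bob@example.com' compare equal."""
    return value.strip().lower()


def fingerprint(value: str) -> str:
    """Advertiser lists are matched on a hash of the normalized identifier,
    so the matching job never needs the raw contact value from the list."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def hash_advertiser_list(values: Iterable[str]) -> FrozenSet[str]:
    return frozenset(fingerprint(v) for v in values)


def match_naive(contacts: Iterable[Contact], advertiser_hashes: FrozenSet[str]) -> List[str]:
    """Broken: matches on any identifier on file, regardless of why the user gave it.
    A 2FA phone number becomes an ad-targeting key."""
    hits = {c.user_id for c in contacts if fingerprint(c.value) in advertiser_hashes}
    return sorted(hits)


def match_purpose_bound(
    contacts: Iterable[Contact],
    advertiser_hashes: FrozenSet[str],
    allowed_purposes: FrozenSet[str] = frozenset({MARKETING}),
) -> List[str]:
    """Fixed: the purpose check runs before the hash comparison, so security-only
    identifiers are never even looked up. The same effect can be had by keeping
    security contacts in a separate store the ads pipeline cannot read."""
    hits = {
        c.user_id
        for c in contacts
        if c.purpose in allowed_purposes and fingerprint(c.value) in advertiser_hashes
    }
    return sorted(hits)


def impacted_users(contacts: Iterable[Contact], advertiser_hashes: FrozenSet[str]) -> List[str]:
    """Users who would have been matched only because a security-purpose
    identifier was consulted: the population a breach notification should cover."""
    contacts = list(contacts)
    naive = set(match_naive(contacts, advertiser_hashes))
    bound = set(match_purpose_bound(contacts, advertiser_hashes))
    return sorted(naive - bound)


# Constructed sample data (not real users or advertisers).
CONTACTS = [
    Contact("u1", "alice@example.com", SECURITY),   # email given only for 2FA
    Contact("u2", "bob@example.com", MARKETING),    # email the user allowed for ads
    Contact("u3", "+15551234567", SECURITY),        # 2FA phone number
    Contact("u3", "carol@example.com", MARKETING),  # same user's marketing email
]
ADVERTISER_LIST = ["alice@example.com", "Bob@Example.com", "+15551234567"]
ADVERTISER_HASHES = hash_advertiser_list(ADVERTISER_LIST)

if __name__ == "__main__":
    print("naive match:        ", match_naive(CONTACTS, ADVERTISER_HASHES))
    print("purpose-bound match:", match_purpose_bound(CONTACTS, ADVERTISER_HASHES))
    print("impacted by leak:   ", impacted_users(CONTACTS, ADVERTISER_HASHES))
```

Run as-is, the naive matcher returns u1, u2 and u3; the purpose-bound matcher returns only u2, because carol@example.com is not on the advertiser’s list and u1 and u3 matched solely through security-purpose identifiers. The purpose tag has to travel with the identifier from the moment it is collected; a matcher that checks it is only as reliable as the provenance recorded at intake.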
It’s not the first time a social media platform has been caught dipping into information provided for security reasons. Last September Facebook confirmed it was using phone numbers provided for 2FA to target ads at users.
The US Federal Trade Commission cited Facebook’s use of 2FA phone numbers for advertising as one of the key privacy violations behind the record US$5 billion penalty it announced in July. The accompanying 20-year settlement order explicitly bars Facebook from using phone numbers collected for security purposes to target ads.
That could be one reason for Twitter’s repeated apologies over the transgression.
Twitter says no personal data was shared externally with partners or other third parties (apart, of course, from your email and phone number…).
This latest privacy breach comes just two months after Twitter admitted that, for more than a year, it had been sharing with advertisers, without users’ permission, user and device data about people who had clicked on ads.