FTC Fines Twitter $150 Million For Using 2FA Phone Numbers For Ad Targeting

Twitter has agreed to pay a $150 million fine after federal law enforcement officials accused the social media company of illegally selling advertisements based on an improper use of personal data over six years. NPR reports: In court documents made public on Wednesday, the Federal Trade Commission and the Department of Justice say Twitter violated a 2011 agreement with regulators in which the company vowed to not use information gathered for security purposes, like users' phone numbers and email addresses, to help advertisers target people with ads. Federal investigators say Twitter broke that promise.

"As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina Khan. Twitter requires users to provide a telephone number and email address to authenticate accounts. That information also helps people reset their passwords and unlock their accounts when the company blocks logging in due to suspicious activity. But until at least September 2019, Twitter was also using that information to boost its advertising business by allowing advertisers access to users' phone numbers and email addresses. That ran afoul of the agreement the company had with regulators. More than 140 million Twitter users provided this kind of personal information based on "Twitter's deceptive statements," according to federal prosecutors.

So...

[Anonymous Coward]

For this to be considered "just a cost of doing business" Twitter made at least $1.5B out of this practice?

Re:

[Anonymous Coward]

Exactly. If Twitter agreed to pay a 150M fine then they obviously made a lot more than that.

Re:So...

[ClueHammer]

Agreed The fine should be 10x the profit, so it really hurts them vs this slap with a wet noodle.

Re:

[rickb928]

As is always true when big corps are 'caught', this settlement is missing a zero. Maybe two.

We should make them incorporate in Iceland.

Re:

[Errol backfiring]

Not only that, "settlement" also means no conviction. They behaved like criminals and should be punished as such.

What a fucking joke

[Otis B. Dilroy III]

This fine
The FTC
The State of US regulation in general.
All a big fucking joke at the peoples expense.

Re:

[Joce640k]

What about Twitter and Facebook? You conveniently forgot to give us your opinion of them.

Re:

[necro81]

Comedian [youtube.com]? Is that you?

Re:

[rantrantrant]

Why? Did you actually believe the purpose of 2FA was better security? If you give a surveillance driven advertising agency your phone number, what do you expect?

Sad part is getting laughed at because you knew

[ffkom]

I vividly remember the time when corporations like Twitter (and many other) started to harvest mobile phone numbers under the pretense of "something something security". It was clear from the very start that this was just another ploy to lure people into exposing sensitive personal information to those greedy data collectors. Once collected, such data will be on sale, if not today, then soon or latest when the collecting company is sold off to some other company.

But when you tell people why you won't cross the red line to expose such personal information to companies, most are gullible enough to just laugh every concern off. Until they start complaining about the robo-calls, the SMS SPAM and so on.

Re:

[Generic User Account]

I collect phone numbers like a drug dealer. If the number space is going to collapse under its own weight, that's partly my fault, but I have no regrets. Action and reaction. Phone numbers are an anachronism and need to go away.

Re:

[iggymanz]

nah, my landline conference phone is better for some purposes than a screwy unreliable digital two-way radio with bad fidelity, dead spots in coverage, dropping of calls. Talk about backwards step. Phone serves better as pocket computer and two-way pager platform (texting), but actualy making phone calls sucks goat balls.

Re:

[Joce640k]

I vividly remember the time when corporations like Twitter (and many other) started to harvest mobile phone numbers under the pretense of "something something security".

Yep. I remember well the first time google said "to verify something something we'll send you a text message..."

A phone number is the holy grail of data collection. People can easily create fake email accounts but not many people have multiple phones.

Re:

[jbmartin6]

perhaps ironically, I use Google voice accounts in many of these cases. No need for multiple physical phones, it is just software.

Re:

[olsmeister]

I'm not really sure why this is. I never answer my phone unless I recognize who is calling me.

Re:

[Random361]

For several years now I've had to have my cell phone set to "silence if not in contacts" or however the option is phrased. If I turn that off, I get nothing but spam phone calls and SMS all day. In my case, what wound up happening is I've had the same cell number for over 20 years and it got leaked in a number of data breeches over the years. My suggestion for people is to use something like Google Voice and have a list of phone numbers that are used for different categories of things. Unfortunately, with e

Re:Sad part is getting laughed at because you knew

[Anonymous Crowded]

We should move numbers to unicode so everyone's DB breaks . . .

Yes, I'm just being pre-coffee nasty this morning. They deserve it.

Re:

[mjwx]

I vividly remember the time when corporations like Twitter (and many other) started to harvest mobile phone numbers under the pretense of "something something security". It was clear from the very start that this was just another ploy to lure people into exposing sensitive personal information to those greedy data collectors. Once collected, such data will be on sale, if not today, then soon or latest when the collecting company is sold off to some other company.

But when you tell people why you won't cross the red line to expose such personal information to companies, most are gullible enough to just laugh every concern off. Until they start complaining about the robo-calls, the SMS SPAM and so on.

I think it's gotten so bad I need one number to give to companies that are going to spam me and another number I use for my everyday phone. Just like I currently do with email.

Re:Sad part is getting laughed at because you knew

[AmiMoJo]

In the UK we don't really get many spam calls. There is a telephone preference service, but I haven't bothered with it. GDPR seems to have worked well - companies can't sell your phone number without your affirmative consent.

Most of us never get SMS spam or robocalls. I get some recruiters, who have an annoying habit of calling back again immediately if I decline. That gets them insta-blocked. Pixel phones have a call screening function where the phone talks to them and asks what they want, and that usually gets rid of them.

Re:

[Solandri]

The spam calls in the U.S. (at least the ones I get) mostly aren't targeted. The spammers just randomly or systematically dial numbers, so something like the GDPR (preventing the sale of your phone number) wouldn't help.

The problem is the phone companies refuse to implement a system where the call recipient can verify the caller's phone number or ID. The caller ID system is laughably easy to spoof. Blocking the number doesn't help since it's not the number the spammer is actually calling from; and it may

Re:

[mjwx]

In the UK we don't really get many spam calls. There is a telephone preference service, but I haven't bothered with it. GDPR seems to have worked well - companies can't sell your phone number without your affirmative consent.

Most of us never get SMS spam or robocalls. I get some recruiters, who have an annoying habit of calling back again immediately if I decline. That gets them insta-blocked. Pixel phones have a call screening function where the phone talks to them and asks what they want, and that usually gets rid of them.

Even though, I still get those random "We've heard you bin in an accident" calls every few months. Usually with atrocious grammar. I usually ignore unknown calls, but at the moment I'm expecting vendors to call me so I have to pick them up.

I'm guessing you're like me where you don't give out your number to everyone and sundry. I.E. competitions, radio call-ins, et al. as just about anyone can sell your number even with the GDPR as it's impossible to prove who sold it. It's getting harder to avoid using t

Re:

[splutty]

Also exactly the reason why I just leave Discord servers that require me to have "2FA" with my phone number.

No one needs my phone number for 2FA, or for confirmation I am who I am. It's absolute bullshit.

Re:

[MachineShedFred]

At one point in the not-so-distant past, SMS two-factor was something that basically everyone had access to. Now we all have smartphones, so I wish that all these systems that use SMS would just upgrade to the far more secure TOTP standard.

We can all download Google Authenticator for free, or use other standards-compliant TOTP stores such as 1Password that are even shared between devices and automatically backed up. SMS two-factor needs to just go away.

No number for you

[markdavis]

>"FTC Fines Twitter $150 Million For Using 2FA Phone Numbers For Ad Targeting"

This stuff happens ALL THE TIME. This is why I never give my cell number to ANY company. Screw them. They can either use Email or TOTP with a client of *MY* choice. For example, Redhat's open-source one (or the fork) that I know has no clue what device it is on or what phone number is associated with it (if it even has one, since you can even use a tablet).

https://en.wikipedia.org/wiki/... [wikipedia.org]

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[AmiMoJo]

FIDO2 is best. Use a hardware key. You can get an NFC reader for your computer so you don't even have to plug it in, just tap it on the reader. I attached mine to the underside of my desk. Some laptops have NFC built in too.

Really?

[linebackn]

Does anybody actually think that any web site asking for a phone/cell phone number won't use this for nefarious purposes?

"Sign up for FREE weather/news alerts now! Just give us your toy mobile phone number! Spam awaaay!"

At this very moment...

[Dster76]

...Google is forcing users to go to YouTube to perform 2FA.

Facebook needs to be next

[weeboo0104]

For years I've avoided giving phone numbers to social media because I felt that initially, using that number for ads and marketing was EXACTLY why they wanted it.

Sure enough, I finally caved and added my phone number to Facebook for 2FA and I immediately started getting SMS updates from all possible sources in Facebook. I had to manually disable the alerts to stop it.

F-them. Make the fines hurt.

US fine vs EU fines

[Midnight Thunder]

When it comes to fines that businesses worry about it will always be the EU that comes out tops. The US fines always be a gentle slap, rather than anything meaningful.

No notification for users whose numbers were sold?

[bytestorm]

The penalty here should be Twitter is barred from storing user phone numbers *and* has to notify every user whose number they sold with a message saying "We illegally sold your phone number to [list of third party data vendors]. Here's how you contact them to get your information removed from their lists." Hit them where it actually hurts: user goodwill.

Re:

[Errol backfiring]

That, and pay for the costs and inconvenience of getting a new phone number to get rid of the spam.

Slap on the wrist...

[sentiblue]

The fine amount is just breakfast money to them and they will laugh at the government after paying it, then continue doing the same.

The rule should be that if they did something illegally or against agreement, they will be fined 10-100 times more than the amount they made based on the accused activity. Sadly, the FTC, or the SEC or any other 3-letter government agency are just dogs with no teeth. The fine amount that barely scratches their pocket is just weak.