Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing
from the yeah-maybe-stop-doing-that dept
When you sign up for security services like two-factor authentication (2FA), the phone number you're providing is supposed to be explicitly used for security. You're providing that phone number as part of an essential exchange intended to protect yourself and your data, and that information is not supposed to be used for marketing. Since we've yet to craft a formal privacy law, there's nothing really stopping companies from doing that anyway, something Facebook exploited last year when it was caught using consumer phone numbers provided explicitly for 2FA for marketing purposes.
It's not only a violation of your users' trust, it incentivizes them to not use two-factor authentication for fear of being spammed, making everybody less secure. As part of Facebook's recent settlement with the FTC the company was forbidden from using 2FA phone numbers for marketing ever again.
Having just watched Facebook go through this, Twitter has apparently decided to join the fun. In a blog post, the company this week acknowledged that participants of the company's Tailored Audiences and Partner Audiences advertising system may have had their phone numbers used for 2FA used for marketing as well:
"We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising."
Security conscious folks had already grumbled about the way Twitter sets up 2FA, and those same folks weren't, well, impressed:
In all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system. This is like using raw meat to secure your tent against bears.
— Matthew Green (@matthew_d_green) October 8, 2019
While it's nice that Twitter came out and admitted the error, you have to think it's unlikely this would happen were there real federal penalties for being cavalier about user privacy and security.
Last year, the company admitted to storing passwords for 330 million customers unencrypted in plain text, and a bug in the company's code also exposed subscriber phone number data, something Twitter knew about for two years before doing anything about it. Earlier this year Twitter acknowledged that another bug exposed the location data of its users to an unknown partner. And of course Jack's own account was hacked thanks to an SMS hijacking problem agencies like the FCC haven't been doing much (read: anything) about.
While there's understandable fear about the unintended consequences of poorly crafted privacy legislation, having at least some basic god-damned rules in place (including things like penalties for storing user data in plaintext, or using security-related systems like 2FA as marketing opportunities) would likely go a long way in deterring these kinds of "inadvertent oversights." Outside of the problematic COPPA (which applies predominately to kids), there are no real federal guidelines disincentivizing the cavalier treatment of user data, though apparently we're going to stumble through another 10 years of daily privacy scandals before "conventional wisdom" realizes that's a problem.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 2fa, marketing, phone numbers, two factor authentication
Companies: twitter
Reader Comments
Subscribe: RSS
View by: Time | Thread
GDPR?
Sounds like a clear GDPR violation, using personal identifying information for something other than what it was provided for.
[ link to this | view in chronology ]
Re: GDPR?
So facebook can expect yet another call from the Europeans.
[ link to this | view in chronology ]
basic god-damned rules
so a reflexive 'there-oughta-be-a-law' solution to this problem?
more federal laws and penalties are the all-purpose solution to any and all problems?
the government seems to have enormous problems crafting and applying laws of any kind; they can't even handle existing laws
[ link to this | view in chronology ]
Re: basic god-damned rules
Ok. What's your suggestion to solve this problem?
[ link to this | view in chronology ]
"[We] are no longer using phone numbers or email addresses collected for safety or security purposes for advertising."
This line should never need to be uttered by anyone ever. It seems so dead-ass obvious that the mere fact they remotely got into the same ballpark as needing to say anything like it is unfathomably ridiculous.
[ link to this | view in chronology ]
Re:
It's like any of these kind of issues. If there's a lot of money to be made in between the stupid decision being made and them being caught, they'll happily do it. The only way it will stop is if there's real damage other than a moment of embarrassment when they issue their empty apology.
[ link to this | view in chronology ]
Re:
Frankly, I'm shocked they said anything at all. It's the sort of thing you expect a company to quietly fix behind the scenes and not say ANYTHING until the FTC files suit against them, at which point they act shocked and indignant, then deny all the way up until a settlement, or a fine is levied.
[ link to this | view in chronology ]
Impressed
I thought they handled this pretty well, considering these facts:
All in all, while it's not good that it happened, IMO the response was close to perfect.
[ link to this | view in chronology ]
Re: Impressed
The rest, sure, but this bit I very much doubt:
Many (, many, many) users would refuse to give Twitter their phone number but then add it for the additional security of 2FA on the assumption that's what the number would be used for. Then, when those users start receiving marketing spam from Twitter they know unequivocally what has occurred. Any user unwilling to give Twitter their number in their profile would have done so specifically to avoid spam. Suddenly receiving it would result in a large number of reports and complaints.
Unless getting a large volume of complaints counts as "their own audits/reviews" then I don't think your 1. statement is true.
[ link to this | view in chronology ]
Re: Impressed
I'm not impressed with the way they portray it as an error. "Whoops, we wrote some code to make it impossible to set up 2FA without an otherwise-unnecessary phone number, and then we collected user lists including phone numbers from advertisers, and then we wrote code to match that with the numbers we made you provide." And step 3, apparently, is the only step they're changing.
[ link to this | view in chronology ]
GMail has exactly this problem, too. I'm not aware of any cases of Google actually abusing it, but they are dead set on the idea that you cannot enable any sort of 2FA for the account until after you've given them a phone number[1], so the user mistrust issue affects them too. After you've given them a phone number, then you can enable much more convenient 2FA methods - but as far as I've been able to tell, you can never enable the good methods without having a phone number on file. We had several people at work who kept 2FA disabled until the administrator forced it on for everybody (and locked out several people who missed the deadline because they had real work to do) precisely because of this lack of trust.
[1] There is one lame non-solution that if you instead have the administrator issue everybody some sort of PIN, then supposedly you can avoid the phone number. The administrator didn't want to bother, so we didn't get to see if it would work.
As a related bit, their phone-based 2FA sucks. It always starts with a 19 second "Please don't share this code" message before giving you the code you need.
[ link to this | view in chronology ]
Phone number for 2FA...? Bwahahaha, NOPE. Give me standard TOTP (which is to say flash me a QR code ONCE and never mention the matter again, except to ask for six extra digits on each 2FA login) or get lost. Nobody I don't mean to give my phone number has any business knowing it. For ANY purpose.
[ link to this | view in chronology ]
Re:
Apparently this is standard TOTP. Twitter just won't let you set it up unless you give them your phone number (which is not required or used for TOTP).
[ link to this | view in chronology ]
Re: Re:
Dang. If that's true, that's... downright evil!
[ link to this | view in chronology ]
Corporations are not trustworthy.
[ link to this | view in chronology ]
Re:
Why are entities specifically set up to protect their owners money from a lawsuit not trustworthy?
[ link to this | view in chronology ]
Re: Re:
"Why are entities specifically set up to protect their owners money from a lawsuit not trustworthy?"
From whose perspective?
[ link to this | view in chronology ]
Re: corporations are predictable
They can be relied upon to serve the interests of their customers, who are defined as the party that provides the money that keeps them in business.
So, in every situation, ask yourself: am I the party that gives this corporation money to keep the lights on? If not, then you are not the customer. You are the product. Be very wary of situations where you are the product. Inanimate objects like products are not generally given much consideration.
[ link to this | view in chronology ]
So, like, a honeypot?
[ link to this | view in chronology ]
Re:
No, the tent is where I store my phone numbers.
[ link to this | view in chronology ]
simple rule of thunb
When signing up for anything, ask yourself: where is this company getting their money from?
Is it like Netflix, and they get their money from you? Or is it like Twitter and Facebook: free, but where does the money come from?
If the former, you are the customer. If the latter, you are the product and the advertiser is the customer (ie, the source of the money that keeps the servers humming and the lights on).
In both cases, the customer's interests will be served. Don't have anything to do with situations where you are not the customer, or if you choose to, be very freaking careful.
[ link to this | view in chronology ]