Twitter has been fined $150 million by the United States Federal Trade Commission (FTC), after it used phone numbers submitted by users to set up two-factor authentication… for targeted advertising.
As FTC Chair Lina M. Khan describes:
“Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
What?? You’ve got to be kidding me?
Sadly not. Dumb isn’t it?
Everyone who works in technology knows that it’s a good idea to harden the security of your online accounts by enabling two-factor authentication (2FA). It’s one of the simplest ways in which you can better protect your account from being hacked.
So why on *earth* would a company like Twitter want to undermine the general public’s confidence in 2FA, by helping advertisers target people through phone numbers and email addresses that had been collected to better secure their accounts?
This is stupid.
Yes, I can’t think of any other company which would be so dumb as to allow advertisers to target individuals by exploiting phone numbers only shared for the purposes of 2FA.
Oh, hang on. Yes, I can.
Facebook did this too?
In 2018, researchers at Northeastern University discovered that was exactly what Facebook had been doing.
Words fail me.
The thing is, it’s hard to believe that both Twitter and Facebook didn’t know what they were doing – and yet they carried on regardless.
Twitter failed to disclose how it was going to exploit users’ phone numbers collected for 2FA purposes from May 2013, all the way until September 2019. Then, in October 2019, it revealed what it had been doing all those years, and apologised.
So should I disable 2FA on my Twitter account?
Definitely not. Twitter says it hasn’t been misusing your phone number since 2019. Which is jolly nice of them.
And any form of two-factor authentication is better than none at all.
But you might be smarter to enable 2FA on Twitter through an authentication app or security key, rather than your phone number.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.