Twitter's Giant Privacy Mistake Could Result In Fines

August 3, 2020


Be careful about the data you give Twitter after this.

Was it on purpose or accidental? As far as mistakes go, Twitter's notorious two-factor authentication screwup could end up being a very costly one. Arguably hidden deep inside the company's Monday 10-Q filing with the Securities and Exchange Commission is a note that the social media giant might end up on the receiving end of up to $250 million in fines. The topic at hand is Twitter inadvertently using users' phone numbers for advertising from 2013 to 2019 — numbers that had been provided only for 2FA security purposes. Multi-factor authentication is a good thing, but without proper usage restrictions and process, even these security measures can end up being misused. The Federal Trade Commission hates this sort of thing and sent a draft complaint Twitter's way on July 28.

A company using phone numbers volunteered for security reasons for advertising represents a fundamental betrayal of trust. This comes on top of many other Twitter privacy scandals, so many users, and officials, are concerned.

"Twitter 'unintentionally' used the information it got from you to secure your account in order to make money," Eva Galperin, the EFF's director of cybersecurity, said. "This kind of behavior undermines people's willingness to use 2FA and makes them less secure in the long run."

It also, according to Twitter's Monday filing, might just so happen to violate the company's 2011 FTC consent order.

"In March 2011, to resolve an investigation into various incidents, we entered into a consent order with the FTC that, among other things, required us to establish an information security program designed to protect non-public consumer information and also requires that we obtain biennial independent security assessments," reads the 10Q filing. "[On] July 28, 2020, we received a draft complaint from the FTC alleging violations of the 2011 consent order with the FTC and the FTC Act."

Twitter says the matter "remains unresolved," and estimates the "probable loss in this matter is $150.0 million to $250.0 million."

Whether such a fine would be viewed as a minor slap on the wrist, or whether it's enough to prevent similar privacy mistakes in the future, is anyone's guess. But it doesn't seem as if Silicon Valley is fully committed to the good behavior it wants to espouse.
