FTC fines Twitter $150M for using 2FA info for targeted advertising

The Federal Trade Commission has fined Twitter $150 million for using phone numbers and email addresses collected to enable two-factor authentication for targeted advertising.

According to court documents [PDF], Twitter asked over 140 million users for this information to protect their accounts starting in 2013, but it failed to inform them that the data would also be used to allow advertisers to target them with ads.

This is a direct violation of the FTC Act and a 2011 Commission administrative order which banned the company from misrepresenting its security and privacy practices and profiting from deceptively collected data.

The order was issued following a settlement for failing to safeguard its users' personal information after hackers gained admin control of Twitter between January and May of 2009.

"As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue," said FTC Chair Lina M. Khan.

"The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy," added U.S. Attorney Stephanie M. Hinds.

Additional provisions of FTC's proposed order also would:

• prohibit Twitter from profiting from deceptively collected data;
• allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
• notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
• implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
• limit employee access to users’ personal data; and
• notify the FTC if the company experiences a data breach.

Twitter has agreed to settle the FTC's allegations by paying a $150 million civil penalty and implementing significant new compliance measures to improve its data privacy practices after the settlement is approved by a federal court.

In October 2019, Twitter apologized for using phone numbers and email addresses provided for account security like two-factor authentication for advertising, saying they "may have been used accidentally for ad targeting."

"We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system," said the company at the time.

Twitter's Tailored Audiences is an advertising product that enables advertisers to send targeted ads to customers in their marketing lists based on information such as email addresses and phone numbers.

The Partner Audiences advertising system allows advertisers to target users from lists provided by their third-party partners.

Twitter apologized for this error and said that it would be taking measures to ensure that a similar mistake would not happen again.

Something very similar happened in 2018 when Facebook built complex advertising profiles for all its users with everything from their 2FA phone numbers to info harvested from their friends' profiles.

Facebook later used the users' 2FA phone numbers as an additional vector to deliver targeted ads.