Twitter has been fined $211 million (US$150 million) because it used information collected for security purposes to deliver targeted advertising.

Phone numbers and email addresses Twitter gathered to help users secure their accounts – like for account recovery and two-factor authentication – were matched against lists compiled by marketers for accurately targeting users.

Last week, the US Federal Trade Commission (FTC) announced it had fined Twitter for profiting off this “deceptively collected data”.

“Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC Chair Lina Khan said in a statement.

“This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

Deceptive business practices, like misleading advertisements, are frowned upon by the FTC.

It found that Twitter saying it was collecting data for one purpose, and then using it for another, was deceptive in a way that contravened US law.

“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” US Attorney Stephanie Hinds said.

“Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”

In October 2019, Twitter publicly admitted to, and apologised for, using security information in its advertising systems.

“We cannot say with certainty how many people were impacted by this,” Twitter said at the time. “But in an effort to be transparent, we wanted to make everyone aware.

“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”

Along with being a violation of US law, this misuse of user data was also a contravention of a previous settlement the FTC made with Twitter back in 2011.

That settlement was specifically about Twitter’s lax security standards which, at the time, included giving “almost all of its employees” administrator privileges on the platform.

Employees with admin rights could reset account passwords, view non-public data, and send tweets on the user’s behalf.

While the extension of these privileges to a range of employees may be expected at a social media company in order to facilitate account resets, for example, Twitter hadn’t been issuing company email addresses for employees to log into the platform in its first couple of years as a company.

Instead, employees would log in with their personal email addresses – over which Twitter had zero accountability – and those email addresses would appear in employee email signatures.

So when a hacker compromised an employee’s personal account in 2009, they were able to infer that person’s admin password and gain access to Twitter’s entire backend.

If this sounds familiar, it may be because you remember the story of a 17-year-old who gained access to a similar control dashboard in 2020.

Graham Clark used his newfound admin powers to engineer a mass Bitcoin scam using prominent Twitter accounts belonging to Elon Musk, Jeff Bezos, and tech giant Apple, netting some 12.8 Bitcoin in the process.

He was eventually tracked down and, following a farcical preliminary Zoom court hearing, was handed a lenient three-year sentence in juvenile detention.