Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing

Authored by techdirt.com and submitted by blademan9999

There are many things that big internet companies do that the media have made out to be scandals that aren't, but one misuse of data that I think received too little attention is how both Facebook and, later, Twitter were caught taking the phone numbers people gave them for two-factor authentication and then using those numbers for notification and marketing purposes.

In case you're somehow unaware, two-factor authentication is how you should protect your most important accounts. I know many people are too lazy to set it up, but please do so. It's not perfect (Twitter's recent big hack routed around 2FA protections), but it is many times better than relying on a username and password alone. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor: when you tried to log in on a new machine (or after a certain interval of time), the service would text you a code that you would need to enter to prove that you were you.

Over time, people realized that this method was less secure, because the second factor is then only as strong as control of the phone number. Many hacks involved "SIM swapping" (using social engineering to have your phone number ported over to the attacker), after which the 2FA code goes straight to the hacker. These days, good 2FA usually involves an authenticator app, like Google Authenticator or Twilio's Authy, or even better a physical key such as the YubiKey or Google's Titan Key. However, many services and users have stuck with text messaging for 2FA because it's the least complex for users, and the issue with any security practice is that if it's not user-friendly, no one will use it, and that doesn't do any good either.

But using phone numbers given for 2FA purposes for notifications or marketing is really bad. First of all, it undermines trust, which is the last thing you want to do with a security mechanism. People handed over these phone numbers and emails for a very specific and delineated reason: to better protect their accounts. Passing that phone number or email to the marketing team is a massive breach of that trust. And it undermines the entire concept of two-factor authentication, in that many users will become less willing to use 2FA, fearing how the numbers might be abused.
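As an added example, not Twitter's code and not a description of how Twitter's systems actually worked: one way to keep a 2FA contact from ever reaching ad targeting is to tag every stored contact value with the purposes the user consented to and to make the audience-matching code check that tag. The matching below assumes the hashed-list model (the advertiser uploads SHA-256 hashes of normalized emails and phone numbers, the platform matches them against its users); the `Purpose` enum, the normalization rule, the accounts and the uploaded list are all this example's own constructions.

```python
"""Added example, not Twitter's code: purpose tags on stored contact values,
checked before any ad-audience match is allowed to use them."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Purpose(Enum):
    SECOND_FACTOR = "second_factor"  # value given to protect the account (2FA)
    MARKETING = "marketing"          # value the user separately agreed to be targeted on


@dataclass
class Contact:
    value: str
    purposes: Set[Purpose]  # only the purposes the user actually consented to


@dataclass
class Account:
    user_id: str
    contacts: List[Contact] = field(default_factory=list)


def normalize(value: str) -> str:
    """Canonical form before hashing (assumed convention): emails lowercased and trimmed,
    phone numbers reduced to '+' followed by their digits."""
    v = value.strip().lower()
    if "@" not in v:
        v = "+" + "".join(ch for ch in v if ch.isdigit())
    return v


def contact_hash(value: str) -> str:
    """SHA-256 over the normalized value, the form an uploaded advertiser list is assumed to carry."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def contacts_for(account: Account, purpose: Purpose) -> List[str]:
    """The only way application code should read contact values: filtered by purpose."""
    return [c.value for c in account.contacts if purpose in c.purposes]


def match_audience(accounts: List[Account], uploaded_hashes: Set[str],
                   audit: List[Tuple[str, str]]) -> Set[str]:
    """Return user_ids whose MARKETING-consented contacts appear in the advertiser list.
    A 2FA-only contact that would have matched is not used, and the attempt is logged."""
    matched: Set[str] = set()
    for account in accounts:
        for contact in account.contacts:
            if contact_hash(contact.value) not in uploaded_hashes:
                continue
            if Purpose.MARKETING in contact.purposes:
                matched.add(account.user_id)
            else:
                allowed = ",".join(sorted(p.value for p in contact.purposes))
                audit.append((account.user_id, f"contact consented for {allowed} only"))
    return matched


if __name__ == "__main__":
    # Constructed sample data: one user gave a phone number for 2FA only, another opted in.
    alice = Account("alice", [Contact("+1 415 555 0100", {Purpose.SECOND_FACTOR})])
    bob = Account("bob", [Contact("Bob@Example.com", {Purpose.SECOND_FACTOR, Purpose.MARKETING})])
    uploaded = {contact_hash("+14155550100"), contact_hash("bob@example.com")}
    log: List[Tuple[str, str]] = []
    print("targetable:", match_audience([alice, bob], uploaded, log))
    print("denied:", log)
```

The point of the audit list is that a denied match is the signal you want surfaced: if marketing code is routinely asking for 2FA-only contacts, that is the problem this article describes, caught before it becomes a consent-decree violation.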

As we noted when Facebook received the mammoth $5 billion fine from the FTC a year ago, while the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if you actually read the FTC's settlement documents, it was other things that really caused the FTC to move, including Facebook's use of 2FA phone numbers for marketing. We were glad that Facebook got punished for that.

And now it's Twitter's turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice, on the grounds that it violated the terms of an earlier consent decree with the FTC from 2011, in which the company promised not to mislead users about how it handled personal information. Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (basically using the phone number or email as an identifier for ad targeting).

There's no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. There are many things I think Twitter gets unfairly blamed for, but a practice like this is both bad and dangerous, and I'm all for large fines from the FTC to convince companies to never do this kind of thing again.

Filed Under: 2fa, ftc, marketing, notifications, privacy, security, targeting, two factor authentication

toomany_geese on August 5th, 2020 at 09:52 UTC »

Wow, using 2FA contact methods for marketing feels extra slimy. Not too surprised at this point though.

Edit: Google Authenticator 2FA should be an option everywhere imo

nicorettejunkieagain on August 5th, 2020 at 08:46 UTC »

And that lawsuit money should be given to the people whose information was compromised.

WhirrBuzzer on August 5th, 2020 at 06:40 UTC »

A fine that is less than your profits is more accurately described as a tax. Imagine stealing $100k from a bank and if you get caught your 'fine' was $50k. No jail time. No probation.

That fine is equivalent to about one day of gross revenue for them.