Better Business Bureau: Regulators say Twitter deceived its users

The Department of Justice and FTC have reached a settlement with Twitter over allegations that the company misrepresented what it did with data it collected from users for security purposes. The company will pay a $150 million penalty and reform its privacy and data security practices.

According to the DOJ/FTC complaint, in 2013 Twitter began asking users to provide a phone number or email address to improve account security.

The information could be used to help reset passwords and unlock accounts that Twitter might have blocked due to suspicious activity. It could also be used to enable multi-factor authentication, which provides additional security by having Twitter users log in using a security code in addition to a username and password.

Twitter would send the code to the designated phone number or email address. More than 140 million Twitter users provided the information between 2014 and 2019.

The problem is that Twitter didn’t properly disclose that the contact information would also be used for targeted advertising. Advertisers could match the information Twitter provided with data they already had or obtained from data brokers to target Twitter users with specific ads. Twitter earns most of its revenue from advertising on its platform.

Twitter’s privacy policy said that such information could be used “for things like keeping your account secure and showing you more relevant Tweets, people to follow, events, and ads.” But the FTC’s position is that such a generic, broad disclosure buried in a lengthy document didn’t override the specific, security-related reason Twitter said it needed the information.

The FTC said Twitter’s deception violated a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. In that case, the FTC alleged that serious lapses in Twitter’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.

The FTC took a similar action against a company called CafePress that told customers who ordered products online that they needed to provide their email address “for order notifications and receipt.” The company also used the information for marketing purposes.

The proposed order would prohibit Twitter from profiting from deceptively collected data and require it to:

  • allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;

  • notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;

  • implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;

  • limit employee access to users’ personal data; and

  • notify the FTC if the company experiences a data breach.

The FTC endorses the use of multi-factor authentication, but prefers forms that don’t require providing personal information, such as mobile authentication apps or security keys. And it says that consumers who don’t want to receive targeted ads should check their privacy settings to see if they can opt out.

Randy Hutchinson

Randy Hutchinson is President & CEO of the Better Business Bureau of the Mid-South.

This article originally appeared on Jackson Sun: Better Business Bureau: Regulators say Twitter deceived its users