Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing

from the yeah-maybe-stop-doing-that dept

When you sign up for a security feature like two-factor authentication (2FA), the phone number you provide is supposed to be used for security and nothing else. You hand it over as part of an exchange meant to protect you and your data, and it is not supposed to be repurposed for marketing. Since the U.S. has yet to craft a federal privacy law, nothing really stops companies from doing exactly that, which Facebook exploited last year when it was caught using phone numbers provided explicitly for 2FA for ad targeting.

It’s not only a violation of users’ trust; it gives them a reason not to enable two-factor authentication for fear of being spammed, which makes everybody less secure. As part of Facebook’s recent settlement with the FTC, the company was forbidden from ever again using 2FA phone numbers for marketing.

Having just watched Facebook go through this, Twitter has apparently decided to join the fun. In a blog post this week, the company acknowledged that phone numbers and email addresses users had provided for 2FA may have been matched against advertiser-uploaded lists in its Tailored Audiences and Partner Audiences ad products:

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”
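What a purpose-limited design looks like, as an added example that is not Twitter's code and is not from the original article: each contact record carries the purposes it was collected for, and the audience matcher only indexes records the user consented to use for advertising. The naive matcher alongside it reproduces the failure the article describes. All records, phone numbers and function names are constructed for illustration.

```python
"""Purpose-limited audience matching (added example, not Twitter's code).

Models the failure described in the article: an ad-audience matcher that
joins advertiser-uploaded phone numbers against every number on file,
including ones users supplied only for 2FA. The fix tags each contact
record with the purposes it was collected for and makes the matcher refuse
records that lack the "advertising" purpose. All data below is constructed.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    SECURITY = "security"        # 2FA, account recovery, login alerts
    ADVERTISING = "advertising"  # audience matching, ad targeting


@dataclass(frozen=True)
class Contact:
    user_id: str
    phone: str
    purposes: frozenset  # purposes the user consented to when the number was collected


def normalize(phone: str) -> str:
    """Strip formatting so '+1 (415) 555-0102' and '+14155550102' compare equal."""
    return "+" + "".join(ch for ch in phone if ch.isdigit())


def hash_phone(phone: str) -> str:
    # Advertisers upload hashed numbers; matching is done hash-to-hash.
    return hashlib.sha256(normalize(phone).encode()).hexdigest()


def match_audience_naive(contacts, uploaded_hashes):
    """The behaviour the article describes: matches against every number on file."""
    index = {hash_phone(c.phone): c.user_id for c in contacts}
    return sorted(index[h] for h in uploaded_hashes if h in index)


def match_audience_purpose_limited(contacts, uploaded_hashes):
    """Only contacts collected with an advertising purpose are eligible for matching."""
    index = {
        hash_phone(c.phone): c.user_id
        for c in contacts
        if Purpose.ADVERTISING in c.purposes
    }
    return sorted(index[h] for h in uploaded_hashes if h in index)


def audit_leaks(contacts, uploaded_hashes):
    """Users the naive matcher exposes who never consented to advertising use."""
    naive = set(match_audience_naive(contacts, uploaded_hashes))
    limited = set(match_audience_purpose_limited(contacts, uploaded_hashes))
    return sorted(naive - limited)


# Constructed sample data: alice gave her number for 2FA only.
CONTACTS = [
    Contact("alice", "+14155550100", frozenset({Purpose.SECURITY})),
    Contact("bob", "+14155550101", frozenset({Purpose.SECURITY, Purpose.ADVERTISING})),
    Contact("carol", "+1 (415) 555-0102", frozenset({Purpose.ADVERTISING})),
]

# A constructed advertiser upload: hashes of the numbers it holds.
UPLOADED = [hash_phone(n) for n in ("+14155550100", "+14155550102", "+14155550199")]


if __name__ == "__main__":
    print("naive:", match_audience_naive(CONTACTS, UPLOADED))
    print("purpose-limited:", match_audience_purpose_limited(CONTACTS, UPLOADED))
    print("2FA-only numbers leaked by naive matcher:", audit_leaks(CONTACTS, UPLOADED))
```

The point of putting the purpose tag on the record rather than in a policy document is that the matcher cannot reach a security-only number by accident: the filter lives in the one code path that builds the match index, which is where an audit would look.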

Security-conscious folks had already grumbled about the way Twitter sets up 2FA, and those same folks weren’t, well, impressed:

While it’s nice that Twitter came out and admitted the error, it’s hard to believe this would have happened if there were real federal penalties for being cavalier about user privacy and security.

Last year, the company admitted to storing the passwords of some 330 million users in plaintext, and a bug in the company’s code also exposed subscriber phone number data, something Twitter knew about for two years before doing anything about it. Earlier this year Twitter acknowledged that another bug exposed users’ location data to an unnamed partner. And of course CEO Jack Dorsey’s own account was taken over through a SIM-swapping attack on his carrier account, an SMS hijacking problem agencies like the FCC haven’t been doing much (read: anything) about.

While there’s understandable fear about the unintended consequences of poorly crafted privacy legislation, having at least some basic god-damned rules in place (including penalties for storing user data in plaintext, or for using security-related systems like 2FA as marketing opportunities) would likely go a long way toward deterring these kinds of “inadvertent oversights.” Outside of the problematic COPPA (which applies predominantly to kids), there are no real federal rules disincentivizing the cavalier treatment of user data, though apparently we’re going to stumble through another 10 years of daily privacy scandals before “conventional wisdom” realizes that’s a problem.

Companies: twitter

Comments on “Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing”


"[We] are no longer using phone numbers or email addresses collected for safety or security purposes for advertising."

This line should never need to be uttered by anyone ever. It seems so dead-ass obvious that the mere fact they remotely got into the same ballpark as needing to say anything like it is unfathomably ridiculous.

Joel Coehoorn says:

I thought they handled this pretty well, considering these facts:

  1. They found the issue themselves. This wasn’t a case where there was a breach or public shaming. Their own audits/reviews found this.
  2. They fixed it.
  3. They publicly promised not to do it again.
  4. It was against policy from the beginning
  5. They talked about the issue publicly.

All in all, while it’s not good that it happened, IMO the response was close to perfect.


Re: Re: Impressed

The rest, sure, but this bit I very much doubt:

They found the issue themselves. This wasn’t a case where there was a breach or public shaming. Their own audits/reviews found this.

Many (many, many) users would refuse to give Twitter their phone number but then add it for the additional security of 2FA on the assumption that’s what the number would be used for. Then, when those users start receiving marketing spam from Twitter, they know unequivocally what has occurred. Any user unwilling to give Twitter their number in their profile would have done so specifically to avoid spam. Suddenly receiving it would result in a large number of reports and complaints.

Unless getting a large volume of complaints counts as "their own audits/reviews" then I don’t think your 1. statement is true.


Re: Re: Impressed

I’m not impressed with the way they portray it as an error. "Whoops, we wrote some code to make it impossible to set up 2FA without an otherwise-unnecessary phone number, and then we collected user lists including phone numbers from advertisers, and then we wrote code to match that with the numbers we made you provide." And step 3, apparently, is the only step they’re changing.


It’s not only a violation of your users’ trust, it incentivizes them to not use two-factor authentication for fear of being spammed, making everybody less secure.

Gmail has exactly this problem, too. I’m not aware of any cases of Google actually abusing it, but they are dead set on the idea that you cannot enable any sort of 2FA for the account until after you’ve given them a phone number[1], so the user mistrust issue affects them too. After you’ve given them a phone number, then you can enable much more convenient 2FA methods, but as far as I’ve been able to tell, you can never enable the good methods without having a phone number on file. We had several people at work who kept 2FA disabled until the administrator forced it on for everybody (and locked out several people who missed the deadline because they had real work to do) precisely because of this lack of trust.

[1] There is one lame non-solution that if you instead have the administrator issue everybody some sort of PIN, then supposedly you can avoid the phone number. The administrator didn’t want to bother, so we didn’t get to see if it would work.

As a related bit, their phone-based 2FA sucks. It always starts with a 19 second "Please don’t share this code" message before giving you the code you need.


Re: Re: corporations are predictable

They can be relied upon to serve the interests of their customers, who are defined as the party that provides the money that keeps them in business.

So, in every situation, ask yourself: am I the party that gives this corporation money to keep the lights on? If not, then you are not the customer. You are the product. Be very wary of situations where you are the product. Inanimate objects like products are not generally given much consideration.


simple rule of thumb

When signing up for anything, ask yourself: where is this company getting their money from?

Is it like Netflix, and they get their money from you? Or is it like Twitter and Facebook: free, but where does the money come from?

If the former, you are the customer. If the latter, you are the product and the advertiser is the customer (ie, the source of the money that keeps the servers humming and the lights on).

In both cases, the customer’s interests will be served. Don’t have anything to do with situations where you are not the customer, or if you choose to, be very freaking careful.
