Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing
from the yeah-maybe-stop-doing-that dept
When you sign up for security services like two-factor authentication (2FA), the phone number you’re providing is supposed to be explicitly used for security. You’re providing that phone number as part of an essential exchange intended to protect yourself and your data, and that information is not supposed to be used for marketing. Since we’ve yet to craft a formal privacy law, there’s nothing really stopping companies from doing that anyway, something Facebook exploited last year when it was caught using consumer phone numbers provided explicitly for 2FA for marketing purposes.
It’s not only a violation of your users’ trust, it incentivizes them to not use two-factor authentication for fear of being spammed, making everybody less secure. As part of Facebook’s recent settlement with the FTC the company was forbidden from using 2FA phone numbers for marketing ever again.
Having just watched Facebook go through this, Twitter has apparently decided to join the fun. In a blog post, the company this week acknowledged that participants of the company’s Tailored Audiences and Partner Audiences advertising system may have had their phone numbers used for 2FA used for marketing as well:
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”
Security conscious folks had already grumbled about the way Twitter sets up 2FA, and those same folks weren’t, well, impressed:
In all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system. This is like using raw meat to secure your tent against bears.
— Matthew Green (@matthew_d_green) October 8, 2019
While it’s nice that Twitter came out and admitted the error, you have to think it’s unlikely this would happen were there real federal penalties for being cavalier about user privacy and security.
Last year, the company admitted to storing passwords for 330 million customers unencrypted in plain text, and a bug in the company’s code also exposed subscriber phone number data, something Twitter knew about for two years before doing anything about it. Earlier this year Twitter acknowledged that another bug exposed the location data of its users to an unknown partner. And of course Jack’s own account was hacked thanks to an SMS hijacking problem agencies like the FCC haven’t been doing much (read: anything) about.
While there’s understandable fear about the unintended consequences of poorly crafted privacy legislation, having at least some basic god-damned rules in place (including things like penalties for storing user data in plaintext, or using security-related systems like 2FA as marketing opportunities) would likely go a long way in deterring these kinds of “inadvertent oversights.” Outside of the problematic COPPA (which applies predominately to kids), there are no real federal guidelines disincentivizing the cavalier treatment of user data, though apparently we’re going to stumble through another 10 years of daily privacy scandals before “conventional wisdom” realizes that’s a problem.
Filed Under: 2fa, marketing, phone numbers, two factor authentication
Companies: twitter
Comments on “Whoops, Twitter The Latest To Use Two Factor Authentication Phone Numbers For Marketing”
GDPR?
Sounds like a clear GDPR violation, using personal identifying information for something other than what it was provided for.
Re: GDPR?
So facebook can expect yet another call from the Europeans.
basic god-damned rules
so a reflexive ‘there-oughta-be-a-law’ solution to this problem?
more federal laws and penalties are the all-purpose solution to any and all problems?
the government seems to have enormous problems crafting and applying laws of any kind; they can’t even handle existing laws
Re: basic god-damned rules
Ok. What’s your suggestion to solve this problem?
"[We] are no longer using phone numbers or email addresses collected for safety or security purposes for advertising."
This line should never need to be uttered by anyone ever. It seems so dead-ass obvious that the mere fact they remotely got into the same ballpark as needing to say anything like it is unfathomably ridiculous.
Re: Re:
It’s like any of these kind of issues. If there’s a lot of money to be made in between the stupid decision being made and them being caught, they’ll happily do it. The only way it will stop is if there’s real damage other than a moment of embarrassment when they issue their empty apology.
Re: Re:
Frankly, I’m shocked they said anything at all. It’s the sort of thing you expect a company to quietly fix behind the scenes and not say ANYTHING until the FTC files suit against them, at which point they act shocked and indignant, then deny all the way up until a settlement, or a fine is levied.
Impressed
I thought they handled this pretty well, considering these facts:
All in all, while it’s not good that it happened, IMO the response was close to perfect.
Re: Impressed
The rest, sure, but this bit I very much doubt:
Many (, many, many) users would refuse to give Twitter their phone number but then add it for the additional security of 2FA on the assumption that’s what the number would be used for. Then, when those users start receiving marketing spam from Twitter they know unequivocally what has occurred. Any user unwilling to give Twitter their number in their profile would have done so specifically to avoid spam. Suddenly receiving it would result in a large number of reports and complaints.
Unless getting a large volume of complaints counts as "their own audits/reviews" then I don’t think your 1. statement is true.
Re: Impressed
I’m not impressed with the way they portray it as an error. "Whoops, we wrote some code to make it impossible to set up 2FA without an otherwise-unnecessary phone number, and then we collected user lists including phone numbers from advertisers, and then we wrote code to match that with the numbers we made you provide." And step 3, apparently, is the only step they’re changing.
GMail has exactly this problem, too. I’m not aware of any cases of Google actually abusing it, but they are dead set on the idea that you cannot enable any sort of 2FA for the account until after you’ve given them a phone number[1], so the user mistrust issue affects them too. After you’ve given them a phone number, then you can enable much more convenient 2FA methods – but as far as I’ve been able to tell, you can never enable the good methods without having a phone number on file. We had several people at work who kept 2FA disabled until the administrator forced it on for everybody (and locked out several people who missed the deadline because they had real work to do) precisely because of this lack of trust.
[1] There is one lame non-solution that if you instead have the administrator issue everybody some sort of PIN, then supposedly you can avoid the phone number. The administrator didn’t want to bother, so we didn’t get to see if it would work.
As a related bit, their phone-based 2FA sucks. It always starts with a 19 second "Please don’t share this code" message before giving you the code you need.
Phone number for 2FA…? Bwahahaha, NOPE. Give me standard TOTP (which is to say flash me a QR code ONCE and never mention the matter again, except to ask for six extra digits on each 2FA login) or get lost. Nobody I don’t mean to give my phone number has any business knowing it. For ANY purpose.
Re: Re:
Apparently this is standard TOTP. Twitter just won’t let you set it up unless you give them your phone number (which is not required or used for TOTP).
Re: Re: Re:
Dang. If that’s true, that’s… downright evil!
Corporations are not trustworthy.
Re: Re:
Why are entities specifically set up to protect their owners money from a lawsuit not trustworthy?
Re: Re: Re:
"Why are entities specifically set up to protect their owners money from a lawsuit not trustworthy?"
From whose perspective?
Re: corporations are predictable
They can be relied upon to serve the interests of their customers, who are defined as the party that provides the money that keeps them in business.
So, in every situation, ask yourself: am I the party that gives this corporation money to keep the lights on? If not, then you are not the customer. You are the product. Be very wary of situations where you are the product. Inanimate objects like products are not generally given much consideration.
So, like, a honeypot?
Re: Re:
No, the tent is where I store my phone numbers.
simple rule of thunb
When signing up for anything, ask yourself: where is this company getting their money from?
Is it like Netflix, and they get their money from you? Or is it like Twitter and Facebook: free, but where does the money come from?
If the former, you are the customer. If the latter, you are the product and the advertiser is the customer (ie, the source of the money that keeps the servers humming and the lights on).
In both cases, the customer’s interests will be served. Don’t have anything to do with situations where you are not the customer, or if you choose to, be very freaking careful.
how to tell if a vietnamese girl likes you
L really do not can deal so l will begin with my loss
my better half, Leonard, died on March 29,2020. I knew he was looking for weaker, You see he has had cardiovascular,Diabetes and was having trouble with his back. L knew that surely he would die before me. whilst Covid 19, We didn’t receive the support we needed. My sons fell a part. We could only have a graveside service. Since then l have a good and hard time. My heart hurts so bad l feel like I’m going into cardiac arrest. I can’t make steps or focus. I cry for no motive. I don’t know where do you start a new life without my husband. i require help.
I am so sorry for your loss of your husband that has taken you here to this site. I found this safe place to seek comfort and share my feelings in 2015 and it honestly is the only reason I am now living my life and handling my grief. Having had to face this terrible loss while in this awful pandemic is one thing I can hardly imagine. <a href=https://www.bestbrides.net/how-to-tell-if-a-woman-likes-you-based-on-her-zodiac-sign/>how to tell if a libra woman likes you</a> I you must realize how the first months and seasons were for me without my Larry, And the feelings you describe are identical to my feelings then. One of the matters I learned by posting in the group Bereaved Spouses and reading everybody’s replies is that our collective experiences as we grieve our lost spouses are very similar, And this helped my accept that I wasn’t losing my mind or having a breakdown, But was undergoing a sad and painful process that would take time and help to navigate. That is what this safe place is all about are able to offer, get, And accept help from additional without fear of being judged. consider join the Bereaved Spouses group then when you post a comment all other members will see it and can reply if desired. I had trouble learning the process at first because I am not very experienced with computers or social media groups, and so forth. I have since that time learned much, But what I hope you find here is the same comfortable and comforting place that has helped me so very much along with nightmare I found myself facing. Everyone recognizes, true chicago pizzaria? much compassion and support for you.
I wish both you and your sons peace this weekend, And hope you will be patient with yourself and allow yourself to express your feelings freely here should you wish to do so.
[—-]