Never Trust a Platform to Put Privacy Ahead of Profit

Twitter used phone numbers provided for two-factor authentication to target ads—just like Facebook did before.
person at twitter front desk
Photograph: Jens Gyarmaty/Redux

At this point, it's painfully unsurprising to hear new examples of tech companies misusing customer data. But a particularly shameful version of the story has become increasingly common: services pulling phone numbers and other data used for two-factor authentication into their marketing databases. On Tuesday, Twitter became the latest tech giant to join those ranks.

The company said in a statement that it accidentally ingested phone numbers and email addresses collected for security measures like two-factor into two of its advertising systems, called Tailored Audiences and Partner Audiences. The company didn't give the information directly to marketers, but used it to help them target ads to Twitter users. Twitter stopped the data bleed on September 17, three weeks before coming forward about it. It's not clear for how long the improper sharing had taken place prior, and Twitter says it doesn't know how many users were affected.

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize," the company wrote in its statement. "We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again."

A Twitter spokesperson told WIRED that the company doesn't have further comment on what internal issue caused the mix-up. In September 2018, Facebook admitted that it, too, had used phone numbers customers had shared to set up two-factor authentication for marketing and customization. The Federal Trade Commission fined Facebook a record $5 billion in July over numerous instances of user data mishandling.

And Twitter has committed its own user privacy sins. In May 2018, for example, the company announced that it had mistakenly stored some user passwords unprotected in plaintext in an internal logging system. The incident thankfully doesn't seem to have resulted in a full-on data breach, but it was a major misstep in handling a crucial piece of user data.

Bugs and mistakes happen, but when it comes to misuse of information users provide for security services, it's especially obvious that companies aren't prioritizing user privacy and security ahead of their business goals. Controlling and protecting such a limited, well-defined, and unambiguous data set should be easily manageable for any large tech company.

"If you wanted to secure the phone numbers you’d just put them in a database table called '2FA numbers don’t sell to marketers,'" says Matthew Green, a cryptographer at Johns Hopkins University. "This stuff is like a bank leaving customers’ money lying around and then spending it on snacks. Obviously that could happen. We just try to prevent it from happening because, you know, ethics."

Receiving two-factor codes through SMS texts to your phone number isn't the most secure way to set up the protection in the first place, because texts can be intercepted. It's better to use an authentication app, like Authy or Google Authenticator, that generates codes locally on your phone. That also has the ancillary benefit of allowing you to submit less personal data to tech companies in setting up security protections. But any two-factor is better than no two-factor. More importantly, you shouldn't have to make security decisions based on fear that massive tech companies can't handle basic data siloing.

This isn't the first time this type of violation has occurred, and it won't be the last. But let it be a reminder that every time you give your data to a company, no matter what they say it's for, it could end up being used for other purposes—specifically, other profit-driven purposes. For most people, it's infeasible to avoid giving out data like phone numbers and email addresses in day-to-day life. It's even tough to keep a lock on your Social Security number given how many businesses, utilities, and doctors' offices ask for it. And in a fair world, the onus wouldn't be on you in the first place. But being conscious of what you're giving out, and cutting back when it's possible, can have a real impact on your overall privacy.

Twitter says that it has "addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising." Given the stakes with this type of information, though, particularly corporate over-reliance on phone numbers, the damage has already been done.


More Great WIRED Stories