Twitter encouraged its users to provide their phone numbers to add a layer of security to their accounts by implementing two-factor authentication, but it also used the numbers in ad sales without disclosing that use, the Federal Trade Commission and Department of Justice say in announcing a $150 million settlement with the company.
“The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed,” says Associate Attorney General Vanita Gupta.
The agreement, if approved by a federal judge, would end a several-year investigation by the two agencies that began after the FTC questioned whether Twitter was adhering to a 2011 FTC settlement over allegations it deceived consumers and risked their privacy by failing to safeguard their personal information, resulting in data breaches.
“Twitter failed to live up to its obligations” in that 2011 order, say FTC commissioners Christine Wilson and Noah Joshua Phillips in a statement.
Private info requested
As detailed in the settlement, Twitter characterized two-factor authentication as a way to improve account security and either didn’t disclose, or didn’t disclose adequately, that it was also using the data it generated for ad sales. It was also asking account holders to add their emails for the same purpose.
The additional contact information gives Twitter data to use in its Tailored Audiences and Partner Audiences programs. Tailored Audiences lets advertisers target groups of Twitter users by matching their phone numbers and emails to their existing contacts, and Partner Audiences lets advertisers import marketing lists from data brokers like Acxiom and Datalogix to match against Twitter account holders’ contact info.
“Twitter … used this information to serve targeted advertising and further its own business interests,” the FTC complaint said.
The deceptive use of private information affected 140 million account holders out of the company's 330 million monthly active users. Of its $3.4 billion in 2019 revenue, just under $3 billion was from ad sales, so the audience programs are integral to Twitter's business model.
New privacy processes
In addition to the fine, the agreement requires Twitter to tell its users it misused their private information and to let them use security keys and other authentication types that don’t require the sharing of private information. It also limits employee access to users’ private information, among other things.
What the agreement doesn’t do is stop Twitter from using the information for its ad programs as long as it discloses to users that it’s using the data for that purpose in addition to security. Nor does the company admit guilt, and no executives are held liable for what the company did.
The FTC has entered into similar agreements with other social media companies, including with Facebook in 2019. That previous agreement was criticized for letting the company settle without admitting guilt and not holding executives personally liable. It was also hit for allowing Facebook to keep doing what it was doing as long as it added disclosures.
In their statement on the Twitter agreement, commissioners Wilson and Phillips defended the FTC’s approach.
“We reject the view that the provisions … constitute ‘mere paperwork,’” they said. Among other things, they said, the agreement requires executives to certify compliance with the privacy procedures put in place and requires third-party experts to assess whether the procedures are being met.
“These processes force [Twitter] to consider privacy, account for privacy, and be accountable for failing to protect it,” they said.