Twitter Fined $150m For Selling User Data

Just 6 months ago, in Europe, Twitter was fined £400k for breaking the EU's GDPR data privacy rules in 20121. Now, the US regulatory authorities fined Twitter $150 million (£119 million) for misusing users' data in order to help sell targeted ads. 

Twitter has been collecting users’ email addresses and phone numbers. In addition to using those phone numbers and email addresses for security, Twitter also used the information to serve users targeted ads, which earned the firm millions of dollars.

The Federal Trade Commission (FTC) and the Department of Justice (DOJ) say Twitter violated an agreement it had with regulators when the firm secretly exploited the personal data users handed over for security reasons. While Twitter had promised the regulators that it would not give personal information like phone numbers and email addresses to advertisers, the FTC says the social media company broke those rules.

The FTC is an independent agency of the US government whose mission is the enforcement of anti-trust law and the promotion of consumer protection. It accused Twitter of breaching a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. “While Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences,” said a court complaint filed by the DOJ.

Twitter generates most of its revenue from advertising on its platform, which allows users ranging from consumers to celebrities to corporations to post 280-character messages, or tweets. Twitter makes 90% of its annual revenue of $5bn (£3.8bn) from advertising. 

According to a complaint filed by the Department of Justice on behalf of the FTC, Twitter in 2013 began asking users to provide either a phone number or email address to improve account security. “Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC chair Lina Khan observed. “This practice affected more than 140 million users while boosting Twitter’s primary source of revenue.”

To authenticate an account, Twitter requires people to provide a telephone number and email address. That information also helps people reset their passwords and unlock their accounts if required, and is used to enable two-factor authentication. Two-factor authentication provides an extra layer of security by sending a code to either a phone number or email address, which users enter along with their username and password to log into Twitter.

According to the FTC, until at least September 2019, Twitter was also using that information to boost its advertising business. 

Twitter is accused of allowing advertisers access to users' security information. In addition to the fine, Twitter must also:

  • Prohibit using the phone numbers and email addresses it illegally collected.
  • Tell users about its improper use of security information.
  • Explain the FTC law enforcement action to users.
  • Tell users how to turn off personalised adverts and review multi-factor authentication settings.
  • Provide multi-factor authentication options that do not need a phone number.
  • Implement an enhanced privacy and security programme which includes reporting incidents to the FTC within 30 days.

"The $150m penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of the proposed settlement will help prevent further misleading tactics that threaten users' privacy... The Department of Justice is committed to protecting the privacy of consumers' sensitive data," said Vanita Gupta, the US associate attorney general.

Twitter’s settlement follows years of controversy over the privacy practices of social media and technology companies. 

In 2018, the disclosure that Facebook, the world’s biggest social network, was using phone numbers provided for two-factor authentication to serve ads enraged privacy advocates. Facebook, now called Meta, similarly settled with the FTC over the issue as part of a $5bn agreement reached in 2019.

Elon Musk, who has an agreement to buy Twitter for $44b, has slammed its advertising-based business model and has promised to diversify its income streams. "If Twitter was not truthful here, what else is not true? This is very concerning news," he said in a recent tweet.

Sources: FTC, Reuters, Twitter, BBC, Guardian, Business Insider, Computing, NPR
