Twitter Apologizes for Repurposing Phone NumbersPhone Numbers Provided for Security Were Used for Targeted Advertising
Twitter apologized on Tuesday for repurposing phone numbers provided by users for security features for use in targeted advertising, claiming the move was a mistake.
The phone numbers, which Twitter at times prompted users to divulge, were fed into its targeted advertising tool called Tailored Audiences. The tool enables advertisers to upload their customer contact lists, and Twitter identifies the corresponding likely user using details on file, such as email addresses and phone numbers. Users can then be targeted with ads.
"We're very sorry this happened and are taking steps to make sure we don't make a mistake like this again."
Twitter doesn't reveal to the advertisers the contact information it has collected. Such systems often work by hashing personal information on either side and then confirming identifications by matching the hashes.
"We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware," Twitter says in a blog post. "No personal data was ever shared externally with our partners or any other third parties."
"As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising," Twitter adds. "We're very sorry this happened and are taking steps to make sure we don't make a mistake like this again."
What Twitter did is sometimes referred to as "secondary" use of information, says Jason Cronk, a lawyer and privacy engineer. It's generally considered a violation of privacy norms, he says. Users may not have consented or realized their information was being used for a purpose other than the purpose for which which they provided the data.
In the U.S., however, Cronk says there is no prohibition on such a practice. But it could be a violation of Europe's General Data Protection Regulation under the purpose limitation principle, Cronk says. If Twitter could successfully argue it has another lawful basis - such as legitimate interest - it could be allowed under GDPR, he points out.
"The point is, it's complicated legally, though not so complicated from a social norm perspective - people would expect it to be used for one purpose and it's being used for another purpose," Cronk says (see: 'Privacy by Design': Building Better Apps ).
Facebook: Fined for Same Error
Twitter's disclosure comes just three months after Facebook received a $5 billion fine from the U.S. Federal Trade Commission for a range of transgressions, including using phone numbers provided for security for targeted advertising. The FTC's investigation sprouted out of the Cambridge Analytica scandal, where the U.K. political marketing firm procured Facebook data on 87 million individuals (see: It's Official: FTC Fines Facebook $5 Billion).
Because the U.S. lacks a federal privacy law aimed at online companies, the FTC has undertaken action against U.S. tech companies for violations of the FTC Act, which prohibits deceptive practices. The FTC's action against Facebook largely focused on whether it violated a 2012 consent decree, which prohibited it from changing privacy settings and sharing data with third parties without consent.
Under the August 2012 consent order with the FTC, Facebook was required to obtain permission from consumers before making changes to privacy settings or sharing their data with third parties.
In its complaint against Facebook, the FTC alleged the social media company asked users for their phone number in order for security reasons, including two-step verification, but that it "did not effectively disclose that such information would also use be used for advertising."
Facebook's practices were uncovered last year by researchers from Northeastern University and Princeton University, who investigated how personally identifiable information, such as email addresses and phone numbers, is leveraged by targeted advertising systems.
It's unclear yet if Twitter's admission will draw the attention of the FTC. But in Europe, Ireland's Data Protection Commission has ongoing investigations into Twitter as well as Facebook, Apple and LinkedIn. The DPC is looking into those companies compliance with GDPR (see: 15 GDPR Probes in Ireland Target Facebook, Twitter, Others).
What's Your Number?
At least a year ago, Twitter users posted in a thread on Reddit that they couldn't access their accounts unless they provided a phone number, tweets Ashkan Soltani, a privacy expert and former chief technologist at the FTC.
It appears, that at least on some occasion, Twitter forced users to provide their phone numbers in order to access their accounts (under the premise of increased security).https://t.co/iByKWgvAd0— ashkan soltani (@ashk4n) October 8, 2019
"I've reluctantly added my phone number to unlock my suddenly locked account after years of avoiding this," writes one user going by the name Lyazi. "[I] think it's very likely Twitter does it on purpose."