Hacker News Re-Imagined

FTC fines Twitter $150M for using 2FA phone numbers for ad targeting

  • 1362 points
  • 1 month ago

  • @averysmallbird
  • Created a post

FTC fines Twitter $150M for using 2FA phone numbers for ad targeting

@de6u99er 1 month

Replying to @averysmallbird 🎙

Teitter wanted my phone number once, even by locking my account and asking me for my phone number to unlock it. It felt like blackmail and I threatened Twitter with a GDPR request, not only requesting my data but also the algorithms used for automated decision making.

As soon as my account got restored I let their DPO know that I don't insist on the fulfillment of the GDPR request any more. And that I will follow through if Twitter pulls off this kind of blackmail again on me. Haven't had this issue any more.


@radicaldreamer 1 month

Twitter itself is still doing it, even if you opt-out of all personalized ads in their app, it'll still advertise stuff to you derived from tracking your browser history.


@consultSKI 1 month

Cool. So the defense, "Facebook does much worse!" didn't fly? #justSayin


@octagons 1 month

I don't have the most optimistic outlook for this having any impact, but I really hope this sets a precedent for limiting the use of dark patterns with which companies try to tie your identity to a phone number. I think the total sum for this fine is rather myopic: it ignores the long tail of possible future data leaks and the impact it might have on the people behind the affected accounts.

I created my current Twitter account a few years ago and it remained dormant for a while. It was flagged as "in violation of our policies" despite having not made any tweets or using a handle or nickname that would cause offense to anyone. In order to resolve this, I had to enter my phone number to "secure" my account. I don't know what process triggered this review, but I'll be damned if it didn't smell like an easy way to associate an existing marketing profile with my Twitter account. Of course, it's vitally important to profile a service I used to keep up with industry news and post about Goban puzzles.

I've also run into similar patterns on Discord and similar platforms; "Oops! Something suspicious is happening with the account [you literally just created]. Please add a phone number to your profile to proceed."

Although I follow a reasonable set of practices around identity/password management, I usually architect my risk profile with a "I don't care if I lose this account" approach. If that statement isn't true, then I will happily apply all of the security measures available. However, it seems like the idea of creating "I don't care" accounts is becoming increasingly difficult as we continue to invest in user marketing analytics and lower the barrier of entry to these types of technologies that do not have the consumer's best interests in mind.


@jrochkind1 1 month

I've assumed facebook and google do this too. No? Or it's okay if they haven't promised not to (have they?)


@digb 1 month

Instagram used to do this too


@asasidh 1 month

Elon fixes everything. He is looking for reasons to back out and if this was not disclosed before, he found one more reason.


@gnicholas 1 month

Twitter doesn't let me DM people who don't follow me because I haven't provided a cell phone number. I refuse to give it, mostly on principle. I send messages very rarely and am clearly not a bot. When did demanding a phone number become OK to access basic elements of a service? This happens even when I try to DM people whose DMs are open.


@dbg31415 1 month

I hate all the different ways companies target people.

I recently booked flight on American Airlines for my 80+ year-old father. I requested the golf cart to take him between gates.

Immediately I got a call from "American Airlines Health Alert."

They made it sound like there was an issue with the booking... "An important health alert related to your flight." And there was a "Press 1, if you're over 50" option.

Anyway long story short it was some shady marketing company selling me a panic button in case of falls.

The lady was like"these are very expensive devices"... "we'll give you the device... but you pay a small fee for monitoring every month."

Clearly she'd given the pitch 1,000 times. Didn't give me any time to talk. Finally, I was like, "Hey is there a problem with my Dad's flight, or are you just trying to sell me something?" And she hung up on me.

Fuck American Airlines. Fuck all the airlines really, but it should be illegal to target the elderly just because they asked for help with connection flights.


@mrkramer 1 month

I remember I got scared this might happen when Epic introduced 2FA for claiming free games[0]. FTC check Epic Games too.

[0] https://www.pcgamer.com/uk/for-a-while-epic-games-store-will...


@yalogin 1 month

It’s ok they are going to get 1billion from Musk so they can afford it.

Jokes part I am glad they got fined. These kind of transgressions need to be dealt with publicly and Twitter is a big enough entity to send a message that this is serious. Of course I am sure you very company that got phone numbers already abused them :)


@nickjj 1 month

Who benefits from these fines?

Will these fines end up being paid out to everyone who now needs to deal with a lifetime barrage of spam calls and texts?


@linuxhansl 1 month

Some weeks ago I wanted to deactivate my Twitter account. I hadn't used it for a while, and it claimed that my account was locked. Nothing was sent from it in many months, so it wasn't clear why/how it would be locked now.

For some reason you cannot deactivate your account when it is locked.

So I contacted Twitter demanding that as EU citizen (which is true) I hereby demand all data about me that Twitter or its subsidiaries might have, including account data, to be deleted under the GDPR... Or alternatively unlock my account so that I would be able to deactivate it.

They were actually pretty responsible. My account was unlocked 30 minutes later and I was able to deactivate it.


@heavyset_go 1 month

Guarantee they're doing the same thing with phone numbers used to verify accounts, as well. I'm not talking about the blue check mark verification, but the verification they impose upon new accounts to prove that you're "real" and not a bot.


@brailsafe 1 month

I appreciate the security of 2FA, but I don't like the liability and and I don't like being required to have my phone at all times. Jus one of my gripes with the world


@mark336 1 month

The fines should be paid the Twitter users


@tempodox 1 month

That's the problem I see with most of 2FA, you have to reveal more of yourself instead of less, increasing potential attack surface instead of minimizing it. If anything, recent history has shown that you cannot trust anybody on the internet. Even if they're not outright hostile or abusive, they can still get cracked and their data stolen. For myself, I'd rather rely on strong, well-protected passwords and no 2FA as far as possible, but most people might not know how to do that or find it too inconvenient.


@milesward 1 month

Repeat after me: we need FIDO2 in exactly the same physical form factor as your house key. Give ‘em away all over the place, make it the default conference swag. SMS is not good.


@ta988 1 month

Not a surprise, they were really insistent on getting a phone number for the account.


@netik 1 month

Many employees I talked to described years and years of trying to stop this but eventually the growth team took over. This is so sad.


@aljungberg 1 month

Apple could complement their existing “hide my email” with a “hide my number” feature that makes it easy to create disposable tracking protected phone numbers. This would help counteract the “oh something about your account is suspicious so give us your phone number” dark pattern.


@aurizon 1 month

Interesting, a length of wiggle room for Musk to play with...


@lucb1e 1 month

> [Twitter] agreed to an order that became final in 2011 that would impose substantial financial penalties if it further misrepresented “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.”

They violated that order and that's what the fine is for.

I was wondering what kind of authority the FTC has to impose fines based on what as a European I'd consider a GDPR violation (in the USA, this california privacy act thing sounds like it would be the nearest thing, but that's not federal so that couldn't be it). But what was this order about? Clicking the reference in the article:

> The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others.

> Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information

So this wasn't about privacy initially, the FTC's attention came from allowing some public figures' accounts to be hacked, after which it imposed some broad set of requirements, which are broad enough to now include this privacy issue. Not a bad outcome, but interesting turn of events to get the FTC to act as data protection authority.


@staunch 1 month

At first I thought the fine sounded excessive but after thinking about it, it seems far too low. I'd like to know the the people that were specifically responsible for this scam.

Did Jack Dorsey implement and endorse this scam?


@tinyhouse 1 month

That's a settlement they reached recently on things that happened at least 2 years ago. Just to be clear.


@miked85 1 month

These fines are meaningless and just looked at by the company as the cost of doing business.


@metaphor 1 month

Does the recent 5th Circuit decision[1] related to civil penalties issued by administrative agencies have any relevance here?

The article mentioned that the complaint was "filed by the Department of Justice on behalf of the FTC," which sounds a bit more involved than the FTC saying, "Hey Twitter, here's your sign, now pony up"...I have no idea how the game is actually played though.

[1] https://news.ycombinator.com/item?id=31429091


@MiddleEndian 1 month

Good, but it should be 10x that amount.


@xbar 1 month

Clownish. If I were the CEO, some folks would have already been fired.


Interesting. Is this something that has been an ongoing investigation at the FTC? The timing seems extremely suspicious.


@throwaway290 1 month

Here's hoping they get to Microsoft's fishing phone numbers from Minecraft players by threats and blackmail (alleging unauthorized account access that doesn't actually happen).


I really can't believe companies are still doing this with people's data. Insane that this is still a thing companies abuse.


@oblio 1 month

We need to turn data into a liability.

There's a reason many places work on a "need to know" basis.


@techsupporter 1 month

This is an interesting part to me: "[T]he new order[0] adds more provisions to protect consumers in the future: ... Twitter must provide multi-factor authentication options that don’t require people to provide a phone number."

I would like to see this be a more broad-based rule. No, I am not moved by "SMS is easy" or "getting a number that can receive SMS is harder for scammers to do in bulk." If you must, give users the choice but not the obligation to hand over a mobile number.

0 - https://www.ftc.gov/legal-library/browse/cases-proceedings/2...


@karatinversion 1 month

For context, Twitter‘S revenue in 2021 was $5 billion, on which they made a loss of $220 million.


@rdubs333 1 month

Yeah but where does that water flow. We have guns, we have gravels, but where does it go!?


@soheil 1 month

When you can have Authenticator Chrome extensions [1] what is the point of 2FA? Who decided making it harder to login for an average user is worth the added security? I'm not arguing security is not improved. The question is who weighed the pros/cons of 2FA and decided the entire industry should adopt it? Can we shine some light on the orgs/individuals responsible for this.

> This article is written like a personal reflection, personal essay, or argumentative essay that states a Wikipedia editor's personal feelings or presents an original argument about a topic.

Wikipedia describes 2FA very matter of factly without any background on its history and its advocates [2].

[1] https://chrome.google.com/webstore/detail/authenticator/bhgh...

[2] https://en.wikipedia.org/wiki/Multi-factor_authentication


@pessimizer 1 month

This is surprisingly reasonable. I would like to see a decisionmaker do some time for fraud, though. They locked people out of their accounts and demanded phone numbers for "safeguarding," then used them for targeting in direct contravention of a previously negotiated agreement with the FTC. If that doesn't rise to criminality, the fraud statutes need to be updated.

edit: they should also be required to dump the phone numbers (even to be recollected later, without the deception), but I didn't see that in the article. Are they being allowed to keep the proceeds of a crime?


@bushbaba 1 month

150M just seems too low of a fine. The expected value of being fined is less than rewards and this encourages future abuse by other players.


@wly_cdgr 1 month

Is this something unique to Twitter or is this just Biden or someone else trying to stop the Elon deal?


@wanderr 1 month

A fine is a cost. It's quite possible that Twitter made more than $150m in doing this.


@bobro 1 month

if your first thought is that the fine isn’t enough, often these fines go along with agreements to change business practices. in this case:

>In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order adds more provisions to protect consumers in the future:

>Twitter is prohibited from using the phone numbers and email addresses it illegally collected to serve ads.

>Twitter must notify users about its improper use of phone numbers and email addresses, tell them about the FTC law enforcement action, and explain how they can turn off personalized ads and review their multi-factor authentication settings.

>Twitter must provide multi-factor authentication options that don’t require people to provide a phone number.

>Twitter must implement an enhanced privacy program and a beefed-up information security program that includes multiple new provisions spelled out in the order, get privacy and security assessments by an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.


@birracerveza 1 month

$150 millions? Heckin wowerino, now that sure made it all not worth it huh, they're never going to do it again, no siree.

The current state of the web is completely laughable.


@ls15 1 month

Apart from security and privacy implications, phone numbers for 2FA are a major issue when you travel to a country where your number is not working. I had to communicate in a very complicated way with my health insurance because of this. Why is that entire practice not banned yet?


@ntoskrnl 1 month

Sigh. Yep. Don't ever give a company your phone number for 2FA. It's insecure anyways due to SIM swapping. Stick to FIDO (e.g. yubikey) or TOTP (e.g. google authenticator)


@pinewurst 1 month

Didn't Facebook do something similar without any apparent comebacks?


@giraffe333 1 month

why aren't these fines percent of revenue, or a multiple of the number of people affected?


@oxfordmale 1 month

Twitter is terrible sorry....for being caught. They promise to do better in the future /sarcasm


About Us

site design / logo © 2022 Box Piper