At this point, it is painfully unsurprising to hear new examples of technology companies misusing customer data. But a particularly shameful version of this story has become increasingly common: services that pull phone numbers and other data collected for two-factor authentication into marketing databases. On Tuesday, Twitter became the latest tech giant to join those ranks.
The company said in a statement that it had inadvertently fed telephone numbers and email addresses collected for security purposes, such as two-factor authentication, into two of its advertising systems, called Customized Audiences and Partner Groups. The company did not hand the information directly to marketers, but used it to help them target ads at Twitter users. Twitter says it stopped the data leakage on September 1.
"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email address or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize," the company wrote in the statement. "We regret that this happened and are taking steps to ensure that we do not make a mistake like this again."
A Twitter spokeswoman told WIRED that the company has no further comment on the internal issue that caused the mix-up. In September 2018, Facebook admitted that it, too, had used phone numbers customers had shared to set up two-factor authentication for marketing and personalization. In July, the Federal Trade Commission fined Facebook a record $5 billion over multiple instances of user data abuse.
And Twitter has committed its own privacy sins. In May 2018, for example, the company disclosed that it had mistakenly stored some user passwords unprotected, in plain text, in an internal logging system. Fortunately, the incident does not appear to have resulted in a full-blown data breach, but it was a major lapse in the handling of a critical piece of user data.
Mistakes and errors happen, but when it comes to misuse of information that users provide for security purposes, it is especially telling that companies are not prioritizing users' privacy and security over their business goals. Controlling and protecting such a limited, well-defined and unambiguous data set should be easily manageable for any large technology company.
"If you wanted to secure the phone numbers, you would just put them in a database table called '2FA numbers, don't sell to marketers,'" said Matthew Green, a cryptographer at Johns Hopkins University. "This is like a bank holding customers' money and then spending it on snacks. Obviously it can happen. We're just trying to prevent it from happening because, you know, ethics."
Receiving two-factor codes as SMS text messages to your phone number is not the most secure way to set up the protection in the first place, because texts can be intercepted. It is better to use an authentication app, like Authy or Google Authenticator, that generates codes locally on your phone. That also has the advantage that you hand over less personal information to technology companies when setting up the security feature. But any two-factor is better than no two-factor. More to the point, you should not have to make security decisions based on the fear that massive technology companies cannot manage basic data silos.
This is not the first time this kind of violation has occurred, and it will not be the last. But let it be a reminder that every time you hand your data to a company, no matter what they say it is for, it can always end up being used for other purposes, and specifically for other profit-driven purposes. For most people it is impossible to avoid giving out data such as telephone numbers and email addresses in everyday life. It is hard even to keep a lid on your Social Security number, given how many companies, services and medical offices request it. And in a fair world, the burden would not be on you in the first place. But being aware of what you share, and cutting back where possible, can have a real impact on your overall privacy.