Twitter is sometimes lauded for using contextual advertising rather than collecting user personal information for targeted advertising, basing the ads it displays on what the user has already engaged with inside the platform’s walls. It turns out that this picture was not quite accurate, however. The social media platform is being fined $150 million by the Department of Justice (DoJ) for privacy violations taking place from 2013 to 2019, involving use of account contact information to deliver personalized ads.
Twitter privacy violations involved user phone numbers, email accounts
Twitter has always required users to provide a valid email address to sign up, and in recent years has begun periodically requiring phone number checks (via text message) for “account security.” What users have not always been aware of is that these items have been added in to Twitter’s internal personalized advertising system.
This has been an issue with Twitter since it launched in the late 2000s; the company was already warned about the practice by the Federal Trade Commission (FTC) in 2011, handed an administrative order to stop. The DOJ finds that privacy violations of this nature resumed from May 2013 to September 2019, with Twitter failing to notify users that this profile information was once again being included in its targeted advertising systems.
The 2011 FTC order characterized this data collection as “deceptive acts or practices” and specified that Twitter cannot misrepresent its protection of the “security, privacy, confidentiality, or integrity” of non-public user data. The current privacy violations complaint was settled by Twitter with an agreement to pay $150 million in fines and implement regular audits of its privacy program along with other new compliance measures (such as stricter requirements for reporting data breaches to the FTC). It will also need to offer users alternate secondary means of securing their accounts that do not involve a phone number, such as the use of a hardware key or a passwordless mobile identification app.
A mandatory regulatory disclosure in 2020 revealed that Twitter had been aware of the privacy violations since at least 2019 but believed that they were unintentional and halted upon discovery, and that the company was prepared to pay up to $250 million to settle the matter.
Warning, fine do not appear to be a major detriment to Twitter
Given the ultimate fine amount of only about 13% of Twitter’s quarterly revenue, it is possible to believe that Twitter did not care all that much about the consequences of regulatory action. The amount represents just a little over a dollar for every user of the platform thought to be impacted by privacy violations; Twitter makes much more than that per user each year, let alone over the course of the multi-year breach window.
Ilia Kolochenko, Founder, CEO and Chief Architect at ImmuniWeb, provided some thoughts on why the fine amount ultimately ended up being relatively low: “The $150 million settlement is just a small fraction of the record $8 billion FTC’s settlement with Facebook in 2019, also stemming from privacy violations. Probably, Twitter’s annual revenue and profitability were taken into consideration by the FTC when calculating the amount. This settlement is, however, an unambiguous and expressive message that the FTC has been and will continue regulating privacy in the US amid the fragmented state privacy legislation and missing federal privacy law. Contrasted to GDPR in Europe or LGPD in Brazil, the FTC Act does not have direct privacy protection provisions, but is powerful to police for penalizing deceptive or unfair trade practices: when, for instance, a social network misleads its users about how their personal data will be used or protected. It is interesting whether privacy-sensitive European regulators, pursuing their harsh enforcement policy, will commence a new probe on Twitter over the possibly previously unknown facts exposed by this settlement. In the EU, the fine may be significantly higher.”
It is unclear what impact, if any, the privacy violations might have on Elon Musk’s highly publicized bid to take over the company. The sale was not set to be finalized until the end of summer at the earliest, and Musk has since shown some signs of hesitancy over the amount of bots that are populating the platform’s user base. The company’s history of breaches and privacy violations has not been raised as a potential issue, however, at least not as of yet. Musk has proposed a $44 billion price for the company, pledging $33.5 billion of his own money. But he has also “liked” and positively replied to the Twitter posts of users suggesting that the company’s valuation should be reduced given the amount of bots that appear to be masquerading as real users.
Musk said that Twitter’s untruthfulness in the privacy violations matter was “concerning” and publicly wondered what else the company might be untruthful about. Recent history provides some reason for suspicion. The breach resulted in privacy violations for a number of celebrity and high-value accounts, some of which were used in an attempted cryptocurrency scam, but the attackers also leaked screenshots that appear to confirm that Twitter has administrative tools that “shadowban” users. Twitter has long denied the practice of shadowbanning, or suppressing the reach of content without giving the user any indication it is happening, to the point that former CEO Jack Dorsey even testified to Congress that it was not a real thing. Users have long suspected the practice does occur, however, based on a variety of third-party testing techniques.
The settlement awaits approval from a federal court. If it proceeds, all Twitter users that joined the service prior to Sept. 17, 2019 will be automatically notified of the settlement and provided with new options for securing their accounts.