Twitter is the latest Silicon Valley tech giant to be caught up in a privacy scandal. The Twitter privacy breach involves the inappropriate use of phone numbers and email addresses in order to serve up targeted ads to users. These phone numbers and email addresses were provided to Twitter as part of two-factor authentication security and security procedures, and were never intended to become part of a marketing or advertising database. While Twitter was quick to point out that none of this personal information was actually shared with third parties, it also cannot say with certainty how many of its 330 million users were impacted, raising more doubts about just how firm of a grasp Twitter actually has on user data.
How the Twitter privacy breach occurred
The origin of the Twitter privacy breach begins with the company’s two-factor authentication system, which is a popular way for users to authenticate and log into their accounts. To verify that an account really belongs to them, they agree to receive an SMS message to their phone number or an email to their email address, and then use the code contained within that message to unlock the account. The whole point of this two-factor authentication process is that the phone numbers and email addresses used to authenticate accounts have a single purpose: verification. They are never intended to become part of a targeted ads program.
And yet that is exactly what appeared to be happening at social networking giant Twitter. It is, unfortunately, too common of a practice for companies to pull in phone numbers, email addresses, and other personal information into their marketing databases in order to target advertisements. If that does occur, then certain safeguards should be put into place. For example, say privacy and security experts, Twitter should have tagged this data with some sort of warning along the lines of, “Do not sell this information to marketers or advertisers.” But, apparently, Twitter didn’t take this basic step, and instead, allowed the data to flow into two of its advertising programs – Tailored Audiences and Partner Audiences.
Use of unauthorized information to serve up targeted ads
In the Tailored Audiences advertising program, Twitter enables advertisers to target ads to customers based on the advertisers’ own marketing lists. Thus, for example, an advertiser might have phone numbers and email addresses of a customer. If they compare this information with the personal data provided by Twitter, they can find a match and serve up targeted ads to that user on Twitter. This helps to improve the chances that a Twitter user will actually click on the ad and then purchase a product. Based on the way that this list-based advertising system works, Twitter can plausibly say that no data was actually sold or given to third parties.
This advertising system using marketing lists differs from the traditional Twitter ads program, in which the only information used to serve up targeted ads is publicly disclosed information, such as information included within a personal profile, or activity on the social media platform itself. Thus, “liking” the content of a certain tweet might provide a signal that a user is potentially a good target for a targeted ad. But there are no guarantees here. Just because a Twitter user “liked” a photo of a cat on Twitter doesn’t mean that the user will buy cat food from a company,
That’s why the Tailored Audiences and Partner Audiences programs are so much more lucrative for Twitter than, say, Promoted Tweets. In these targeted ads programs, Twitter enables much more precision for the advertiser, in order to make sure that all targeted ads are being shown to the right people. Someone, for example, who is already in Coca-Cola’s marketing database can be shown targeted ads for Coca-Cola, regardless of what’s in their personal profile. As long as Coca-Cola can match up its marketing data with Twitter’s marketing data, then it’s possible to show an ad.
Privacy and security concerns
As might be expected, Twitter is trying to minimize the impact of this Twitter privacy breach. Instead of reaching out to each and every user who has been impacted by the Twitter privacy breach, it is simply posting about it online. As Twitter would have users believe, the whole process was “inadvertent” and is not much of a big deal.
But that ignores the larger context. The reality is that the social media giant has suffered its fair share of Twitter privacy breaches in the recent past. For example, one misstep occurred in May 2018, when Twitter mistakenly stored user passwords unprotected in plaintext. This led to Twitter reaching out to all of its users, suggesting that they change their passwords, just to be on the safe side. Then, in August 2019, the social media giant suffered another Twitter privacy breach when CEO Jack Dorsey had his Twitter account hacked as part of a “SIM jacking” attack.
As a result, public perception about Twitter’s privacy practices appears to be turning sharply negative. In the wake of this latest Twitter privacy breach, some security and privacy experts have called Twitter “immoral” and “incompetent.” The risk, from Twitter’s perspective, is that it could become the next Facebook, which is now under scrutiny from a wide variety of regulators, legislators and privacy advocates. The Federal Trade Commission (FTC) also fined Facebook $5 billion for its privacy violations.
And some have even raised the prospect that, in Europe, Twitter might be liable for a major General Data Protection Regulation (GDPR) violation. The “purpose limitation” of the GDPR, for example, forbids companies from using data for any illegitimate business purposes for which there is no valid reason. Moreover, the fundamental underpinning of GDPR involves “user consent,” and it’s clear that Twitter uses never gave their consent for their phone numbers and email addresses to be used for targeted ads.
Takeaway lessons from the Twitter privacy breach
Perhaps the biggest takeaway from the Twitter privacy breach is that users should never place blind faith in social media companies to do the “right thing.” They should assume that any data that they provide to these companies – for any purpose whatsoever, even two-factor authentication – will be added to a vast, sprawling database that exists solely to show them targeted ads.