Use of 2FA information for commercial purposes is unacceptable

News & Analysis

The latest news of Twitter “inadvertently” sharing email addresses or phone numbers provided for safety or security purposes (for example, two-factor authentication) for advertising purposes is extremely concerning for several reasons.

First of all, it is not the first time Twitter has used people's data in ways they wouldn't expect or that ignore their choices: in August, the company disclosed that it may have shared users' data with advertising partners even where those users had opted out of personalised ads, and that it had shown people advertising based on inferences made about the devices they use, without their permission.

In May 2019, Twitter also disclosed a bug that resulted in an account’s location data being shared with a Twitter ad partner, in certain circumstances.

As we wrote at the time, Twitter's latest disclosures show how urgently the industry needs to change, but until then, there is more that Twitter could already do right now. We believe that social media platforms like Twitter need to do much more to increase transparency around how ads are targeted at users, something we have long campaigned for. Our recent analysis shows just how far Twitter (as well as Google and Facebook) has to go when it comes to providing users with ads transparency, as well as the shocking disparity in how its policies are applied globally.

When it comes to targeted ads, as a minimum people should be able to understand how their data is being used and why they are seeing a particular ad, and have meaningful choices that are respected.


Undermining trust in 2FA

Second, and very importantly: practices such as those in the recent Twitter disclosure undermine people's trust in two-factor authentication (2FA), a critical security feature, and make them less secure in the long term.

This is concerning for everyone, and particularly worrying for activists, dissidents and communities at risk all over the world who have a clear need to protect their security and who use social networks to communicate and organise.

And Twitter is far from being the only one: Facebook, for instance, has a history of blurring the lines between contact information provided for security and contact information provided for other purposes. Earlier this year, it emerged that Facebook was making mobile phone numbers that users believed they had provided for the express purpose of 2FA both searchable and a target for advertising by default.

One of the many ways Facebook displays targeted adverts to users is through so-called "Custom Audiences". These "custom audiences" are lists of contact details, including phone numbers and email addresses, uploaded by advertisers. Facebook then matches each "custom audience" against the details it holds, to target adverts at the accounts associated with that contact information.
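The matching step just described is exactly where purpose limitation has to be enforced. The following is an added illustration written for this page, not Facebook's or Twitter's code: the purpose tags, the SHA-256 hashing of normalised contact values on the advertiser side, and the sample contacts are all assumptions. A number held only for 2FA never matches an uploaded audience, however many advertisers hold that same number.

```python
import hashlib
from dataclasses import dataclass

# Purpose tags a stored contact detail can carry (assumed model).
# A value collected for 2FA gets only SECURITY unless the user
# separately agrees to ADVERTISING.
SECURITY = "security"
ADVERTISING = "advertising"

@dataclass
class Contact:
    account_id: str
    value: str            # email or phone number as the user entered it
    purposes: frozenset   # purposes the user agreed to for this value

def normalize(value: str) -> str:
    """Lowercase/trim an email; keep only digits of a phone number."""
    v = value.strip().lower()
    return v if "@" in v else "".join(ch for ch in v if ch.isdigit())

def hash_contact(value: str) -> str:
    """SHA-256 of the normalised value, standing in for a hashed upload."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()

def match_custom_audience(uploaded_hashes, contacts, required_purpose=ADVERTISING):
    """Return account ids whose hashed contact appears in the upload AND
    whose owner agreed to `required_purpose`. Security-only data never
    matches an advertising audience, even if the advertiser holds it."""
    wanted = set(uploaded_hashes)
    matched = set()
    for c in contacts:
        if required_purpose not in c.purposes:
            continue   # purpose limitation enforced before any matching
        if hash_contact(c.value) in wanted:
            matched.add(c.account_id)
    return sorted(matched)

# Constructed sample data, not real accounts or numbers.
CONTACTS = [
    Contact("acct-1", "+1 (555) 010-0001", frozenset({SECURITY})),             # 2FA only
    Contact("acct-2", "Alice@Example.com", frozenset({SECURITY, ADVERTISING})),
    Contact("acct-3", "+1 555 010 0003", frozenset({ADVERTISING})),
]
# The advertiser's upload happens to contain all three contacts.
UPLOAD = [hash_contact(v) for v in ("15550100001", "alice@example.com", "+15550100003")]

if __name__ == "__main__":
    print(match_custom_audience(UPLOAD, CONTACTS))  # ['acct-2', 'acct-3']
```

Run as is, acct-1 is held back despite its number being in the upload; passing `required_purpose=SECURITY` instead shows which records a security workflow (such as sending a 2FA code) may legitimately touch.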

We asked Facebook to explain what they did with people's phone numbers and had a long (and somewhat... confusing) exchange with them.

We are not aware exactly when Facebook started asking for users' mobile phone numbers, how many users provided these, and when. We are also unable to interrogate when and why each user uploaded their phone number, what percentage believed this was solely for the purposes of 2FA, and why they believed this. However, it is clear that many people provided their phone numbers believing that it would make their accounts more secure, and as a result, many companies were able to conduct targeted advertising based on this user data.

Disclosing or using information provided for security purposes for any other purpose, including advertising, is unacceptable: we believe that companies should protect their users' safety and never use critical security features for profit.


Photo: Twitter Headquarters - Christinatt, photo by Troy Holden (CC Share-Alike 3.0 Unported)