Twitter is in deep trouble yet again: you can’t promise people one thing and then use their personal information for something else. When it comes to digital bait-and-switch, the FTC says that’s exactly what Twitter did to naive customers.
Twitter solicited personal information from its users in the name of account security, but it also utilized that information to offer advertisements that were specifically tailored to Twitter’s business interests.
Although this isn’t Twitter’s first FTC Act breach, the corporation will be fined $150 million for this one. The FTC filed a lawsuit against Twitter in 2010.
According to Twitter’s policy at the time, only the receiver of a private message may read a user’s tweets. Although Twitter said it had appropriate controls to guarantee that users’ preferences were respected, according to the FTC it did not.
According to the lawsuit filed in 2010, Twitter’s acts and inactions have resulted in the illegal access of personal information.
Twitter agreed in 2011 to a final order that would punish the company if it lied about “the degree to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.” This order became final in 2012.
The Department of Justice filed a new lawsuit on behalf of the FTC, saying that Twitter had violated the prior injunction by collecting personal information from consumers for the purported purpose of security and then commercially exploiting it.
For more information, you’ll have to check out the FTC’s complaint, but here’s an overview of how the agency believes Twitter misled its users. Between May 2013 and September 2019, users were asked for their phone numbers or email addresses for security purposes, such as enabling multi-factor authentication.
With multi-factor authentication, a user must provide two different means of identification to access the account: a password and a code delivered to an email address that the user has validated.
Additionally, Twitter informed users that it would utilize their personal information to assist with account recovery (for example, if users lost their passwords) or to restore full account accessibility in the event that Twitter discovered suspicious behavior on a user’s account.
People were allegedly coerced into providing their phone numbers and email addresses by Twitter, which said the information was needed to “safeguard your account,” according to the FTC. Because “an additional layer of protection helps ensure that you and only you can access your Twitter account,” Twitter urged users to do so.
The FTC, on the other hand, claims that there was a lot more going on. People’s phone numbers and email addresses were collected by Twitter.
The firm claimed they were used for “protective reasons,” but they were also used to show users tailored advertisements, which profited the corporation by many millions.
How convincing was Twitter’s security argument? More than 140 million Twitter users provided their email addresses or phone numbers for security reasons during the time period covered by the lawsuit.
Had they known how Twitter intended to utilize the data, would the same number of individuals have provided it? No, we don’t believe that’s the case. The FTC was aware of the irony when a company used customers’ worries about privacy in a way that led to more privacy invasions.
Besides issuing a $150 million fine for breaking the 2011 injunction, the new order includes additional requirements to safeguard customers in the future.
Twitter is not allowed to send ads to the phone numbers and email addresses it got by breaking the law.
As part of the FTC’s action, Twitter must tell its users about the wrong way it used their phone numbers and email addresses, as well as what they can do to stop personalized ads and check their multi-factor authentication settings.
Multi-factor authentication alternatives that don’t require phone numbers should be available on Twitter.
As a result of the order, Twitter has to create a more comprehensive privacy and security program with several new rules.
It also has to get privacy and security assessments from a third party approved by the FTC and tell the agency about any privacy or security incidents within 30 days of learning about them.