As far as mistakes go, Twitter’s notorious two-factor authentication boondoggle could end up being a costly one.
Buried deep inside the company’s Monday 10Q filing with the Securities and Exchange Commission is a note that the social media giant might end up on the receiving end of up to $250 million in fines. At issue was Twitter “inadvertently” (it swears) using users’ phone numbers for advertising from 2013 to 2019 — numbers that were only provided for security purposes. The Federal Trade Commission apparently didn’t take kindly to that, and sent a draft complaint Twitter’s way on July 28.
For those blessed to not remember every single Twitter privacy scandal, it’s worth a reminder just how problematic the 2019 revelation that Twitter matched some users to advertisers’ marketing lists based on their 2FA numbers actually was.
Specifically, privacy experts noted that using phone numbers volunteered for security reasons for advertising represents a fundamental betrayal of trust. And that betrayal comes with real consequences.
“Twitter ‘unintentionally’ used the information it got from you to secure your account in order to make money,” Eva Galperin, the EFF’s director of cybersecurity, wrote at the time. “This kind of behavior undermines people’s willingness to use 2FA and makes them less secure in the long run.”
It also, according to Twitter’s Monday filing, might just so happen to violate the company’s 2011 FTC consent order.
“In March 2011, to resolve an investigation into various incidents, we entered into a consent order with the FTC that, among other things, required us to establish an information security program designed to protect non-public consumer information and also requires that we obtain biennial independent security assessments,” reads the 10Q filing. “[On] July 28, 2020, we received a draft complaint from the FTC alleging violations of the 2011 consent order with the FTC and the FTC Act.”
Twitter says the matter “remains unresolved,” and estimates the “probable loss in this matter is $150.0 million to $250.0 million.”
Whether such a fine would be enough to prevent similar privacy mistakes in the future is anyone’s guess, but it would at least be a start.