Twitter “Unintentionally” Used Your Phone Number for Targeted Advertising

You give a tech company your personal information to activate a security feature and later find out they were using it “unintentionally” for targeted advertising.

By Gennie Gebhart and Jacob Hoffman-Andrews, Electronic Frontier Foundation:

Stop us if you’ve heard this before: you give a tech company your personal information in order to use two-factor authentication, and later find out that they were using that security information for targeted advertising.

That’s exactly what Twitter fessed up to yesterday in an understated blog post: the company has been taking email addresses and phone numbers that users provided for “safety and security purposes” like two-factor authentication, and using them for its ad tracking systems, known as Tailored Audiences and Partner Audiences.

Twitter claims this was an “unintentional,” “inadvertent” mistake. But whether this was avarice or incompetence on Twitter’s part, the result confirms some users’ worst fears: that taking advantage of a bread-and-butter security measure could expose them to privacy violations. Twitter’s abuse of phone numbers for ad tracking threatens to undermine people’s trust in the critical protections that two-factor authentication offers.

How Did Your 2FA Phone Number End Up in Twitter’s Ad Tracking Systems?!

Here’s how it works. Two-factor authentication (2FA) lets you log in, or “authenticate” your identity, with another piece of information, or “factor,” in addition to your password. It sometimes goes by different names on different platforms—Twitter calls it “login verification.”

There are many different types of 2FA. SMS-based 2FA involves receiving a text with a code that you enter along with your password when you log in. Since it relies on SMS text messages, this type of 2FA requires a phone number. Other types of 2FA—like authenticator apps and hardware tokens—do not require a phone number to work.

No matter what type of 2FA you choose, however, Twitter makes you hand over your phone number anyway. (Twitter now also requires a phone number for new accounts.) And that pushes users who need 2FA security the most into an unnecessary and painful choice between giving up an important security feature or surrendering part of their privacy.

In this case, security phone numbers and email addresses got swept up into two of Twitter’s ad systems: Tailored Audiences, a tool to let an advertiser target Twitter users based on their own marketing list, and Partner Audiences, which lets an advertiser target users based on other advertisers’ marketing lists. Twitter claims the “error” occurred in matching people on Twitter to these marketing lists based on phone numbers or emails they provided for “safety and security purposes.”

Twitter doesn’t say what they mean by “safety and security purposes,” but it is not necessarily limited to 2FA. In addition to 2FA information, it could potentially include the phone number you have to provide to unlock your account if Twitter has incorrectly marked it as a bot. Since Twitter forces many people into providing such a phone number to regain access to their account, it would be particularly pernicious if Twitter was using phone numbers gathered from that system for advertising.
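To make the purpose-limitation failure concrete, here is an added Python sketch (not Twitter’s code or the EFF’s; the class, function and sample names are assumptions, and the advertiser list is assumed to arrive as hashed identifiers) showing an audience-matching step that ignores why an identifier was collected beside one that only admits identifiers the user supplied for marketing and logs every blocked security-purpose hit for audit.

```python
# Added illustration, not Twitter's or the EFF's code: names are hypothetical, data constructed.
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
import hashlib

class Purpose(Enum):
    SECURITY = "safety_and_security"  # 2FA phone, recovery email, anti-bot unlock
    MARKETING = "marketing"           # identifier the user consented to ad matching with

@dataclass(frozen=True)
class Contact:
    user_id: str
    identifier: str   # phone number or email address as entered
    purpose: Purpose  # why the platform holds it

def normalise(identifier: str) -> str:
    """Lower-case emails; keep only digits and a leading '+' for phone numbers."""
    s = identifier.strip().lower()
    if "@" not in s:
        s = "".join(ch for ch in s if ch.isdigit() or ch == "+")
    return s

def hashed(identifier: str) -> str:
    """Advertiser lists are assumed to arrive as SHA-256 hashes of normalised values."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()

def index_store(store):
    """Group held contacts by hashed identifier; one user may hold a value for several purposes."""
    by_hash = defaultdict(list)
    for c in store:
        by_hash[hashed(c.identifier)].append(c)
    return by_hash

def match_audience_unscoped(by_hash, advertiser_hashes):
    """The defect: every identifier the platform holds is matched, whatever it was collected for."""
    return sorted({c.user_id for h in advertiser_hashes for c in by_hash.get(h, [])})

def match_audience_scoped(by_hash, advertiser_hashes, audit_log):
    """Hardened: a hit counts only where the identifier was also collected for MARKETING;
    security-only hits go to the audit log and stay out of the audience."""
    matched = set()
    for h in advertiser_hashes:
        hits = by_hash.get(h, [])
        if any(c.purpose is Purpose.MARKETING for c in hits):
            matched.update(c.user_id for c in hits if c.purpose is Purpose.MARKETING)
        else:
            audit_log.extend(f"blocked: user={c.user_id} purpose={c.purpose.value}" for c in hits)
    return sorted(matched)

# Constructed sample: u1 gave a phone only for 2FA, u2 opted in, u3 holds one email under both purposes.
STORE = [
    Contact("u1", "+1 555 010 0001", Purpose.SECURITY),
    Contact("u2", "alice@example.com", Purpose.MARKETING),
    Contact("u3", "bob@example.com", Purpose.SECURITY),
    Contact("u3", "bob@example.com", Purpose.MARKETING),
]
ADVERTISER_LIST = [hashed(x) for x in ("+1-555-010-0001", "Alice@Example.com", "bob@example.com", "carol@example.com")]

def demo():
    """Return (unscoped matches, scoped matches, audit entries) for the constructed data."""
    log, by_hash = [], index_store(STORE)
    return (match_audience_unscoped(by_hash, ADVERTISER_LIST),
            match_audience_scoped(by_hash, ADVERTISER_LIST, log), log)
```

The unscoped matcher returns u1 even though that phone number exists only because u1 turned on 2FA; the scoped matcher drops u1, keeps u3 because a separate marketing-purpose record exists, and leaves an audit entry that a reviewer can count.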

What We Don’t Know

Twitter’s post downplays the problem, leaving out numbers about the scope of the harm, and details about who was affected and for how long. For instance, if Twitter locked you out of your account and required that you add a phone number to get back in, was your phone number misused for advertising? If Twitter required you to add a phone number when you signed up, for anti-spam purposes, was your phone number misused? When is an email address considered “fair game” for ad targeting and when is it not?

Twitter claims it “cannot say with certainty how many people were impacted by this.” That may be true if they are trying to parse finely who actually received an ad. But that’s an excessively narrow view of “impact.” Every user whose phone number was included in this inappropriate targeting should be considered impacted, and Twitter should disclose that number.

2FA is Not the Problem

Based on what we know, and what else we can reasonably guess about how Twitter users’ security information was misused for ad tracking, Twitter’s explanation stretches the meaning of “unintentionally.” After all, the targeted advertising business model embraced by Twitter (and by most other large social media companies) incentivizes ad technology teams to scoop up data from as many places as they can get away with—and sometimes they can get away with quite a lot.

The important conclusion for users is: this is not a reason to turn off or avoid 2FA. The problem here is not 2FA. Instead, the problem is how Twitter and other companies have misused users’ information with no regard for their reasonable security and privacy expectations.

What Next

Twitter needs to come clean about exactly what happened, when, and to how many people. It needs to explain what processes it is putting in place to ensure this doesn’t happen again. And it needs to implement 2FA methods that do not require giving Twitter your phone number.






35 comments for “Twitter “Unintentionally” Used Your Phone Number for Targeted Advertising”

  1. william witter says:

    The twitter Speech Police, and spying on users is a CIA/NSA/DIA/FBI/ IRS/etc, etc. Operation. I personally believe Facebook, Twitter, and other social media sites are totally monitored by the deep state and are controlled by them.

    All should get rid of these obvious government ops, and do not use them.

    Otherwise, it gives them the precedent to get rid of most of the constitutional rights guaranteed to Americans. This is their ultimate goal.

    • alex in San Jose AKA Digital Detroit says:

      I was on Twitter for a bit and had some fun telling the President how much of a fat ass he is, then I was off, then on again for a bit and now I appear to be off. Who cares? What more does anyone using a computer at all need more than email?

  2. Willy2 says:

    – But, but, but …….. how is Twitter supposed to make a profit when they can’t sell your personal information to third parties?

    • sierra7 says:

      Willy2:
      My contention is that ALL personal information is just that, “personal” and should be protected by regulations that prohibit ANY business entity using that information UNLESS THEY PAY UP FRONT TO THE HUMAN INDIVIDUALS !
      Just think how “wealthy” All citizens would be?????
      We are just plain stupid! We give away personal information to business and they use it for profit………No, show me the money first! That’s the way it should be.

  3. Dano says:

    This demonstrates the loathsome twisted mentality these social media companies have to control the lives of their customers.

    • Vespa P200E says:

      Yep that’s why no twerker and fakebook accts in my family and only 1 of 2 daughters uses InstaBS. How I wish the next downturn in SillyCON valley takes billions of market cap from the social media parasites they are…

    • Rat Fink says:

      The thing is if people don’t like this, remove the app – permanently.

      Stop using google and switch to Duckduckgo

      Most people simply do not care.

      The rest are like beaten dogs who just accept another kick without even bothering to growl.

      • quack says:

        Get the phone with 2 sim slots, get the cheap phone number sim card in some country you travel to. In some countries it is about $5-10 a month, and use it for your 2FA. Make them call international with their ad shit. Quack the social media!

  4. raxadian says:

    There is no such a thing as a free online service, you always end paying, one way or another.

    • As the saying goes, if you’re not paying for the product, you are the product. Shame on them, yes, but also on anyone who is surprised, and on those who remain blasé about this type of thing. … Says the guy typing into his spying Android… :( But at least I donated to EFF!

  5. Petunia says:

    This is not about Twitter coming clean about who they are tracking. This is about people owning their data and the profiles created on them. Whatever information they collect belongs to the user and the user should be informed of the ways the data is being used and compensated for that use.

    Those phone numbers Twitter gave to others are the paid for property of the users, some of whom pay extra to keep them private. Twitter violated the privacy of every person whose phone number was shared. This is a privacy and safety issue as well because nobody knows who those third parties then sold or shared the data with, or the extent to which other data on the phones was mined.

    Legislation to deal with data ownership is overdue.

    While I’m on a tech rant, l also think all the demonetization that goes on on platforms is theft. Content providers invest a great deal in creating content, and when they are not paid for its use, that’s a form of piracy on the part of the platform. I don’t see why video content providers don’t join the film unions and demand to be paid as film makers and actors. All this free work is impoverishing working people, while the posers in silicon valley make all the money.

    • GirlInOC says:

      Democratic candidate Andrew Yang just released his plan on data ownership. Sounds similar to what you’re talking about, that online data should be considered personal property:
      https://www.yang2020.com/policies/data-property-right/
      This hadn’t been on my radar before the Yang proposal popped up on my newsfeed. Very interesting, and timely, topic to say the least

    • Old Dog says:

      Well said Petunia,

      I would add that the race is on for the privacy-abusing companies to become a quasi-government agency. The price is a monopoly or a duopoly on tools for population control.

      AT&T and its spawn are enjoying a monopoly on telecommunications surveillance. Comcast has a near monopoly on the internet. Visa on credit cards, Google on phones and the three credit bureaus on our financial lives. Add PayPal and a bunch of others.

      The irony is that all these companies are fiercely protective of their privacy. Not yours.

    • Prairies says:

      I share the same concern over all the GPS data mining used in every vehicle with a GPS system. The manufacturers collecting the data have no clue how to price this data, but they sure like to collect it for free. To be honest people pay for the feature so the manufacturer is being paid to sell the data. Pretty slick business to be in, but I am not so keen on my driving being monitored – no different than my phone.

  6. medial axis says:

    It’d be good, wouldn’t it, if we had some form of digital cash that could be sent from A to B without A knowing B nor B knowing A. You know, much like physical cash. That’d enable us to buy stuff on line without need for vendors to store our bank details[1]. That may not help with the likes of the Twitter case above but it’d enable other firms to offer services (similar to Twitter or whatever) that you pay for (with digital cash) as you go. They’d not be selling your data as they’d not have it and you could be sure of that.

    [1] It’s odd anyway, isn’t it, for vendors to be storing our bank details when it’s we who are sending money to them, not them to us!

    • alex in San Jose AKA Digital Detroit says:

      This is why physical cash will never die, and I hope to retire to someplace with a more antiquated, physical cash based, economy.

  7. David Hall says:

    I have the free AT&T Call Protect and Mobile Security app on my smart phone. They alert me if an incoming call is from a fraud number or spammer. I did not answer those calls. I blocked numbers on a regular basis.

    People called me from the Internet using someone else’s number in my local area. It might be a telemarketer in Sri Lanka. They were able to make a spoof call, but were not able to receive phone calls at the phone number they impersonated. If I try to return a spoofed call, I might get a real person who did not call me and does not know why I am calling them. After a while I did not call back strange numbers. If they wanted to leave a message they could.

  8. d says:

    You “Trust” a social media or tech service company, to secure your information and be truthful with you.

    I understand.

    I have this bridge in Brooklyn for sale.

  9. I sort of see this like Elvis throwing towels to the fans. He doesn’t think the towels have any value, they do. Should he charge them for these towels? (maybe he did write it off his taxes?) Is this a way of solving the process involving purloined data taken from users who do not hold that data in high regard? Am I entitled to a data tax break?

  10. Kent says:

    The government should simply set up a non-profit that manages secure authentication for the Internet. There are protocols out there to choose from: OAuth, SAML, Radius and probably others. That should not be the function of individual organizations. The benefit would be a single userid/password for every site on the Net. An improvement on that would also be a database that allows your userid to be hidden behind fake or anonymous userids for individual websites.

    Google, Yahoo and the rest don’t need to know who I am or anything about me. This is all very simple if you can get the libertarians out of the way.

  11. Brant Lee says:

    Good luck everyone with AI about to swoop in on us. Meanwhile, the government is on top of simple Robo Calls… NOT. Just got 2 today.

    In China, there is the ‘social credit system’ on citizens. In the rest of the world, it’s Tech implementing it on us, and the government sits back. What’s the difference?

  12. MC01 says:

    I love the word “inadvertent”. It makes me think that either Twitter’s legal team advised them to use the “naive savage” defense to try and stem the lawsuits that are sure to follow. Or that Twitter is so dysfunctional and pathetically organized that they cannot even manage user-supplied phone numbers. To paraphrase Arthur C. Clarke, both are equally entertaining.

  13. Unamused says:

    You give a tech company your personal information to activate a security feature and later find out they were using it “unintentionally” for targeted advertising.

    It seems like only yesterday the Financial Times ran an article titled “Beware the digital Stasi in your pocket”.

    Big Brother: “This is too easy.”

  14. joe says:

    Ha Ha. I should have known better. I now have a burner phone.

  15. Michael says:

    It’s a feature not a bug

  16. at&t says:

    I think it was 6+ years ago twitter started asking for and/or demanding the mobile number, so I closed my twitter account, I think there were 2,000+ followers/friends, … whatever, doesn’t matter, killed my facebooks 10+ years ago.

    Now I use NO social networking and it feels good.

    One thing not mentioned here is that once the hackers get your mobile, then there are ways they can redirect your banking 2FA to their number, and then they can get into your bank account. Thus people should really use a burner phone for setting up this ‘social network garbage’, because seriously you don’t want to be handing out your real mobile number that is used for your real biz.

    Works something like this, so you have an account with ‘robinhood’ for a million, say through talking too much you let on you got $1M cash in your account, the hackers only need to get your password which isn’t hard, then of course they can ‘buy’ mobile numbers from sources such as ‘twitter’. Then when they log in to your brokerage account they can forward the 2FA from your phone to their phone, long before you even get the email notice that somebody is being logged in, and long before your phone even gets the PIN.

    In summary DO NOT GIVE OUT your real biz phone numbers, to anybody but trusted banks and/or loved ones.

    These days google/amazon all collect & read your email, they know which banks you use, they know what passwords you use, they know all your phones. Whether there are criminals working for ‘chromebook’, or just an easy pass to GOV for ‘taking’, it’s all just too easy to clear anybody out anytime.

    • d says:

      YOU are still toast, as those accounts are never deleted, only overt public access to them is.

      The slightly smarter people never had social media accounts, mobile phone #’s or google, Yahoo, or even Netscape accounts connectable to them.

      All those supplementary Census question sheets IBM created for their clients, pre 1939, TAUGHT some of the survivors, A LOT.

      • GirlInOC says:

        I was in high school when I got my first online accounts. I guess there were people slightly smarter than me as a teenager.

        • d says:

          “I was in high school when I got my first online accounts.”

          That’s how they do it, with peer pressure, just like big tobacco.

          You allow and encourage Teachers, to use Tobacco, in front of students.

          The Role/Example model does X, then X, is acceptable.

          ++

          Not smarter, they just had parents and grandparents, who took 1 look at that tech stuff, shuddered, and said don’t you dare, or I WILL kill you.

          By high school, those parents and grandparents had educated their offspring about how governments, corporates, groups, and institutions, do things, and that the last thing most governments, Etc, had, was YOUR interest, at heart.

          Getting off the radar takes effort and a long time, it is almost impossible to do it entirely. Due to IRS via “no visible means of support” if you are anywhere long enough to be considered tax domicile, or a poor old US global tax slave.

          Step 1. Get photo ID (as nothing works these days without photo ID) that does not link to DMV, SS, or IRS, #.

          2. Get an email account that links to nothing, and keep it that way. Initiated at a public terminal, not near your home, Family home, or workplace.

          1 and 2 can be reversed.

        • d says:

          sometimes the lack of edit is an issue.

          http://www.ibmandtheholocaust.com/

          I have posted it before, what’s more important than his work is all the bibliography and notes included. Which prove he isn’t blowing smoke.

          I would like it to be publicised, who is really behind Facebook and G, as they know more about most people on the planet, than most Governments do.

          I have a feeling they didn’t get into existence and dominance without the consent of, and a very covert relationship with, the NSA, Mossad, five eyes.

          To the mentioned, Wikileaks is a “Hostile non state intelligence agency” But G and FB are not????

  17. marc says:

    Big tech is big brother.
    Always been.
    NONE of the data we share/they steal from us is safe.
    EVERYTHING gets sold. Everything.
    That’s how they make shadow profits.
    And get in bed with the worst socialist/communist dictatorships on earth.

  18. Gunther says:

    Twitter got caught now, all the voice assistants reportedly listen to bedroom noise, “smart” cameras taping bedroom stuff without user consent and so on. Gboard, the standard keyboard app, sends quite a bit of data back home, add in location, search history, phonebook and so on.
    The banking app does not work on a rooted phone, officially because of some “safety concerns,” practically root is needed to at least limit data collection by apps and google or apple.
    Could it be that google changes search results and newsfeeds based on the info they got? That may start with advertising but goes farther than big brother.

  19. Tyronius says:

    And this is exactly why I’m not on Twitter, Facebook, LinkedIn, or any other social media platform. I’m well aware how this isolates me, so even opting out exacts a severe penalty. It’s too bad that our government is far more concerned about the welfare of huge corporations than it is about that of its own citizens. It also says an awful lot about who’s running our government and their interests.
