Twitter does not seem to know exactly what it does or does not do with its users' data. In any case, in a recent note, the US company says that data users provided to back up their accounts was "possibly inadvertently" used for advertising purposes.
These data are e-mail addresses and telephone numbers that users deposit with Twitter, for example for so-called two-factor authentication. The system, called "sign-up confirmation" on Twitter, helps to better protect accounts against unauthorized access.
Twitter explains, "If an advertiser has uploaded their marketing list, we may have matched the advertiser's list with the users on Twitter based on the email address or phone number that the Twitter user specified for security purposes." Marketing lists are based on data that advertisers have already collected from other sources and may include email addresses and phone numbers.
Extent unclear
Apparently, Twitter has used data for advertising purposes, which were clearly not intended. Many details remain unclear. Thus, the company provides in its German-language reference no clue how many users could be affected. Anyone who ever left their phone number - what could millions of users be? A certain proportion of users? Only those that fall into certain categories?
Twitter writes that the use of data for advertising purposes is particularly about his "advertising system for tailor-made target groups and partner target groups". In the English equivalent of the note says at least: "We can not say for sure how many people were affected, but in the interests of transparency we wanted to enlighten everyone." But it is also completely unclear in this version of the note, since when "possibly inadvertently" the data got mixed up.
We recently found that some email addresses and accountancy services have been used unintentionally for advertising purposes. Https://t.co/bBLQHwDHeQ. This situation is no longer happening
- Twitter Support (@TwitterSupport) October 8, 2019Turning point 17th September
The most concrete thing Twitter tells its users is this: "The issue that caused this bug has been resolved since September 17. We no longer use phone numbers or email addresses collected for security purposes for promotional purposes No personal information has been disclosed to any of our partners. "
That's not a real enlightenment. The process itself and its public processing should weaken the trust of users both in Twitter, as well as in the two-factor authentication generally recommended for account assurance. Twitter is also guilty of explaining why its users are only now being informed, three weeks apart.
In his note, the company finally apologizes. In addition, it is said that they are working on "measures to prevent a repetition of this error": Anyone who has questions, can use a form to contact the Privacy Officer of Twitter.
Also Facebook had trouble with the topic
For the use of information for the two-factor authentication also for advertising purposes, has been in the past already Facebook massively in the criticism - including the US Trade Commission FTC, which had collected a number of allegations against the group.
Facebook had according to researchers according to the account under "security and login" deposited phone numbers for personalized advertising - and this procedure also defended. Anyone who bothered that Facebook use the number deposited for advertising purposes should choose instead of SMS codes just another method for two-factor authentication, a Facebook spokesman said just under a year ago on request of "Gizmodo".
A bypassing of the SMS code procedure is practically useful also on Twitter - in particular from the viewpoint of the information security, since the SMS procedure is regarded as comparatively susceptible to attacks. On Twitter can be used to confirm their own login, among other mobile security apps such as the Google Authenticator. But before that the service uses a phone number "possibly accidentally" for advertising purposes, the alternative route does not necessarily protect: For the first activation of the "registration confirmation" requires Twitter namely first linking a phone number with your own account.
