Two-Factor authentication has always been a platform ruse for gathering data on platform users. Twitter was just one company amid a large number of on-line platforms that pushed “two factor authentication” as a security measure. The real motive of TFA was to obtain the user’s cell phone number in order to gain more specific information about the user.
Today multiple media outlets are reporting that the FTC and Twitter have agreed to a settlement under which Twitter will pay $150 million for violating user privacy and selling user data. Twitter collected cell phone and email account information from users under the auspices of user security. However, Twitter actually planned to use the cell phone and email data to sell a more comprehensive package of user identification to advertisers.
(Reuters) – […] The company will pay $150 million as part of the settlement announced by the Justice Department and the Federal Trade Commission (FTC). In addition to the monetary settlement, the agreement requires Twitter to improve its compliance practices.
The complaint said that the misrepresentations violated the FTC Act and a 2011 settlement with the agency.
“Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences,” the complaint said.
[…] “Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina Khan in a statement. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
The complaint also alleges that Twitter falsely said it complied with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which bar companies from using data in ways that consumers do not authorize.
Twitter’s settlement follows years of fallout over the privacy practices of tech companies.
Revelations in 2018 that Facebook, the world’s biggest social network, was using phone numbers provided for two-factor authentication to serve ads enraged privacy advocates.
Facebook, now called Meta (FB.O), similarly settled with the FTC over the issue as part of a $5 billion agreement reached in 2019. (read more)
Two Factor Authentication (TfA) and the 5G telecommunications network work hand in glove.
By connecting the registered user id to their cell phone number, advertisers can target platform users with far more granular detail. 3G networks tracked user history to build the user portfolio. 5G networks bridge the space between user identity, cell phone, and geolocation services and apps on cell phones.
Cell phones are registered to people. The TfA purpose was to identify the actual people behind the registered accounts and then monitor them for enhanced targeting. The data of the user is monetized and your unique identity is sold to advertisers.
This is one of the reasons CTH does not track anyone, or ask for any data on any user. We do not monetize users at The Conservative Treehouse, and all of our engagement systems, including the comment system, are built around the principle that user privacy is our number one priority.
Any engagement platform that asks you to enter your cell phone as part of the registration process is going to have the ability to sell your data and user identity to a third party. It really is that simple.
At one time, I worked for mega-bank Chase. My legal name includes a last name suffix. In my employee profile, my suffix was typed incorrectly. Then I started getting mail from obscure companies which included my incorrect last name suffix just like Chase incorrectly set it up. That was in 2003. To this day, I still occasionally receive mail with my last name suffix (which I never use with the exception of required legal documents) appearing like this. This means Chase was selling their own employee information. Maybe that’s a common, accepted practice. I don’t know. But this typo of my name is still circulating “out there” almost 20-years later.
I have had the same experience, MB. A long-ago employer had incorrectly appended my “Jr” to my last name and all of the company correspondence I ever received while I was working for them had this error in it, even though I attempted numerous times to have it corrected.
Some time later, after I was no longer employed by this company, I began receiving mail with this error in my name – there’s only one place that could have come from. So, like you, I concluded that they must sell employee (or past employee) information. Sick.
I’m not a tech wizard. I’ve commented on this site very few times over the years. Very few. I could count them on one hand. Yet, I’ve changed my username for various reasons. But my email address is part of the required comment process, so that is unchanged. What if I entered a fake email address? What would happen?
Use a throwaway email like proton, mail or yahoo (there are tons)… never use the one provided by your internet service provider.
This comment is being made with an email address of “[email protected]”. Does this answer your question?
I recommend that you use the same email address to comment even if it is fake, as a new address apparently is suspended until an admin checks it out.
Pull your credit reports – all three – and scour them. Make sure that someone hasn’t assumed your identity or used credit in that name. Just a thought. Big companies buy credit bureau data as well as social media data as well as all public data. I wish that were a criminal offense.
That happened to me once. I found out when the person defaulted on an account that was opened in my name.
This is very important in the age of illegals and their massive use of SS#s for fake docs, which, if used and belong to a real person, constitutes IDENTITY THEFT…A FELONY.
I keep wondering if Joe is issuing illegals real, but confidential SS#s, so they can work, and later be added on for benefits. It’s a consideration.
Nah, he’s just letting them use ours. It helps accelerate the collapse of everything if the credit system is messed up too.
Nice try, Georgia. We know that’s YOU!
Why is it when companies do wrong and are caught, the government collects lots of money for the rule breaking, while the rules broken were against certain people, not the government. Shouldn’t the people affected be the ones who get the money, not the government?
Ah, I posted my similar comment before I read yours! I am in total agreement!
Corporations are a legal entity.
I note not only that they broke the law, as stated in the article, but also a 2011 agreement where they specifically acknowledged, presumably, this was not to be done. This is “willful conduct” and would result in greater punishment for an unprotected entity. This appears to be merely the illusion of legality, negotiated with one of our corrupt agencies. I expect this is done as a pre-emptive move to clean house at Twitter for illegality as they brace for litigation with Musk. Let’s see if they come clean about the bots.
hmmmm…sounds like the argument the reparations crowd likes to use as well.
be careful what you wish for.
Remember Sessions shut down the shakedown operation of the Obama administration (which sued companies and pressured them into settling by giving to select leftie charities instead)? Looks like it’s back on.
This. What do you get for them grabbing your info? That fine is to them like 20 bucks is to most people. They use it to write down their tax liability and shuffle right along as before.
Yep, it’s just a “cost of business” for them. The $1.2B fine on HSBC Bank for money laundering is substantial, but it’s a drop in the bucket for them.
I agree – when reading this “fine”, I immediately thought it would be paid out like a class-action settlement.
The money will go to fringe left groups. BLM needs another mansion.
Now, that’s a REALLY BIG PROBLEM, ESPECIALLY with leftists. The CFPB, which assesses financial crimes on the part of big companies, collects big fines, but the money goes to left activist orgs, NOT THE VICTIMS THEMSELVES. It’s a huge problem.
The fine — great, so the government gets the money? What about the 140 million users? Hand that money over to the individuals. Wouldn’t that be an uptick to the economy? LOL!
Where does the money go?
$150 million is a lot of money.
Do those whose info was marketed for $ without their permission receive any of the money?
Curious minds want to know.
That’s $1 per affected user. Think about the ROI on that $1. Seems like crime pays well for tech companies.
NO matter what I’m against socialism Twitter,
Sorry…have to depart from the otherwise wise counsel at CTH.
MFA/TFA was a technical response to evident weaknesses in password based authentication systems. MFA is a class term that, by definition, can assume more than one technical implementation. From enrollment through authentication any such system-of-systems involves identity management functions (from near non-existent to heavily robust); any such system-of-systems will have strengths and weaknesses.
It is in the political sphere that societies struggle with the evident tradeoffs between confirmed identity and privacy; it is in the technical sphere that the tradeoffs attempt to address the ever-changing legal/regulatory landscape: how many attributes? what credentials? what protections for attributes that are inherently privacy bound or can be aggregated?
Identity management is a critical security foundation. What happened here is that Twatter monetized the privacy information it collected. Slam their arses for privacy violations – that’s what is at the heart of the matter.
Drive home privacy – that’s the real ground zero. There is a mountain of regulatory edicts on privacy. Anyone inside the system, however, knows that these privacy controls are generally given lip service when it comes to no-kidding assessment and authorization.
Don’t throw the technical baby out with the bathwater.
The political dimensions of the tradeoffs should receive greater inspection – today – as we venture into CBDC coupled to robust identity management systems.
That is truly scary – way beyond anything Twatter can do (whether Twatter is an IC stooge or not).
This is social media. It doesn’t require the same security as your banking apps.
Indeed, 2FA/MFA is not inherently a bad thing (especially on valuable accounts such as banking), but using 2fa specifically via phone number, in order to have data to sell on users – THAT is the problem here.
At one time, in the beginning, SS#s were forbidden from being used as an identifying number of any kind. Of course, once it is discovered that that information can be used to make money for the government.
I remember when the odious “civil asset forfeiture laws” were implemented in 1990 or so, both conservative privacy groups and the ACLU joined together to fight it. Once the ACLU discovered that they could get money shared with them, they stopped protesting.
It’s now a legalized revenue extortion system, with revenue-sharing between federal, state, and local gov’t orgs. Law enforcement enthusiastically participated. Our gov’t is a criminal organization, at every level.
And so where is the $150mil going? Will it go to the “victims” of the crime, or will the corrupt and criminal cabal of Congress (or the Democrat party) reap these rewards?
Typical Obama/Holder move – levy a fine on a large corporation, allow the money to be paid to the Democrat party supporters and claim they did a good thing for the American people.
Rubbish.
I read this article with amusement how it is couched in terms of commerce. The tracking information is more saliently shared with we all know who for the purposes of accusations of white supremacy, etc. i.e. targeting political dissidents.
Another example of Orwell’s amazing prescience of the TV that could never be turned off but actually was an electronic spy. I am persuaded that this is what the driverless electric cars are for. Consumers certainly were not asking for these advert prisons.
Indeed!
That is simply not possible for retired people, to keep $100,000 in a home safe. We need income from our savings to eat and live. We can do it to some extent, but not that.
As I tell my kids, “when you go on social media, the thing that’s for sale is YOU. Are you for sale?”
I do not have a Fakebook account and I do not have a Twitter account. The people I know still using them are getting frustrated that so many of us aren’t on the platforms, so they have to hunt us down via phone/text or email. I view this as a positive.
My running club has 30-40 members. One of the guys, in response to a group email about a race posted on the Fakebook page replied, “I don’t use Fakebook, you need a better way to get info out.” Someone else replied, “I’m glad I’m not the only person who has his s$$t together and doesn’t use Fakebook.”
Progress.
For Twitter, the FTC ruling shows how willing they are to lie and withhold information from users and advertisers giving Musk even more leverage to take the price down $10B-$20B and blow up most of the “management” team there.
“This practice affected more than 140 million Twitter users.”
That is those who gave up the number.
Lately Twit logged me out.
Then they would not take my correctly typed username and password. Then they required TFID to log me back in.
Now I see.
I wonder what part of the $150 MM I’ll be getting?
That is also a data point for Elon Musk.
How many users was he told he was getting?
It’s not just engagement platforms that want phone numbers. Stores like Tractor Supply do it, too. When they first started asking everyone for phone numbers, I refused. Then one day, I had to return something. I had the receipt, but the idiot manager tried to tell me she couldn’t refund my money without a phone number. Bull hockey! I bought it without a phone number; I can return it without one.
Tractor Supply still asks, and I’ve been telling them NO for years; however, I think I’ll start rattling out random numbers every time. Sorry if I give ’em yours!
The whole phone number requirement is why I don’t use google e-mail anymore. Actually, I never used it much anyway, but now I don’t use it at all.
Meter money fines to collect their protection money, by the US Government.
This is no different than the ANNUAL shakedowns by EU Governments via their courts for violation of “privacy” and “anti-trust” regulations that have been going on for the past 10-15+ years.
Year after year the fines are collected for the same behavior but the behavior NEVER CHANGES.
A dedicated curious cat needed for this one.
I knew they were trying to get phone numbers and with that, they could harvest geolocation data, etc. This is why I never got a Twitter account. I only read publicly available accounts, and even then I use the Brave browser to block their tracking data. Although, I know that whenever you visit a website, the server(s) record the I.P. address of your location. All in all, the Internet is great and if we could 100% anonymize it, that would be better without having to set up layers of security at home (VPNs, encryption, etc.)
Having your phone number on its own doesn’t allow them to track your location (unless it’s the government you’re talking about – in which case they can do whatever), but having the number is more valuable for cross-referencing your identity with other data they have so they can target ads better.
On the other hand, using an app can potentially allow them to track your location even without telling them your phone number.
Makes me wonder if the demand for a phone number from campaigns is to sell it to data brokers. Like the RNC?
Twitter, like most “social media” operations, is a sewer.
Does this make Twitter look even less palatable as an investment?
It is my policy never to give out my cell phone number unless I absolutely have to. That includes Twitter! As a result, I get very few nuisance phone calls.
“Two-Factor authentication has always been a platform ruse for gathering data on platform users.” I worked in IT for decades and spent many years dealing with security systems of one type or another. In an ordinary corporate setting, using two-factor authentication for a system or, frequently, a physical location with sensitive contents, isn’t about collecting data on users with a couple of simple exceptions. Those exceptions amount to knowing who was in what location and/or running what program on what device at what time. However, as correctly noted, for scum like the management of twitter and other “social” media, it quite clearly is.
Yes. Twitter is acting as though they have the same rights over their users as a company has over its employees.
So where does the fine money go to? Does it go to the Twitter users? Of course not! Fines usually go to a lefty organization. So the “punishment” is forcing lefty Twitter to donate to a lefty organization.
I recall a lot of reports from existing users saying they were suddenly being locked out of their accounts. Twitter was demanding a phone number to log back in.
These users refused to do so b/c of privacy concerns. Their accounts were still showing as active (not suspended), but they couldn’t actually use it.
A rather convenient way of silencing wrong-think, while keeping the overall number of supposed Twitter users high.
Advertisers were not only paying for bots, but many “ghost accounts” too.
Exactly who gets that $150 million? Does it go to pay off the national debt, or does it get routed to some faceless, nameless “agency?”
A just over $1 fine/per customer affected by data sold without their consent is laughable. This fine is nothing but a slap on a finger, not even wrist.
So despite their open embrace of socialism/Marxism, Twitter is nothing but a bunch of capitalists.
Bahahahaha!!
and what about the people Twitter violated? What do we get?
Who gets the money collected in these fines, the people who were violated, or the government that allows these companies the special status upon which they operate?
Twitter value decreases by the day. Win/win.
CTH,
You use Google Ads & Google Analytics. Google tracks all of your users.
As for Google Analytics, you are in good company. Most government websites host Google Analytics, and call Google on each page turn.
https://defyccc.com/google-spies-on-us-on-gov-sites/
BTW, $150M fine is a slap on the wrist.
only 150 million.
This is why you must NEVER give any social media company your phone number just to have an account.
Thanks for letting us know that. Google gets its hand slapped once in a while, doing things it shouldn’t do, gets fined. Pays fine, and finds a new way to collect data, gets caught, ad nauseam.