Twitter has been fined $150 million (£119 million) in the United States after law enforcement authorities found it guilty of illegally using user data to sell targeted ads.
According to court documents, the Federal Trade Commission (FTC) and the Department of Justice claim that Twitter violated an agreement with regulators.
Twitter had previously stated that it would not provide personal information such as phone numbers and email addresses to advertisers.
According to federal investigators, the social media company violated these rules.
In December 2020, Twitter was fined £400,000 for violating Europe’s GDPR data privacy rules.
The FTC is an independent US government agency whose mission is to enforce antitrust law and promote consumer protection.
It charges Twitter with violating a 2011 FTC order that expressly prohibits the company from misrepresenting its privacy and security practices.
Twitter’s platform, which lets users ranging from consumers to famous people to corporate entities post 280-character messages, or tweets, generates the majority of its revenue.
According to a complaint filed on behalf of the FTC by the Department of Justice, Twitter began asking users in 2013 to provide either a phone number or an email address to improve account security.
“As the complaint states, Twitter obtained data from users under the guise of harnessing it for security purposes, but then used the data to target users with ads,” said FTC Chair Lina Khan.
“This practice impacted over 140 million Twitter users while increasing Twitter’s primary revenue source.”
Authentication violation
“Once more, Twitter is breaching the confidence that their users have in their platform through using their private data to their own advantage and increasing their own revenue,” Ian Reynolds, managing director of computer security firm Secure Team, told the BBC.
“Twitter did lead their users into a false sense of security by acquiring their data under the guise of security and account protection, but actually ended up using the data to target their users with ads,” he added.
“This reality demonstrates the power that companies continue to have over your data and that there is still a long way to go before users can be confident that they have complete control of their own digital footprint.”
Twitter requires users to provide a phone number and an email address in order to authenticate their accounts.
This information is also useful for resetting passwords and unlocking accounts, as well as enabling two-factor authentication.
Two-factor authentication adds an extra layer of security by sending a code to either a phone number or an email address, which users enter in addition to a username and password when logging into Twitter.
However, according to the FTC, Twitter also used that information to increase its advertising business until at least September 2019.
It has been accused of providing advertisers with access to users’ security information.
In addition to the fine, Twitter must also:
stop using the illegally obtained phone numbers and email addresses
notify users about its inappropriate use of security information
inform users about the FTC law enforcement action
explain how to disable personalized advertisements and go over multi-factor authentication settings.
provide options for multi-factor authentication that do not require a phone number
implement a more robust privacy and security program that includes reporting issues to FTC within 30 days
“The Department of Justice is dedicated to defending the privacy of users’ sensitive data,” said US Associate Attorney General Vanita Gupta.
“The $150 million penalty reflects the gravity of the allegations against Twitter, and the significant new compliance measures that will be sanctioned as a result of the proposed resolution will help to prevent further misleading tactics that endanger users’ privacy.”