Twitter has been misusing, for targeted advertising, the phone numbers and email addresses people provided expressly to secure their accounts.
The transgression, which Twitter described as “inadvertent” in a recent disclosure, reveals the insidious voracity of surveillance capitalism. Companies that make money by mining users’ personal information tend always to put profits before privacy. It’s simply the nature of the business.
In Twitter’s case, the company used the information people provided for security reasons to match them against lists of contact information uploaded by marketers, allowing for the sale and display of targeted ads. Twitter said it stopped the practice on September 17th, although it declined to estimate how long the misuse had gone on, when it discovered the issue, or how many people were affected. “This was an error and we apologize,” the company said. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”
This breach of trust was, at its core, a bait-and-switch. Twitter requires anyone who wishes to use two-factor authentication—a sensible security measure that demands a second logon code, via text message, authenticator app, or hardware security key, in addition to a password—to provide a working phone number. People seeking additional account protections had, in other words, no choice but to divulge their digits. It’s hard to view Twitter’s barefaced data-grab as a “mistake” and not as a shameless attempt to improve its ad-targeting and, thereby, make more money.
Twitter plans to change its security policy, a spokesperson tells Fortune. The company has historically required a person to keep a phone number on file, as a fallback, in case they “got locked out of their account with no way to recover,” the spokesperson said. This policy “is not ideal anymore and we’re working towards decoupling the two going ahead.”
Twitter is not unique in its transgression. Facebook, surveillance capitalist par excellence, fessed up to doing the same thing in September 2018. With nary a hint of contrition, Facebook said at the time, “We use the information people provide to offer a better, more personalized experience on Facebook, including ads.” The company then reminded people they can “manage and delete the contact information you’ve uploaded at any time.”
The irony is that using a phone number for two-factor authentication is, while far better than using nothing, not ideal. “SIM-jackers” can hijack people’s phone numbers by tricking mobile carriers into transferring ownership—just ask Twitter CEO Jack Dorsey. And hackers can also exploit a flaw in “signaling system 7,” or SS7, a cellular networking protocol, to intercept people’s messages.
Any data one gives out can be misused. But, to be clear: There is no better way to secure oneself against phishing, hacking, account takeovers, and digital infiltration than implementing two-factor authentication. Using a phone-based factor is way, way, way better than using nothing at all (though security keys are best of all).
It’s a shame to think the unscrupulous, profit-mongering actions of companies like Twitter and Facebook could make consumers think twice before taking measures that will boost their security.
Robert Hackett | @rhhackett | email@example.com
You've been serve-veilled. Newly declassified files show that a federal judge last year ruled the FBI's searches of a database of intercepted email messages to be in violation of the Fourth Amendment, the one protecting Americans against warrantless searches and seizures. The once-hidden legal spat, elucidated by the New York Times, concerns Section 702 of the FISA Amendments Act, a policy that enabled warrantless surveillance in the aftermath of the Sept. 11 terrorist attacks.
Start spreading the (fake) news. An 85-page report released Tuesday by the Senate Intelligence Committee criticizes tech giants for spreading misinformation during the 2016 presidential election and urges them to do better during next year's contest. While past reports focused mainly on Facebook and Twitter, the new one takes other firms to task, including Google's YouTube, Reddit, Microsoft's LinkedIn, and Pinterest.
As one Russian operative reportedly put it after Trump won, "We uncorked a bottle of champagne...[and] we uttered almost in unison: 'We made America great.'"
GDP-Bragh. Ireland’s Data Protection Commission has finished investigating Facebook's WhatsApp and Twitter for potential breaches of EU data privacy laws, respectively involving their data-sharing disclosures and breach notifications. The process has moved into the decision-making phase, spokespeople said, and possible fine recommendations are likely to come by end of year.
Walking on eggshells. Chinese censorship has been creeping across the border. Senator Marco Rubio has asked the government to investigate social media phenom TikTok over censorship claims. Apple has reportedly asked show producers not to get on the Communist Party's bad side. The New York Times' Farhad Manjoo writes that "dealing with China isn't worth the moral cost." (Of course, the Times is already banned there.)
Ash Carter, a former U.S. Secretary of Defense and current director of the Belfer Center for Science and International Affairs at the Harvard Kennedy School, says we need to cheer on technology projects designed with public ethics in mind. So his school is debuting, in conjunction with Wired, a "tech spotlight" to "recognize products, initiatives, and policies that embrace principles such as privacy, security, safety, transparency, accountability, and inclusion—and that aim to minimize technological harms." Here he describes the initiative's rationale.
Technology and all of objective science are caught in a crisis of reputation. From investigations into competition practices to legislative scrutiny over the application and safety of new products, innovators are facing a reckoning for their seeming absence of principles such as privacy, security, inclusion, transparency, and accountability. But it is possible to bend the arc of innovation toward overall public purpose.
The Power Grid Is Evolving. Cybersecurity Must Too by Neil Chatterjee
Why Did Google Offer Black People $5 to Harvest Their Faces? by Jeremy Kahn
Privacy, Civil Rights Groups Press Amazon’s Ring to End Its Local Police Partnerships by Lisa Marie Segarra
What It’s Like at the Center of the Surveillance Economy by Adam Lashinsky
‘Mr. Robot’ Creator Sam Esmail on the Show’s Fourth and Final Season by Paula Bernstein
ONE MORE THING
On a completely unrelated note, LitHub, a literary blog, just published the contents of an old talk delivered by Philip Pullman, a favorite author of mine, circa middle school, and creator of the His Dark Materials trilogy, which will be released as an HBO TV series next month. (Pullman also has a new novel out.) The subject of the lecture: What separates children's literature from adult literature? Is the former less sophisticated than the latter? Is it, as one critic put it, unserious?
For those who cannot get enough Pullman, The New Yorker recently interviewed him for a Q&A. I like the bit about J.R.R. Tolkien, who, Pullman believes, wrote "very, very, thin stuff."