
August 04, 2020

Twitter pulls a Facebook, faces FTC investigation over selling phone numbers collected for 2FA

In case you were wondering... yes, Twitter is also shit.

As reported by arstechnica:
Twitter is facing a Federal Trade Commission probe and believes it will likely owe a fine of up to $250 million after being caught using phone numbers intended for two-factor authentication for advertising purposes.
The company received a draft complaint from the FTC on July 28, it disclosed in its regular quarterly filing with the Securities and Exchange Commission, [which] alleges that Twitter is in violation of its 2011 settlement with the FTC over the company's "failure to safeguard personal information."
That agreement included a provision banning Twitter from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers." In October 2019, however, Twitter admitted that phone numbers and email addresses users provided it with for the purpose of securing their accounts were also used "inadvertently" for advertising purposes between 2013 and 2019.
Harvesting phone numbers from users under the auspices of implementing two-factor authentication, and then selling those numbers to advertisers, is not the sort of thing one can do "inadvertently." This is not a mere "oops." What Twitter have done here is to violate the privacy of users, all while promising to protect their privacy; to describe this as a fundamental violation of trust is not even slightly exaggerated.

Of course, that's not all that Twitter have done here. With this one greedy, short-sighted move, Twitter have also thrown suspicion on the entire idea of two-factor authentication. Security experts will tell you that enabling two-factor authentication, or 2FA, on all of your online accounts is the best way to secure them, but that rather relies on the companies that hold our account data to act honestly when we do so.

Consumers were already inclined to suspicion towards these giant corporations, which is why so many of them don't already have 2FA enabled; this boneheaded move by Twitter will not help that situation at all. Somehow, given all the damage they've potentially caused, a mere $250 million in fines doesn't feel like nearly enough of a penalty.