Showing posts with label Investigation. Show all posts

August 04, 2020

Twitter pulls a Facebook, faces FTC investigation over selling phone numbers collected for 2FA

In case you were wondering... yes, Twitter is also shit.

As reported by arstechnica:
Twitter is facing a Federal Trade Commission probe and believes it will likely owe a fine of up to $250 million after being caught using phone numbers intended for two-factor authentication for advertising purposes.
The company received a draft complaint from the FTC on July 28, it disclosed in its regular quarterly filing with the Securities and Exchange commission [which] alleges that Twitter is in violation of its 2011 settlement with the FTC over the company's "failure to safeguard personal information."
That agreement included a provision banning Twitter from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers." In October 2019, however, Twitter admitted that phone numbers and email addresses users provided it with for the purpose of securing their accounts were also used "inadvertently" for advertising purposes between 2013 and 2019.
Harvesting phone numbers from users under the auspices of implementing two-factor authentication, and then selling those numbers to advertisers, is not the sort of thing one can do "inadvertently." This is not a mere "oops." What Twitter have done here is to violate the privacy of users, all while promising to protect their privacy; to describe this as a fundamental violation of trust is not even slightly exaggerated.

Of course, that's not all that Twitter have done here. With this one greedy, short-sighted move, Twitter have also thrown suspicion on the entire idea of two-factor authentication. Security experts will tell you that enabling two-factor authentication, or 2FA, on all of your online accounts is the best way to secure them, but that rather relies on the companies that hold our account data to act honestly when we do so.

Consumers were already inclined to suspicion towards these giant corporations, which is why so many of them don't already have 2FA enabled; this boneheaded move by Twitter will not help that situation at all. Somehow, given all this damage they've potentially caused, a mere $250 million in fines doesn't feel like nearly enough of a penalty.

April 19, 2018

Reminder: Facebook's fiasco is an international affair

While a lot of the tech media world was focused on Mark Zuckerberg's testimony before the U.S. Congress last week, it's worth remembering that Facebook are facing investigations in multiple countries, on multiple continents. From CBC News:
Senior members of the Facebook leadership team faced a rough ride from MPs at a Commons committee hearing Thursday over their failure to inform more than 600,000 Canadians that their privacy might have been compromised.
For more than two years, Facebook knew that the personal information of thousands of Canadians may have been in the hands of a third party — without their consent, and in contravention of Canadian privacy law. The social media executives offered little explanation as to why the company sat on this knowledge — and only copped to its role in the affair after it was made public in media reports.
[...]
Kevin Chan, head of public policy for Facebook in Canada, offered an apology to Canadians whose profiles might have been compromised. Chan said Facebook was too idealistic — and "naive" — about how its technology is used, and didn't focus enough on abuse.
"What is alleged to have occurred is a huge breach of trust to our users, and for that we are sorry," Chan, ex-policy director for former Liberal leader Michael Ignatieff, told MPs on the House of Commons privacy committee.
Yes, it was a huge breach of trust. It was also a breach of Canada's privacy laws. More to the point, though, it wasn't anything that Facebook haven't done, apologized for, and then done again... and again... dozens of times since the company was founded. Cambridge Analytica was just the final straw, not the first one. And, Mark Zuckerberg's Congressional cakewalk notwithstanding, Facebook's problems seem to be just beginning.

March 21, 2018

Facebook is the problem

I don't think my previous post quite made this clear, but there's a very simple reason why I've been posting about the Cambridge Analytica story here, on my tech blog, rather than over there, at my political blog. It's because the political angle of this never struck me as being the most important part of the story; because the problem here really isn't Cambridge Analytica, per se.

Yes, Steve Bannon was (and probably still is) a real piece of work, and the company to which he was attached did do some very bad things, but Cambridge Analytica didn't do anything that Facebook didn't allow them to do, at the time. Yes, CA scraped waaayyy more data from FB than Zuckerberg's crew expected, and clearly abused it, and then behaved in almost cartoonishly villainous ways, but the real problem is that FB had the data available to sell in the first place.

To get a real idea of how big, and bad, the problem is, consider the following hypothetical scenario:
  1. You "friend" or "follow" your doctor on Facebook. This is useful; it allows you to book appointments more easily, and keeps your doctor's contact info readily available if you need it...
  2. ... and you do need it, because you've just been diagnosed with something that's chronic, serious, and both difficult and expensive to treat. Your doctor mentions a few different medications that he might want you to try, and tells you who makes them, so you...
  3. ... follow those pharmaceutical companies online. After all, they make medications that you're now intensely interested in.
  4. Meanwhile, your doctor has reached out to some of their colleagues via a professional FB group. Your name is never mentioned, of course, just the basic fact that they have "a patient" with a difficult and unusual diagnosis, and they'd appreciate some advice.
  5. Facebook now know (a) your name, (b) your doctor's name, and (c) your interest in companies that make medications to treat (d) the condition that your doctor now also wants advice about, because it's a rare diagnosis and they've never seen an actual case before.
  6. ( a + b + c + d ) = details of your medical history, which you never divulged to anyone, but which Facebook now has in their database, access to which they now sell to...
  7. (e) anyone who might have a financial interest in knowing about the sudden increase in medical bills that you're about to incur. Have you applied for a mortgage recently? Or a job? Or extended medical insurance coverage? Would any or all of those companies maybe appreciate a solid cost-saving heads-up about your circumstance?
This may sound like a far-fetched hypothetical, but it's not. The data that Cambridge Analytica scraped from Facebook's database was of exactly this kind, and you'd better believe that they weren't the only firm to buy access to the data profile that Facebook has built of you, with neither your knowledge nor informed consent, and then sold to God knows who.

This is a problem because data, once sold, can't be un-sold; once Cambridge Analytica had scraped FB's data trove onto their own servers, there was nothing FB could do about it anymore. Do you know how many criminal organizations might have gained access to personal information about Facebook's users, and then re-sold it on the darknet? Because I don't, and neither do Facebook. The fact that they've just recently stopped/are about to stop doing these evil things doesn't begin to un-do all the previous evil they've already done... the effects of which their product's users (i.e. you) will now be living with for years to come, at the very least.

Facebook's fiasco

Did I ever mention that I'm not on Facebook? I did have a Facebook account at one point, but I wasn't using it, so I suspended it years ago, and I never told Facebook all that much about myself. And, oh boy, am I ever glad that I'm not heavily invested in the Facebook ecosystem, because OMG what a fucking mess.

Facebook themselves have been really quiet about the whole Cambridge Analytica situation, to such an extent that I keep seeing articles commenting on how weird the silence of their CEO is, at a time of such crisis for the company, but that hasn't prevented the flood of "how to delete Facebook" articles, the start of the class action lawsuits (from their shareholders, natch, complaining that FB's mishandling of the matter amounts to negligence and is costing their shareholders money), and at least three official investigations from the governments of the United Kingdom, Canada, and the United States. So much for their hopes that an "independent" (yet still internal) audit would be enough to keep the steadily building outrage to manageable levels.

Suddenly, the probably-inevitable failure of their VR adventure (along with everyone else's VR adventures) is looking like the least of Facebook's problems. Mark Zuckerberg has gone from being a rumoured Presidential hopeful just last year, to being a dead CEO walking at the company he himself founded, with CNBC calling for him to step aside and let Facebook COO Sheryl Sandberg take over. And an industry that was built on collecting, and then selling, their customers' private and personal information is suddenly facing the very real prospect that they'll find themselves regulated, and heavily, within the year.

And all I can say is, it's about damn time.

Seriously, the Big Brother nature of Facebook and Twitter creeps me all the way out. I mean, Google might want to collect as much information about you as possible, but they're not literally selling your private deets to companies outside Google, they're not leveraging your contact list to gather information about you without your knowledge or consent, and they're not doing this all behind a black-box wall of obscurity that allows you no visibility or control over the process at all.

My Google account settings have turned all of the data collection off, because Google lets me do that. Google lets you opt out. Facebook doesn't let you opt out, and will collect information about you that you didn't know they could access, all without even asking first. The fact that they're in the business of selling your information to others, and not just advertising services powered by that information, has always been all the way wrong, and crying out for regulation. And, as far as I can see, regulations really can't come soon enough.

And so, the last of the Wild West dot com boomers will be brought to heel, and we will spend the next decade (at least) grappling with the fallout from their recklessness, arrogance, and greed.

In the meantime, here's The Verge's guide to deleting Facebook.