Given how much of our lives many of us share with our social media followers, you would hope the platforms that are holding our data are taking measures to ensure that any data we do upload is only shared with others according to the permissions we grant. Everyone understands that there is a trade-off involved in posting to social media: if we want to upload personal information and data to the internet, then we have to accept that our privacy can be compromised. It can be easily scraped and used for various business or personal matters.
However, we have a reasonable expectation that the platforms asking for our data will be clear and honest with us about how they will use it, and how other people can potentially use it as well. Many people would think twice about what they put on social media if they didn’t think that the platform in question could look after their data properly.
"We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system," Twitter's announcement reads.
Into the Breach

Since the Facebook/Cambridge Analytica scandal in the aftermath of the 2016 US presidential election, many industry analysts had hoped that we were witnessing a tipping point. Surely, after the biggest social media platform in the world was caught being criminally negligent with user data, with effects that go beyond breaching individual user privacy, things would change.
And yet the torrent of data breaches involving major social media platforms has continued unabated. It still feels as if every other week we are hearing about a new oversight or security lapse that has exposed a huge trove of personal data to the world. Facebook has been involved in a number of such breaches since Cambridge Analytica. Earlier this year it announced that as many as 500 million users could have had their data exposed by a third party.
That’s exactly what Twitter fessed up to yesterday in an understated blog post: the company has been taking email addresses and phone numbers that users provided for “safety and security purposes” like two-factor authentication, and using them for its ad tracking systems, known as Tailored Audiences and Partner Audiences.
Twitter Troubles

When it comes to personal data breaches, Twitter has generally been one of the better platforms. This is no doubt partly due to the nature of the platform – Twitter doesn’t encourage users to upload their entire lives and all associated media to the service in the way that Facebook and others do. Many Twitter users are only sharing text posts or using Twitter to follow other people. On the whole, Twitter has maintained a better reputation than many others in the industry.
However, Twitter is by no means immune from the lapses in judgment that have caused headaches for other platforms. A recent data breach involving Twitter highlights that using any social media platform, or any online service at all, carries with it a certain level of unavoidable risk.
Two-factor authentication is a popular method of adding an extra layer to account security. When two-factor authentication is enabled, users who log in to a service using their account credentials are also sent a link or authentication code that they need to use to confirm the login. This means that even if an attacker has valid login credentials, they won’t be able to access accounts that they shouldn’t.
The authentication message for a 2-FA account is usually sent via email or text message. As a result, using 2-FA requires users to hand over their contact details. Most people prefer to use the SMS-based option because they are more likely to keep their cell phone safe than their email account.
As with other services that provide the 2-FA option, Twitter asks users who want to use it for an associated phone number that confirmation messages can be sent to. When Twitter asks its users for this information, it does so on the understanding that it will only be used for account authentication processes. However, it turns out that Twitter has been sharing this information with advertisers.
Twitter hasn’t exactly been giving people’s numbers out. Instead, they have enabled marketers to compare data they hold with Twitter’s data to look for matches. So, let’s say you signed up for a loyalty card with a particular retailer and gave them your phone number. You then added 2-FA to your Twitter account. Should the retailer in question use one of Twitter’s advertising programs and upload their own list of marketing contact information, Twitter would cross-reference this information and match it with their own records.
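The cross-referencing described above can be audited by tagging every stored contact detail with the purpose it was collected for and letting ad matching see only the records tagged for advertising. The sketch below is an added example, not Twitter's code: the purpose labels, the function names, the sample users and the use of SHA-256 digests of normalized numbers are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

SECURITY = "security"    # hypothetical label: number given for 2-FA messages
MARKETING = "marketing"  # hypothetical label: user agreed to ad matching

@dataclass(frozen=True)
class Contact:
    user: str
    phone: str
    purpose: str  # why the platform collected this number

def digest(phone: str) -> str:
    """SHA-256 of the digits only, so formatting differences do not matter."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return hashlib.sha256(digits.encode()).hexdigest()

def match_audience(records, uploaded_hashes, allowed_purposes):
    """Users whose number is on the advertiser's list, looking only at
    records collected for one of the allowed purposes."""
    uploaded = set(uploaded_hashes)
    return sorted({r.user for r in records
                   if r.purpose in allowed_purposes and digest(r.phone) in uploaded})

def purpose_violations(records, uploaded_hashes, ad_purposes=(MARKETING,)):
    """Users an unrestricted match would reach only through data that was
    not collected for advertising."""
    every_purpose = {r.purpose for r in records}
    unrestricted = set(match_audience(records, uploaded_hashes, every_purpose))
    restricted = set(match_audience(records, uploaded_hashes, ad_purposes))
    return sorted(unrestricted - restricted)

# Constructed sample data (fictional users and 555 numbers).
RECORDS = [
    Contact("alice", "+1 (555) 010-0001", SECURITY),
    Contact("bob", "+1 555 010 0002", MARKETING),
    Contact("carol", "+1 555 010 0003", SECURITY),
    Contact("carol", "+1 555 010 0004", MARKETING),
    Contact("dave", "+1 555 010 0005", SECURITY),
    Contact("dave", "+1 555 010 0005", MARKETING),
]
RETAILER_LIST = [digest(n) for n in (
    "1-555-010-0001", "15550100002", "1 555 010 0003",
    "15550100005", "15550109999")]

if __name__ == "__main__":
    print("unrestricted:", match_audience(RECORDS, RETAILER_LIST, {SECURITY, MARKETING}))
    print("ads only:    ", match_audience(RECORDS, RETAILER_LIST, {MARKETING}))
    print("violations:  ", purpose_violations(RECORDS, RETAILER_LIST))
```

In the sample, alice and carol are reachable only through the number they supplied for 2-FA, which is the situation the article describes; dave gave the same number for both purposes and is matched legitimately.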
While the issue seems to have been resolved as of September 17th, 2019, it is worth noting that Twitter is not the only platform this has happened to. Something similar was found to be occurring at Facebook, with policies only changing in response to public pressure. Both of these issues highlight just how important it is to carefully consider what information you share online and who you decide to share it with.
What makes this case particularly egregious is that online security is very important and social media platforms are often encouraging users to take security more seriously. It doesn’t help matters if, when they do take security seriously, users are punished for it by the incompetence of the business. If you are ever in any doubt about the security of your information, don’t hand it over.
Last Updated on 10th January 2020