Twitter is pending an investigation by the Federal Trade Commission and is likely to pay a fine of up to $ 250 million after being caught using phone numbers for two-factor authentication for advertising purposes.
The company received a draft complaint from the FTC on July 28, which was published in its regular quarterly filing with the Securities and Exchange Commission. The complaint alleges that Twitter is violating the 2011 agreement with the FTC because the company "did not protect personal information."
This agreement included a provision that forbids Twitter to "mislead consumers about the extent to which it protects the security, privacy, and confidentiality of non-public consumer information, including measures taken to prevent unauthorized access to and from consumer information to comply with data protection decisions. " . "However, in October 2019, Twitter admitted that phone numbers and email addresses that users provided to secure their accounts were also" accidentally "used for advertising purposes between 2013 and 2019.
In the filing, Twitter estimates that the "probable loss range" to which the probe is exposed is between $ 150 and $ 250 million, but adds that "the matter remains unsolved and there is no assurance as to the timing or timing Conditions of can give any final result. "
A common problem
Twitter is not the first social media company to be investigated to exploit users of personal information provided for security reasons. Last year, the FTC imposed a record $ 5 billion fine on Facebook for repeated data breaches.
Facebook not only started sending notifications to the phone numbers provided for 2FA purposes in 2018, it also used these numbers for a shadow profile that connected other people and advertisers to you.
The bulk of the fine related to Facebook's actions in the Cambridge Analytica scandal, but the FTC also included in its allegations the same actions that Twitter is now accused of. Facebook also agreed with the FTC in 2011 on allegations that they had misused user data and it was found that the use of personal data provided to it for security purposes violated this agreement.