Twitter is sometimes lauded for using contextual advertising rather than collecting personal user information for targeted advertising, basing the ads it displays on what the user has already engaged within the walls of the platform. Turns out that picture wasn’t quite accurate, though. The social media platform is fined $150 million by the Department of Justice (DoJ) for privacy breaches that took place from 2013 to 2019, involving the use of account contact details to deliver personalized advertisements.
Twitter’s privacy breaches involved users’ phone numbers and email accounts
Twitter has always required users to provide a valid email address to sign up, and in recent years has begun to periodically require phone number verifications (via text) for “account security”. What users haven’t always been aware of is that these elements have been added to Twitter’s internal personalized advertising system.
This has been a problem with Twitter since its launch in the late 2000s; the company was previously warned of this practice by the Federal Trade Commission (FTC) in 2011 and received an administrative order to stop. The DOJ finds that privacy breaches of this nature resumed from May 2013 to September 2019, as Twitter failed to notify users that this profile information was again included in its targeted advertising systems.
The 2011 FTC order called such data collection a “deceptive act or practice” and clarified that Twitter may not misrepresent its protection of “security, privacy, confidentiality, or integrity” of non-public user data. The current privacy breach complaint was settled by Twitter with an agreement to pay $150 million in fines and implement regular audits of its privacy program as well as other new compliance measures (such as stricter requirements for reporting data breaches to the FTC). It should also offer users alternative secondary means of securing their accounts that do not involve a phone number, such as using a hardware key or a mobile ID app without a password.
Mandatory regulatory disclosure in 2020 revealed that Twitter had been aware of the privacy breaches since at least 2019, but believed they were unintentional and stopped upon discovery, and that the company was willing to pay up to $250 million dollars to settle the case.
Attention, the fines do not seem to be a major prejudice for Twitter
Considering the ultimate amount of the fine, which is only about 13% of Twitter’s quarterly revenue, it’s possible to believe that Twitter didn’t care that much about the consequences of regulatory action. The amount represents just over a dollar for each user of the platform likely to be affected by privacy breaches; Twitter earns far more than that per user each year, not to mention the multi-year breach window.
Ilia Kolochenko, Founder, CEO and Chief Architect of ImmuniWeb, explained why the fine amount ended up being relatively small: “The $150 million settlement is just a small fraction of the record 8 billion dollars from the FTC with Facebook in 2019, also resulting from privacy violations. Likely, the annual revenues and profitability of Twitter were taken into consideration by the FTC when calculating the amount. This settlement is, however, an unambiguous and expressive message that the FTC has been and will continue to regulate privacy in the United States amid fragmented state privacy legislation and the absence of federal privacy law. in Europe or the LGPD in Brazil, the FTC law does not contain direct privacy protection provisions, but is powerful for the police to sanction deceptive or fraudulent commercial practices. oyales: when, for example, a social network misleads its users about how their personal data will be used or protected. It is interesting to know whether privacy-sensitive European regulators, continuing their tough enforcement policy, will start a new investigation into Twitter into the possibly previously unknown facts exposed by this regulation. In the EU, the fine can be significantly higher.
It’s unclear what impact, if any, the privacy breaches could have on Elon Musk’s high-profile bid to take over the company. The sale was not expected to close until late summer at the earliest, and Musk has since shown signs of hesitation about how many bots populate the platform’s user base. The company’s history of breaches and breaches of privacy has not been raised as a potential issue, at least not at this time. Musk has offered a $44 billion price tag for the company, promising $33.5 billion of his own money. But he also “liked” and responded positively to Twitter posts from users suggesting the company’s valuation should be reduced given the number of bots that appear to be impersonating real users.
Musk said Twitter’s privacy breach lie was “worrying” and publicly wondered what else the company might be lying about. Recent history gives reason for suspicion. The breach resulted in privacy breaches for a number of celebrities and high-value accounts, some of which were used in an attempted cryptocurrency scam, but the attackers also leaked screenshots. screen that seem to confirm that Twitter has administrative tools that “shadowban” users. Twitter has long denied the practice of shadowbanning, or removing the scope of content without giving the user any indication it’s happening, to the point that former CEO Jack Dorsey even testified to Congress that it wasn’t. a real thing. However, users have long suspected that this practice occurs, based on various third-party testing techniques.
The settlement is awaiting federal court approval. If it continues, all Twitter users who joined the service before September 17, 2019 will be automatically notified of the settlement and given new options to secure their accounts.