Twitter has disclosed it’s facing a potential fine of more than a hundred million dollars as a result of a probe by the Federal Trade Commission (FTC), which believes the company violated a 2011 consent order by using data provided by users for a security purpose to target them with ads.
In an SEC filing, reported on earlier by The New York Times, Twitter revealed it received the draft complaint from the FTC late last month. The activity the regulator is complaining about is alleged to have taken place between 2013 and 2019.
Last October the social media firm publicly disclosed that it had used phone numbers and email addresses, which users had provided to set up two-factor authentication and bolster the security of their accounts, to serve targeted ads. It blamed the SNAFU on a tailored audiences program, which allows companies to target ads against their own marketing lists.
Twitter found that when advertisers uploaded their own marketing lists (of emails and/or phone numbers), it matched users to data they had submitted purely to set up two-factor authentication on their Twitter accounts.
“The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter writes in the SEC filing. “The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million.”
“The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” it adds.
We’ve reached out to Twitter with questions. Update: A company spokeswoman said it had nothing to add outside this statement:
“Following the announcement of our Q2 financial results, we received a draft complaint from the FTC alleging violations of our 2011 consent order. Following standard accounting rules we included an estimated range for settlement in our 10Q filed on August 3.”
The company has had a torrid few weeks on the security front, suffering a major security incident last month after hackers gained access to its internal account management tools, enabling them to access accounts of scores of verified Twitter users, including Bill Gates, Elon Musk and Joe Biden, and use them to send cryptocurrency scam tweets. Police have since charged three people with the hack, including a 17-year-old from Florida.
In June Twitter also disclosed a security lapse may have exposed some business customers’ information. It was forced to report another crop of security incidents last year — including after a researcher identified a bug that allowed him to discover phone numbers associated with millions of Twitter accounts.
Twitter also admitted it gave account location data to one of its partners, even if the user had opted out of having their data shared; and inadvertently gave its ad partners more data than it should have.
Additionally, the company is now at the front of a long queue of tech giants pending enforcement in Europe, related to major GDPR complaints — where regional fines for data violations can scale to 4% of a company’s global annual turnover. Twitter’s lead data protection regulator, Ireland’s DPC, submitted a draft decision related to a probe of one of its security breaches to the bloc’s other data agencies in May — with a final decision slated as likely to land this summer.
The decision relates to an investigation the regulator instigated following yet another major security fail by Twitter in 2018 — when it revealed a bug had resulted in some passwords being stored in plain text.
As we reported at the time, it’s pretty unusual for a company of such size to make such a basic security mistake. But Twitter has a very long history of failing to protect users’ data — with additional hacking incidents all the way back in 2009 leading to the 2011 FTC consent order.
Under the terms of that settlement Twitter was barred for 20 years from misleading consumers about the safety of their data in order to resolve FTC charges that it had “deceived consumers and put their privacy at risk by failing to safeguard their personal information.”
It also agreed to establish and maintain “a comprehensive information security program,” with independent auditor assessments taking place every other year for 10 years.
Given the terms of that order, a fine does indeed look inevitable. However, the wider failing here is that of U.S. regulators — which, for over a decade, have failed to grapple with the exploitative, surveillance-based business models that have led to breaches and security lapses by a number of data-mining adtech giants, not just Twitter.