Twitter apologizes for advertisement gaffe
Location: San Francisco, California, United States
Date Published: October 09, 2019
Social media giant Twitter apologized on Wednesday after it “inadvertently” made use of real phone numbers and email addresses for advertising even though the personal data was provided for account security.
Twitter users’ phone numbers and email addresses — submitted to allow for account authentication — were matched with advertisers’ own data to enable targeted ads.
“When you provided an email address or phone number for safety or security purposes this data may have inadvertently been used for advertising purposes,” Twitter said in an online post.
“This was an error and we apologize.”
None of the user data was shared with partners outside the company, and it was unclear how many people were affected, the San Francisco-based company said.
The issue was fixed in mid-September, Twitter said.
“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,” Twitter said.
Unusually, the company is not proactively contacting customers directly to inform them of the breach.
The company would not say when it discovered the issue but said it had addressed the problem “as of September 17” - 21 days ago. The firm said it was "no longer using phone numbers or email addresses collected for safety or security purposes for advertising”.
Twitter, which has its European headquarters in Dublin, would not confirm whether or not it had notified the Irish Data Protection Commissioner, other than to say it was communicating with regulators “where appropriate”. Under Europe’s General Data Protection Regulation (GDPR), users must be informed if data is used for a purpose other than what it was intended for.
The issue involves a system Twitter offers advertisers whereby they can match their own database of customer email addresses - gathered independently from Twitter - with users on Twitter that use the same email address. The practice - common across social networks - allows for highly targeted advertising designed to reach users who are likely already familiar with the brand or product.
However, what Twitter revealed in its statement on Tuesday was that this email matching was referencing addresses that users had submitted solely for the purpose of enhancing their account security by adding two-factor authentication.
This is a method that adds a second level of security - such as getting a text message with a log-in code - to prevent malicious actors from being able to use a person’s credentials.
In March, Facebook was highly criticized for using numbers and email addresses submitted for two-factor authentication to target advertising. Unlike Twitter, however, Facebook did not consider the behavior to be a mistake.
But, in handing down its record-breaking $5bn fine, the US Federal Trade Commission said Facebook must stop using "the phone numbers it obtained specifically for security” to power its advertising platform.