
Twitter faces FTC probe, likely fine over use of phone numbers for ads - samizdis
https://arstechnica.com/tech-policy/2020/08/twitter-faces-ftc-probe-likely-fine-over-use-of-phone-numbers-for-ads/
======
jeremynixon
This is a deep violation that makes every user of 2fa _unsafe_. A mere $250
million? This needs to be the kind of violation that endangers the company.
It's not a mistake or honest error when 2fa phone numbers are used for
advertising. This is malicious. Should be scaled to 100X the amount the
company gained in advertising for the violation.

~~~
noscrewstoyous
You shouldn’t use a phone number for 2fa to begin with, you’d be better off
without 2fa if that’s the only option IMO (assuming you’re using a strong
unique password). This is just more fuel on that fire.

~~~
diabeetusman
2FA with SMS protects against password reuse or leaks. It's my understanding
that SMS is weak against attacks targeted at particular people while being
sufficiently strong for the majority of cases.

~~~
thephyber
SS7 attacks scale better. SIM cloning is a lot of effort just to compromise a
single SMS number.

In general, SMS is better than no 2FA, but it's weaker than OTP/OTH or a token
like YubiKey or Titan.

------
cracker_jacks
> Twitter estimates the "range of probable loss" it faces in the probe is
> between $150 million and $250 million

That's close to 10% of Twitter's annual revenue. How do the likes of Google
and Facebook get away with fines <1% of annual revenue? This seems
disproportionate. I am not taking a position on whether it should be higher or
lower, just that it appears unbalanced.

~~~
gundmc
$150 - 250 MM is more like 4-7 % of revenue than 10% based on their 2019
figure.

~~~
tjoff
Also note that they did this for _seven years_.

It is really hard to grasp how pathetic the modern web is, where this is
commonplace.

~~~
thephyber
What does this have to do with "the modern web"?

The weakness here is both the legal system that allowed it and the regulatory
system that failed to police it for years.

~~~
kulahan
Because the modern web is based entirely around invading the privacy of every
user as much as possible in order to sell their private details to
advertisers. If Twitter's money came from users in the form of subscriptions
or purchases, rather than from advertisers in the form of paid, targeted ads,
this would be _guarded_ information, rather than _shared_.

------
Jordrok
I've always hated giving my phone number to sites, even when it's ostensibly
only for recovery purposes. Even worse are the sites/apps which refuse to let
you make an account without one. I remember Facebook getting busted for the
same thing so this just goes to further confirm my suspicion that this type of
practice is more widespread than most companies would like to acknowledge.

------
anitil
Maybe this is just me being thick, but I still don't have a clear idea of what
they actually did.

Did they send spam SMS? Or were they using the numbers as another data point
for analytics?

------
yelloworangefog
The fine (and others like it) is a meaningless gesture. Unless companies like
Twitter start getting fined in amounts that aren't pocket change to them,
there is literally no incentive to change their abusive behavior. They make
enough from abusing their users and absconding with their data to pay these
paltry fines a hundred times over in most cases.

------
segmondy
Despite all that, their ads are straight up garbage. Either that or I'm very
hard to target. I swear Twitter and Facebook must display random ads to me.
I'm often having to mark it as never show this again because it's so way off
from my interests.

~~~
yelloworangefog
I leave my Adblock off for youtube a fair bit of the time. Not for any sense
of ethical responsibility to help content creators, but because of how
entertaining I find their failed attempts to target me. The ads are so bad,
they’re oftentimes literal scams. I go out of my way to engage with the bad
ads so I’ll get more like them. Luckily screwing with the ad algorithm doesn’t
seem to have too great an effect on the video recommendation algorithm.

------
mercora
Is there any benefit in using the phone network for 2FA besides (IMHO too)
easy recovery in case of loss? Is there an equivalently usable method for
recovery? Recovery codes aren't practical, I guess, because people would keep
losing them too.

Maybe some pseudonymous proof using cryptographic functions of modern
passports could be used somehow without revealing real identity to the
passport issuer too? It should not be possible to know who issued the
pseudonymous identity proof, but it should also only be provable by me...

~~~
gruez
You can outsource it to something like authy, which is still sms based, but
gets disabled if you install their app. They also claim that they can detect
number porting attacks, so that might be marginally better.

> Maybe some pseudonymous proof using cryptographic functions of modern
> passports could be used somehow without revealing real identity to the
> passport issuer too?

You can still lose your passport. It's less likely than losing your phone, but
still. Also, to access the cryptographic functions of a passport, you probably
need a NFC reader, which isn't exactly accessible.

~~~
mercora
> You can still lose your passport. It's less likely than losing your phone,
> but still. Also, to access the cryptographic functions of a passport, you
> probably need a NFC reader, which isn't exactly accessible.

I thought maybe the pseudonymous identity proof could still work after your
passport has been reissued, either because of loss or because of invalidation.
But it's probably not really doable with named constraints. Modern phones are
apparently often equipped with an NFC reader. I think this could be usable
enough for the recovery case.

------
justjonathan
You could not create a new Twitter account without a phone number last week.
(Attempting from US). It rejected my disposable number as invalid too. :(

~~~
Nextgrid
For the past several years they've been constantly suspending brand new
accounts for "security" reasons and requiring a phone number to unlock them,
even if the account wasn't doing anything that looks spammy or suspicious.

When opening a support ticket about it, they claim it was a "mistake" and
offer to unlock the account, but I always suspected it was a disgusting tactic
for harvesting phone numbers, and I guess I was right.

------
NicoJuicy
The government suddenly went active...

TikTok for Tulsa, Twitter for warning labels.

Or did the investigation begin before those events?

------
RandomBacon
Good. Didn't Facebook do the same thing? I don't remember if they were fined
or not.

~~~
tyre
They did and were fined $5bn for privacy violations generally, of which one
part was:

> In addition to these violations of its 2012 order, the FTC alleges that
> Facebook violated the FTC Act’s prohibition against deceptive practices when
> it told users it would collect their phone numbers to enable a security
> feature, but did not disclose that it also used those numbers for
> advertising purposes.

[https://www.ftc.gov/news-events/press-releases/2019/07/ftc-i...](https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions)

------
Khaine
Twitter delenda est

