
Personal information and ads on Twitter - coloneltcb
https://help.twitter.com/en/information-and-ads
======
danShumway
Virtually the entire security industry agrees that using phone numbers for
account security is an antipattern because of sim-jacking, and yet swaths of
the biggest tech companies in the industry do it anyway.

I recently got locked out of my Amazon account because I made a large purchase
after not ordering anything for ~6-7 months. During the reset process, they
tried really hard to get me to set a phone number 'for account security'. From
what I could tell from their documentation, it's not even just used for 2FA,
it's literally just a way to prove my identity if I need to reset my password.

I refused, and then a few days later Amazon called me up to reconfirm the
order anyway, even though I had never given them my number. Their entire
account recovery process from that point on was based on me having access to
information that was already listed on my account, that the hacker would have
100% had access to. It was all just security theater, literally the only thing
that mattered was I had access to my email and a phone number.

Fastmail (to its credit) allows you to have 2FA without a recovery number, but
it requires you to add a recovery number, activate a real 2FA app, and then
delete the number. At least it doesn't (as far as I know) use the number on
its own for account recovery.

Twitter's _CEO_ got hacked because Twitter trusted phone numbers as identity,
and they _still_ haven't changed the policy, because collecting phone numbers
is fun or something.

In theory, a 2FA over SMS is better than nothing. In practice, it trains
customers to be insecure and should be avoided. It trains customers to think
that identity verification over text is OK. In practice, you can't trust
companies not to use it for advertising, or to start using it as identity
verification in the future. In practice, there are very, very few legitimate
reasons why a company should ever need my phone number, and pretty much none
of them have anything to do with security. 99% of your users should be using a
2FA app instead of a phone number.

Companies like Twitter should be shamed for misusing security information this
way, but they should also be shamed for using insecure authentication methods.
I'm convinced that 5 years from now, we're going to look back at SMS
authentication the same way we looked at serving login pages over HTTP.

~~~
GhostVII
I think it is important to separate out criticisms of 2FA over sms, and
companies who say they have 2FA. I think even in practice 2FA over sms is
definitely better than nothing, it's a lot harder to both guess someone's
password, and put in the work to hijack their phone number. But as you said,
many big tech companies say they have 2FA, when they really are just giving
you two ways of logging in, where one of those ways is incredibly insecure.

It seems crazy to me that recovery numbers are a thing. I mean I'm sure it
helps reduce customer service load, since people just recover over sms rather
than trying to call and get their account re-activated, but it is so insecure.

~~~
danShumway
I am sympathetic to claims that 2FA over SMS is better than nothing, because
_technically_ it is completely true. You're right.

However, as a user, I go back to the idea that I can't think of many companies
I trust to only use my phone number as 2FA and not as identity verification.
So I am skeptical that it is good to train users to trust SMS 2FA, because
those same users will probably not be able to distinguish between 2FA and
identity verification when they sign up for other services. It is better to
teach users a simple rule (never give out your phone number) than a complex
rule (only give out your number for this specific use-case).

The other big thing I just can't get past is that nearly everyone today has a
smartphone that will run a 2FA app, and that even users who don't have a
smartphone would be better served by getting codes delivered to their email.
So sure, it's better than nothing. But there are even better options that
exist that aren't that hard for us to switch to.

In practice, even if you know you're only going to use SMS for 2FA, I now lean
towards saying you shouldn't use SMS at all. Treat email like the backup SMS
option, and just get rid of phone numbers entirely.

Maybe the dynamics of that change for some developing countries? But Twitter,
Facebook, and Amazon all know what country I live in. If they want to offer an
SMS option for India because of some extenuating circumstance I can't think
of, they should still have the good sense to at least discourage SMS
verification for accounts that are based in the USA or Europe.

~~~
laughinghan
> nearly everyone today has a smartphone that will run a 2FA app

What do they do when their smartphone dies? The phone company makes sure your
new phone has the same phone number, but you lose 2FA tokens in apps.

And I have no idea where the recovery codes that I printed on paper are since
I last moved.

> even users who don't have a smartphone would be better served by getting
> codes delivered to their email

But then isn't that just one factor instead of two factors, because both their
password for the service and their email password are just "something you
know"? I'm assuming if they have no cell phone, they don't have a second
factor to secure their email either.

~~~
danShumway
This is a reasonable concern, and users should be aware of the risks behind
real 2FA. But if you really dig into this, it starts to fall apart.

> The phone company makes sure your new phone has the same phone number

This is exactly why 2-factor SMS is insecure. You mention later that email is
something you know, instead of something you have. In the same way, if a
company can transfer my number to a new phone without access to the original
phone, then it's not really something I have.

The ease of number transfers is the problem. The reason why 2FA tokens aren't
stored online and secured with a password is because they are designed to be
something you have, not something you know.

For comparison, switching your number to Verizon only requires information
that you know (account numbers, a SSN)[0], so it's just extra steps around a
less secure password that you can't change or set yourself.

> But then isn't that just one factor instead of two factors

Expanding on the above -- yes, email is often going to be just another account
secured with another password. In practice, hacking two accounts is often
harder than hacking one, and in practice, I suspect breaking into someone's
Gmail account is harder than stealing their phone number. Google offers much
more comprehensive 2FA options than most other companies, and their automated
security alerts also tend to be better.

But there's no reason for us to debate over how secure email is.

The situation we have today with companies like Amazon/Facebook/Twitter is one
where I can _already_ request a password reset without SMS. Companies are
scared of strict 2FA methods because customers get locked out of their
accounts. Very, very few of them are willing to take that risk, so email will
virtually always be an option. SMS is being added on top of that system --
it's not replacing it.

Here's Twitter's account recovery help page[1]:

> If you do not receive anything back, get help with Twitter via SMS or use
> the email password reset option.

So if you consider email to be a weak link in identity verification/2FA,
adding SMS verification as a secondary option alongside email still doesn't do
anything to increase your security. In fact, even if SMS was as secure as
email, forcing you to monitor two authentication methods instead of just one
would still be less secure.

I'm not advocating email is perfect, I'm just advocating that SMS is less
secure than email, and that since companies are already comfortable trusting
email, they can continue to rely on that.

Of course if you really want to set up 2FA to literally be 'something you
have', then you need to accept that things you have can be lost. And if you're
not willing to make that compromise, at least email accounts are harder to
hack than phone numbers, because the most common email providers are probably
more resistant than Verizon to social engineering attacks.

[0]: https://www.verizonwireless.com/support/local-number-portability-faqs/

[1]: https://help.twitter.com/en/managing-your-account/forgotten-or-lost-password-reset

~~~
laughinghan
You know, your reply sounds reasonable, but if you really dig in, it starts to
fall apart.

> Twitter [...] So if you consider email to be a weak link in identity
> verification/2FA, adding SMS verification as a secondary option alongside
> email still doesn't do anything to increase your security.

I agree, and your comment's parent (my comment's grandparent) specifically
went out of its way to agree: "as you said, many big tech companies say they
have 2FA, when they really are just giving you two ways of logging in, where
one of those ways is incredibly insecure."

> switching your number to Verizon only requires information that you know
> (account numbers, a SSN) [...] hacking two accounts is often harder than
> hacking one, and in practice, I suspect breaking into someone's Gmail
> account is harder than stealing their phone number

I think the number of people who go to the trouble of using like, a Yubikey or
something for their Gmail but won't use it for anything else is vanishingly
small. People opting for password + SMS 2FA (NOT the SMS 1FA that let @jack
get hacked) are probably using the same thing for their email.

I'm sure it's true that it's easier to steal someone's phone number than break
into their Gmail account, but afterwards you can go into Verizon's physical
store with your physical government-issued ID and get your phone number back.
That's not an option with a Gmail account.

No one is saying any of these are perfect, and everyone agrees SMS is less
secure than email. The question is whether password + SMS 2FA is less secure
than email 1FA, or whether password + email 2FA with no account recovery
pathway is workable—doubtful, and definitely not.

Let's agree that out of password + SMS 2FA, password + email 2FA, and email +
SMS 2FA, the first one is the weakest link, because SIM-jacking is
terrifyingly easy and people choose terrible passwords. Just for account
recovery, though, email + SMS 2FA still provides security benefits over email
1FA (you can guarantee a second factor, even if it's a weak factor, whereas
you actually have no idea how strongly or weakly their email account is
protected, you're just assuming) and usability benefits over email + TOTP
apps/Yubikeys/paper backup codes.

~~~
danShumway
> Just for account recovery, though, email + SMS 2FA still provides security
> benefits over email 1FA

Agreed, but I can't think of a single company, anywhere, that offers what
you're talking about. Everyone offers SMS and email as separate options, both
of which separately unlock your account.

If either Twitter, Facebook, Amazon, or Facebook required _both_ email and SMS
access to recover an account, I'd agree that there could be some value there.
But (to the best of my knowledge) they don't. So the debate over whether or
not SMS verification is better than nothing is hard for me to indulge, when
(again to the best of my knowledge) virtually no company is using SMS account
recovery in a way that provides real value over 1FA email.

Maybe Lyft is an example? But the last time I used Lyft, I'm pretty sure I
could get access to my account with only my phone, no password/email required.
I'm not 100% sure Lyft even requires an email to sign up.

> That's not an option with a Gmail account.

I've never been in this scenario, so I'll have to take your word for it, but
this seems strange to me. Could I really not fax or mail a government ID to
Google to get access to my account?

Assuming this is right though, we again run into the same problem.

I lose access to my password and email. Is a company comfortable letting me
reauthenticate with only an SMS message?

If yes, then we have 1-factor authentication over pure SMS.

If no, then we have to be comfortable with the idea that losing your
email/password might mean losing your account, or going through a complicated
recovery process involving government IDs.

~~~
laughinghan
> I can't think of a single company, anywhere, that offers what you're talking
> about

I think you're right. I thought Vanguard or my bank did, but no, it's email
_or_ SMS plus personal info like SSN, birthdate, zipcode (LOL, information
that no one has on me, thanks Equifax!).

> Could I really not fax or mail a government ID to Google to get access to my
> account?

To what address? Just plop it down at 1600 Amphitheatre Pkwy? I've never heard
of Google offering any account support whatsoever for a free private Gmail
account, have you?

I do personally know people who have just given up on accounts they lost
access to (they claim they didn't forget the password) and just created a new
Gmail account. Not the _most_ technically literate person, but still, that's
who support is supposed to be for. But it's a free service, so.

> then we have to be comfortable with ... going through a complicated recovery
> process involving government IDs

What? The whole point I've been trying to get across is that unlike TOTP or
email, you can get your phone number back through a "complicated recovery
process involving government IDs", which is an _advantage_. That's not a
tradeoff to be comfortable with, that's an upside.

> I lose access to my password and email.

Why would we design for this? Unless there's a particular reason to think
password and email are likely to be lost simultaneously (which I can't think
of, unlike say, smartphone TOTP app + phone number), then we should either
design for losing any combination of 2 auth methods, or not worry about
combos.

By contrast, to me it could make sense to design a system so that you can lose
any 1 of 3 things but still be able to log in with the remaining 2
(e.g. password, email, phone number). But you're right that most services are
effectively just email 1FA, and many are SMS 1FA too which we all agree is
utterly broken.

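The two recovery designs argued over above (email or SMS each unlocking the account on its own, versus requiring any 2 of password, email and phone) can be compared mechanically. The following is an added example, not code from any company in the thread; the three factors and the three policies are constructed to match the discussion.

```python
"""Account-recovery policies from the thread, as a checkable model.

Added example, not code from Twitter or any company in the thread. It
compares the common design, where email OR SMS alone resets an account,
with the "lose any 1 of 3, recover with the remaining 2" design, by
enumerating which factor sets are sufficient for recovery.
"""
from itertools import combinations

# The three things a user can hold (constructed, following the thread).
FACTORS = ("password", "email", "phone")


def any_channel_policy(proved):
    """Common design: proving control of email OR phone alone resets
    the password, so each channel is effectively single-factor."""
    return bool(set(proved) & {"email", "phone"})


def email_only_policy(proved):
    """Email-reset-only design ("email 1FA" in the thread)."""
    return "email" in proved


def two_of_three_policy(proved):
    """Require any two of password/email/phone; losing one still works."""
    return len(set(proved) & set(FACTORS)) >= 2


def sufficient_sets(policy):
    """Minimal factor sets an attacker would need to hold to satisfy the
    policy, smallest first. Supersets of an already-sufficient set are
    omitted, so the result is the policy's weakest links."""
    minimal = []
    for size in range(1, len(FACTORS) + 1):
        for combo in combinations(FACTORS, size):
            held = frozenset(combo)
            if policy(held) and not any(m <= held for m in minimal):
                minimal.append(held)
    return minimal


def survives_loss(policy, lost):
    """Can the legitimate user, having lost the factors in `lost`, still
    recover with the ones that remain?"""
    remaining = set(FACTORS) - set(lost)
    return policy(remaining)


def compare_policies():
    """Summary: for each policy, its weakest links and whether the user
    survives losing any single factor or any pair of factors."""
    report = {}
    for name, policy in (("any_channel", any_channel_policy),
                         ("email_only", email_only_policy),
                         ("two_of_three", two_of_three_policy)):
        report[name] = {
            "weakest_links": [sorted(s) for s in sufficient_sets(policy)],
            "survives_any_single_loss": all(
                survives_loss(policy, {f}) for f in FACTORS),
            "survives_any_double_loss": all(
                survives_loss(policy, set(pair))
                for pair in combinations(FACTORS, 2)),
        }
    return report


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(name, row)
```

Running it shows the trade-off the thread circles around: the any-channel design has single-factor weakest links (`email` alone, `phone` alone) but survives losing any two factors, while the 2-of-3 design has no single-factor weakest link but cannot recover a user who has lost two factors at once.
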
------
soulofmischief
> safety and security purposes

I tried making a Twitter two months ago because I was having trouble with my
phone and needed to access T-Mobile's social media-only support team.

Within five minutes of making the account, I was banned for "suspicious
activity" and required to enter my phone number "for security purposes". But
the only reason I made the account is because my phone wasn't working...

Emailed support and was told that they could not make an exception for me
because I had broken some vague unnamed rule. Then I said the magic words,
_"This is clearly a ploy to collect phone numbers for data aggregation
purposes,"_ and within the next 24 hours my account was unlocked, accompanied
by a very salty and accusatory email.

~~~
paranoidrobot
Twitter isn't alone in this sort of invasive activity.

I have family and friends that share photos on their private Instagram
accounts and nowhere else. I didn't have an account, so I installed the app on
my phone, signed up, verified email and mobile number, and followed the family
accounts.

The next day I open the app only to be prompted to log in again, which it
won't accept (password stored in a password manager). A few minutes later an
email arrives from Instagram saying that my account has been locked due to
suspicious activity and demanding that I provide a photo of myself holding
government issued ID. Their helpdesk refuses to do anything until I do.

~~~
woutr_be
After the whole Blizzard and Hong Kong incident yesterday, I tried to delete
my Blizzard account. Despite having never submitted a copy of my ID, they're
now asking for one to verify that this is indeed me.

I keep wondering, how will they be able to verify? I didn't use my real name,
I used a throwaway email address. So why do they need my ID? I could submit
any ID I want, they still wouldn't know it's me. This to me just sounds like a
ploy to gather government issued information, to delete my account from a
stupid game...

During log in, they already verified I own the email, by allowing me to sign
in with password and email, and then input a code sent to said email address.

~~~
esnard
Did you ever buy anything on their platform?

If so, is it possible they have access to your name via your past money
transactions?

~~~
woutr_be
Don't think I ever bought anything, think I only used it for Hearthstone.

------
verst
Surprisingly the tailored audience targeting had very few tests and
certainly no end to end tests when I was there. Once the whole targeting /
matching pipeline was down for 3 days and nobody noticed (I uncovered this)

Honestly, I wouldn't be surprised if the pipeline was set up wrong to match
against the wrong field. These matching pipelines are just Hadoop jobs
(written in Scalding (a Scala library for Cascading) and orchestrated /
scheduled by Apache Aurora).

Internally Twitter generally operated the way you would expect them to as an
external user. User data and privacy was taken seriously and no data was given
to third parties etc.

Source: I worked at Twitter in 2015 as an engineer on ads (on the programmatic
ad buying side and partner integrations).

~~~
sofaofthedamned
If Twitter didn't distinguish between phone_2fa and phone_identifier then they
really shouldn't be in business.

~~~
verst
I don't recall how user data was stored or accessed, but I'm certain there
will have been separate fields, or at least a flag indicating whether the
person opted out from being targeted by their phone number.

That being said, it will have been incredibly easy for a single engineer to
make this mistake (code review probably should have caught it? But maybe it
looked just close enough to the right data source), and it would have been
extraordinarily difficult to discover.

~~~
sofaofthedamned
Not a chance. It's never a single engineer, code gets the PR checked by
another engineer and the Jira will be specific with any PII, probably written
by committee, all of whom know the importance of the data. Don't conflate this
crap with blaming a single nebulous engineer.

I've not worked in years at a place that wouldn't understand the importance of
PII. Not that it doesn't happen, but let's not mince words here - this was
wilfully done.

~~~
tidepod12
Your comment made me audibly laugh at the notion that most companies would
have a committee checking PR and Jira tickets for PII. I've worked at plenty
of companies, even ones at the scale of Twitter and larger, that don't
approach _anything even remotely close_ to that level of sophistication. I've
seen audits uncover _precisely_ what the GP comment is talking about. IME,
it's not at all uncommon for someone to send an email saying "hey can I get a
dump of usernames and phone numbers" and some naive engineer dumps it into a
CSV file and sends it to whoever. Hell, most of the places I consulted at
don't even consider phone numbers to be protected PII.

I don't mean to defend Twitter in any way, but I could easily see this being
an oversight or a mistake.

~~~
danShumway
I bet if we could get a hard percentage of companies that have strict access
rules for engineers around even just sensitive data in general, let alone PII,
that would easily be <50%.

It's entirely feasible to me that this was a mistake; I think people who
assume this was deliberate are ironically putting _more_ trust in tech
companies than they should.

Most of the world is being held together by duct tape, fastened by people who
don't understand the systems they're fixing or maintaining. I don't think that
tech companies are an exception to that rule.

------
jsnell
Obviously writing an ads targeting system wasn't an accident. But why did it
end up using data it wasn't supposed to? It seems unlikely that it was
expressly written to work against data they weren't supposed to use for that
purpose. It's much more likely that they had multiple data sources for email
addresses and phone numbers, and had cross-contamination between the data
sources.

E.g. maybe they at some point had dozens of databases for user data, all
maintained by different teams and grown organically. And then had a big effort
to merge them into a single system with a rationally designed schema. And
maybe they ended up coalescing all phone numbers of each user from all sources
together, with some kind of annotations for why each phone number was
collected. And then it's very easy for somebody to screw up the code that's
supposed to filter out security-only phone numbers when ingesting data into
the ads targeting system.

The above was a totally theoretical scenario, but it should be easy to come up
with lots of other ways for this to happen by mistake rather than
intentionally. Don't think companies make these kinds of mistakes? Both
Facebook and Google had issues with plaintext passwords this year. And it
should be obvious that neither had anything to gain from that.

~~~
opencl
Twitter has _exactly one_ source of users' emails/phone numbers - the user
providing them.

~~~
phs318u
Sorry but I’m not clear what point you’re trying to make. I may provide a
phone number for the express purpose of securing my account but that doesn’t
mean I’ve authorised use of that data for marketing. Users are not liable for
a company’s misuse of their data (which in this instance is possibly in
contravention of Twitter’s privacy policy).

~~~
opencl
The point I'm trying to make is that nobody authorized the use of their data
for marketing. As far as I'm aware the only phone numbers they have are ones
submitted for 2FA purposes, I don't see how they could have possibly
accidentally mixed them up with some other source of phone numbers.

If there is some sort of opt-in to use your phone number for ad targeting
purposes they have done an incredibly good job of hiding it in the UI.

~~~
itronitron
They seem to have been allowing the use of phone numbers as a search parameter
when matching result sets for their 'trusted partners', which means they are
revealing user's phone numbers without technically _giving_ the phone numbers
to the trusted partners. Very poor OpSec as it allows an advertising partner
to further segment its proprietary database with users' twitter profiles (how
much data is available there, public or private, I don't know.)

I have a hard time believing that Twitter didn't know this.

------
AndrewStephens
> We recently discovered that when you provided an email address or phone
> number for safety or security purposes (for example, two-factor
> authentication) this data may have inadvertently been used for advertising
> purposes, specifically in our Tailored Audiences and Partner Audiences
> advertising system.

Nice use of passive voice there, mofos.

~~~
i_am_nomad
They should just take it one small step further and blame it on the data
itself. “We discovered that telephone numbers had synced up with advertising
profiles. Twitter regrets that the data correlated in this manner.”

------
jchw
Didn’t this almost-exact same thing happen with Facebook? It’s funny how
frequently these kinds of “accidents” happen. They seem to occur with the
kinds of frequencies that you might hear a manager or developer say something
like, “meh, what’s the worst that could happen?”

~~~
throwaway_bad
I am still waiting for the same article to be written about google so they can
fix their shit too.

I got phone calls from google cloud platform even though I am certain I didn't
give them my number. They even managed to find my real name even though the
only place I used it was for the payment method in the billing account, with a
fake name on the google account. This is way too much information to give to
their internal sales reps.

~~~
bduerst
You don't need to. If you've ever filled out a form anywhere online to access
an article, it's likely you opted in to having your data sold to broker
agencies, who sell it for lead gen. The same goes for magazine subscriptions,
credit card applications, even debt collectors, etc.

------
musicale
At least Twitter is admitting that information collected for one purpose (two
factor authentication, account recovery) should not be used for another
unrelated purpose (advertising and use by "business partners.")

~~~
t0astbread
"At least Twitter is admitting that they've heard of the concept of privacy"

------
sofaofthedamned
" we have addressed the issue that allowed this to occur and are no longer
using phone numbers or email addresses collected for safety or security
purposes for advertising. "

Does this mean the matches they've already made on these identifiers are still
active?

~~~
itronitron
Any advertiser that made the match previously will likely have that stored
somewhere and will also probably have that identified with the twitter handle,
so yeah those identifiers are still active, just not within Twitter.

------
magicalhippo
Raise hands everyone who's surprised by this...

They say they inadvertently did it, which may be true. But if they have the
data it can be abused.

Goes for all those "omg think of the terrorists" data collection plans as
well.

------
oneepic
Say what you want about the morals of their data collection practices, but at
the very least they found it, deemed it inappropriate, removed it (hopefully),
and apologized.

~~~
hazelnut
Agree, I think that's the only good thing here.

------
throwaway_bad
On twitter/fb, people can look up your account by phone number. This is really
fucking stupid because I only added my phone number for two factor
authentication. So now I have to choose between security or people finding my
dumb throwaway accounts.

~~~
spsful
You can disable this functionality in the privacy settings for Twitter-- not
sure if Facebook allows it, though. Either way I totally agree that it's a
dumb feature to have turned on by default.

------
cascom
I get so annoyed by restaurants that want my phone number - even takeout, “so
they can let me know my food/table is ready” even worse are the stores that
don’t offer paper receipts, want a receipt provide an email or phone number...

------
kilolima
I don't understand why people use Twitter to begin with. It's what, 160
characters of text per tweet, right? But to load the webpage, it wants
kilobytes or even MBs of data in scripts and media objects, and it doesn't
even work with JavaScript or media disabled. To simply show a text message!
There's no graceful failsafe mode to display a few bytes of text! This makes
one conclude that Twitter is a data gathering and marketing business disguised
as a messaging platform. Anything they do as a company should be very, very
suspect.

------
andresf
"...in an effort to be transparent, we wanted to make everyone aware" The fact
that the company published this hidden in the help site speaks of how little
commitment to that oath they actually have. It doesn't even have a date! If
you read the reference to "As of September 17, we have addressed the issue"
you don't know when it happened. I guess it might be industry practice, I
don't know, but still... it leaves a great deal to be desired for an
apology.

------
munchbunny
I imagine some PM and engineering team on the marketing product realized that
the phone number was available in the user's database entry, and so... why not
expose it indirectly for marketing? It'll make a ton of money!

This is exactly why I am a huge fan of the "privacy by design" parts of GDPR
and the fact that the regulation places a heavy emphasis on _how the data is
used_ in addition to who sees it. It has helped to crystallize the discussion
about privacy as not just "what data" but "data + usage".

I like that engineers are increasingly required to think about not just what
the data is but also how it's being used. When the act of connecting data
sources has ethical impact, engineers can't be agnostic.

------
Razengan
This should really be taught as a fundamental rule of modern human society by
now:

Any information that you provide to any company or government _will_ be
“misused.”

------
turdnagel
Sure, I guess the column was named "twitter_mobile" instead of
"twitter_mobile_2fa".

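jsnell's theoretical scenario above (contact details coalesced from many sources, annotated with why each was collected, and a broken filter at the ad-targeting ingest), munchbunny's "data + usage" point, and the column-naming joke just above all describe the same defensive control: the purpose an identifier was collected for has to travel with it, and the matching pipeline has to enforce it. The following is an added example and is not Twitter's code or pipeline; the `Purpose` tag, the hashed audience index, the sample users and the advertiser upload are all constructed for illustration, and `enforce_purpose=False` exists only to reproduce the failure mode the page describes.

```python
"""Purpose-tagged contact identifiers and an audience-matching ingest filter.

Added example, not Twitter's code. It models the scenario discussed in the
thread: phone numbers and emails from every source are coalesced into one
store with an annotation saying why each was collected, and the ad-targeting
ingest must drop anything collected only for security. `enforce_purpose=False`
reproduces the failure mode where that filter is missing.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    SECURITY = "security"    # 2FA / account recovery; never matchable
    MARKETING = "marketing"  # user explicitly opted in to ad matching


@dataclass(frozen=True)
class Identifier:
    user_id: int
    kind: str        # "phone" or "email"
    value: str       # as entered by the user
    purpose: Purpose


def normalize(kind, value):
    """Canonical form so an advertiser's "+1 555..." matches "1555...".
    The 10-digit -> US rule is a constructed simplification."""
    if kind == "phone":
        digits = "".join(ch for ch in value if ch.isdigit())
        return "1" + digits if len(digits) == 10 else digits
    if kind == "email":
        return value.strip().lower()
    raise ValueError(f"unknown identifier kind: {kind}")


def hash_identifier(kind, value):
    """Advertiser lists and the index are compared on hashes, so raw
    identifiers are never handed to the matching side."""
    return hashlib.sha256(f"{kind}:{normalize(kind, value)}".encode()).hexdigest()


def build_audience_index(identifiers, enforce_purpose=True):
    """hash -> user_id index used to match uploaded marketing lists.
    Only MARKETING-purpose identifiers belong here; with the flag off,
    security-only numbers become matchable (the bug described on the page)."""
    index = {}
    for ident in identifiers:
        if enforce_purpose and ident.purpose is not Purpose.MARKETING:
            continue
        index[hash_identifier(ident.kind, ident.value)] = ident.user_id
    return index


def match_advertiser_list(index, uploaded):
    """uploaded: iterable of (kind, raw_value) rows from an advertiser.
    Returns the set of user ids whose hashed identifier appears in the index."""
    hashes = (hash_identifier(kind, raw) for kind, raw in uploaded)
    return {index[h] for h in hashes if h in index}


# Constructed sample data: user 1 gave a phone number only for 2FA.
SAMPLE_IDENTIFIERS = [
    Identifier(1, "phone", "+1 (555) 010-0001", Purpose.SECURITY),
    Identifier(2, "email", "Opted.In@Example.com", Purpose.MARKETING),
    Identifier(3, "phone", "+15550100003", Purpose.MARKETING),
]
ADVERTISER_UPLOAD = [
    ("phone", "15550100001"),
    ("email", "opted.in@example.com"),
    ("phone", "+1 555 010 0003"),
]


def demo():
    """Returns (matched user ids without the purpose filter,
                matched user ids with it)."""
    leaky = match_advertiser_list(
        build_audience_index(SAMPLE_IDENTIFIERS, enforce_purpose=False),
        ADVERTISER_UPLOAD)
    correct = match_advertiser_list(
        build_audience_index(SAMPLE_IDENTIFIERS), ADVERTISER_UPLOAD)
    return sorted(leaky), sorted(correct)


if __name__ == "__main__":
    print(demo())  # ([1, 2, 3], [2, 3]) under the constructed data
```

The point of keeping `purpose` on the identifier rather than in a separate table (or implied by a column name) is that the ingest code cannot read a number without also seeing why it was collected, and a reviewer can check the one `if` that gates the index. A test that asserts user 1 is never matchable is the kind of end-to-end check verst says the real pipeline lacked.
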
------
troydavis
To see which Twitter advertisers are targeting you (by email address, phone
number, mobile device ID, or Twitter username), go to
[https://twitter.com/settings/your_twitter_data/audiences](https://twitter.com/settings/your_twitter_data/audiences)
and click "Request advertiser list."

Opt out on
[https://twitter.com/personalization](https://twitter.com/personalization)

(details and screenshot:
[https://twitter.com/simpleoptout/status/1178290986868297729](https://twitter.com/simpleoptout/status/1178290986868297729))

~~~
llamataboot
huh, I wonder if there is a way to get the audience segments? It says I'm part
of over 2500 audiences, but currently being targeted by 0 advertisers.

------
diveanon
Recently Google started prompting me to use my phone to confirm logins every
time using my phone.

I went through the recovery process just to make sure that I would be able to
access my account and was asked the month and year I opened my gmail account.

I have had my gmail for 17+ years and I have no idea when I opened it, and now
if I ever lose my phone I will be locked out of my account.

Does anyone know where I can see when I opened my account?

I travel year round and rarely keep a phone number for more than a few months,
2FA has increasingly become a problem for me as more and more companies force
it on me. Paypal for instance is completely unusable for me, I have been
locked out of my own account numerous times.

~~~
hamandcheese
You could check the date if you still have the "Welcome to gmail" email that I
assume was sent.

------
product50
I mean, when Facebook came out with a similar admission last year, Twitter
should have at least checked that they weren't doing a similar thing. But I
guess that would have made them culpable had they discovered the same issue.
So, just wait out till some employee "accidentally" discovers it!

Twitter would go head over heels trying to remove that one field from their
sign up flow to improve the funnel. In fact they will copy what their
competitors are doing to understand things better. But when it comes to
security or using data, anything goes unless they absolutely have to address
it for legal/compliance reasons.

Just the state of affairs of tech companies these days.

------
teddyuk
Twitter asks for a phone number for security and then sends SMSes to tell you
you have a direct message or to wish you a happy birthday.

Twitter know it is a rubbish security system but they do it as it is another
channel to send their garbage

~~~
johnisgood
It is also funny because providing a phone number is initially optional. It
becomes mandatory when someone tries to log in to your account and fails a
couple of times. Your account gets suspended (reason: suspicious activity)
until you provide a phone number. Bullshit system that is unfortunately
popular.

------
meowface
Did anyone else genuinely laugh out loud while reading this? It's so devoid of
useful information (we don't know how this happened or at least won't tell
you, and we don't know who is affected or how many people are affected) other
than "it was an accident". It's just so ridiculous.

I do believe them that they don't know who was affected and that this probably
wasn't approved by the top brass (in that sense being a kind of accident), but
that doesn't speak well to their technical or legal competence.

------
6cd6beb
I don't understand; isn't this literally the point of running a free service?
Harvesting data and using it for marketing purposes?

~~~
dave5104
In this case, Twitter was lying (or more generously, not being entirely
truthful) with what they were using the data for. Some users may have chosen
_not_ to give up their phone number or email if they had known it would be
used for advertising in addition to account security.

~~~
icedchai
When signing up for a "free" service, I basically assume all data entered will
be used for advertising / marketing purposes. This is a safe assumption to
make.

~~~
TeMPOraL
It's why I love GDPR. Since it requires explicit, opt-in consent, I can just
register or visit a site and don't worry much - abuse of my data is a bigger
risk to the service than it is to me.

~~~
icedchai
Sounds good on paper. Reality is GDPR isn't going to stop an "error" from
happening.

------
dang
I don't like these corporate press release titles either but the submitted
title, "Twitter misused phone numbers and e-mail to target advertising", seems
tendentious. What's an accurate, neutral title we can use above?

~~~
cwkoss
"misused" seems to be the only word with affect, but seems consistent with and
descriptive of the facts in the press release. I don't think "Personal
information and ads on Twitter" is very descriptive - I prefer the previous
title.

------
riffic
[https://help.twitter.com/en/managing-your-account/how-to-dea...](https://help.twitter.com/en/managing-your-account/how-to-deactivate-twitter-account)

------
chasing
This sort of shitty behavior will not change until it becomes expensive.

------
hayksaakian
"When an advertiser uploaded their marketing list, we may have matched people
on Twitter to their list based on the email or phone number the Twitter
account holder provided for safety and security purposes. This was an error
and we apologize."

This doesn't happen accidentally, someone had to engineer, test and build a
system that performed reliable targeting.

~~~
bengotow
Yeah this is hilarious. I feel like tech companies get away with this because
the internet is more "mysterious".

This is no different than a chemical plant "accidentally" building a conduit a
quarter mile and dumping waste into a river. Of course they know.

~~~
shsjxjbsbs
You really don’t think that a chemical company dumping waste into a river is
worse than using phone numbers to target ads? Deep in your heart of hearts?
Are you _sure_ you don’t have an axe to grind against tech companies and
perhaps that’s clouding your moral calculus?

~~~
55555
He wasn't saying they are just as bad as one another, he was saying the
excuses are just as unbelievable.

------
qwerty456127
Whatever information they already have, I don't mind them to use to target
advertising. I just don't want them to share it with anybody and I'd like them
to have as little information as possible. Does anybody care about ads
actually? It obviously is desirable to see none yet if I am shown some I don't
care if it's targeted. I would only care about somebody tracking me and
leaking data about me to other parties.

------
dudul
[http://www.quickmeme.com/img/b3/b3a10abef396f68423bc6a60d2bb...](http://www.quickmeme.com/img/b3/b3a10abef396f68423bc6a60d2bbf40cb78298afa309f51c76c94130124b681c.jpg)

------
whytai
Is this against GDPR?

~~~
jacquesm
That's a rhetorical question I hope? In case it isn't: yes, that's against the
GDPR, which requires that when data is collected the purpose of the collection
is stated and consent is obtained for the use of the information for that
purpose. No consent -> violation of the law.

~~~
twanvl
This is not entirely correct, GDPR does not necessarily require consent, see
[https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#II_Principles)

However, you are right in saying that this violates the GDPR, because the data
was collected for a different purpose, and using it for another reason like
advertising is not allowed.

~~~
jacquesm
In this context it does.

------
secfirstmd
Wonder will they be hit under the GDPR for this...hopefully...

------
jacquesm
That bloody rogue engineer again? What is it with that person. Job hopper too,
first Volkswagen, then Facebook and now working at Twitter. That's what you
get for skipping reference checks.

------
pezo1919
Ok, so what about GDPR now? Now every EU citizen can sue Twitter?
Compensation?

I am totally fed up with GDPR, its expectations of small/micro companies and
the false sense of security it gives to users.

SHAME on Twitter, shame on Fb, shame on stupid EU.

------
avocado4
Why would somebody ever give their phone number to Twitter, Facebook, or any
other service for that matter? You lose anonymity when you give away your
phone number.

~~~
opencl
You can't make a Twitter account without a phone number. Well you technically
can, but it will be instantly banned upon creation until a phone number is
provided.

~~~
avocado4
I've had a Twitter account for years (to contact customer support). They keep
asking me for a phone number but I never provide it. I never got banned.

~~~
opencl
This is a recent-ish change that only applies to new accounts.

~~~
avocado4
I still don't get it, I just signed up for a new Twitter account and didn't
have to provide a phone number. Was there an official policy change from
Twitter? Do you have a link?

~~~
opencl
As far as I'm aware there was never any sort of official policy announcement.
They just started banning any new account without a phone number a few minutes
after creating it at some point. I personally experienced it a couple of times
and there was a big thread about it on here a few months ago[1]. Maybe they
changed it back again?

[1]
[https://news.ycombinator.com/item?id=19487304](https://news.ycombinator.com/item?id=19487304)