In a complaint against Twitter announced today, the Federal Trade Commission alleged that the company fraudulently used Twitter users’ phone numbers and email addresses, which were collected for security purposes, for other purposes from 2014 to 2019. Users provided phone numbers or email addresses to Twitter for a variety of security purposes, such as two-factor authentication or unlocking an account where Twitter had detected suspicious or malicious activity. Twitter then used this contact information to let advertisers target specific groups of Twitter users, either by matching the phone numbers and email addresses Twitter had collected against advertisers’ own lists of phone numbers and email addresses, or by matching them against marketing lists imported from data brokers. We outline the key points of the case below.
Fraudulent use of phone and email for targeted advertising rather than just for security
According to the complaint, when Twitter requested phone numbers and email addresses from its users in these contexts, it specifically told them that this information was to help secure their accounts, without mentioning targeted advertising. Twitter’s Privacy Policy, by contrast, did mention that it used contact information for advertising:
When you use Twitter, even if you just view Tweets, we receive some personal information from you, such as the type of device you are using and your IP address. You may choose to share additional information with us such as your email address, phone number, address book contacts, and a public profile. We use this information for things like keeping your account secure and showing you the most relevant Tweets, people to follow, events and advertising.
The general and broad claims buried in a lengthy document do not outweigh the more specific and timely statements made to consumers in the very context in which they provide their information—in this case, the statement that contact information was being collected for security purposes. If a company says at the point of collection that consumer information will be used for a specific purpose, consumers should be able to rely on that promise.[1]
The FTC’s recent action against Cafepress[2] is another example of this. In that case, consumers ordering products online had to submit their email address. As detailed in the complaint, a notice above the email address field said, “Email address for notifications and receipt of orders.” The FTC challenged the use of these email addresses for marketing purposes as a deceptive practice as well.
Enforce multi-factor authentication
A new feature of our order against Twitter is the requirement that Twitter allow its users to use multi-factor authentication options that do not require providing Twitter with a phone number, such as mobile authentication apps or security keys.
This provision reflects the growing importance of multi-factor authentication in protecting online accounts.[3] It also benefits users directly: besides being more privacy-protective, because they do not require you to hand over any personally identifiable information, mobile authentication apps and security keys are both more secure than phone number-based multi-factor authentication. Security keys in particular provide a tremendous security benefit to consumers, as they effectively protect against credential phishing attacks, which all too often give an attacker access to a company’s network, as alleged in Cafepress.
A similar requirement appears in our Cafepress order. In Cafepress, an attacker was able to access sensitive customer information, including the security questions and answers used to authenticate accounts—compromising that information for customer accounts on Cafepress and possibly on other sites where the customer had provided the same answers. The order requires Cafepress to stop using security questions and answers and instead use secure multi-factor authentication methods.
In actions against companies for violations of the law relating to privacy or data security, the Commission will continue to seek remedies that make consumers whole and ensure that companies that have misused or failed to protect consumer data put modern safeguards in place so that it does not happen again.
[1] This is a basic principle of consumer protection law. As stated in the FTC’s “Dot.Com Disclosures” guidance:
Consumers are unlikely to read disclosures buried in ‘terms of use’ and similar lengthy agreements. Even if such agreements may be sufficient for contractual or other purposes, disclosures that are necessary to prevent fraud or unfairness should not be subject to them. Similarly, simply because consumers click that they ‘agree’ to a term or condition does not make the disclosure clear and obvious.
FTC Staff Report, .com Disclosures: How to Make Effective Disclosures in Digital Advertising, at 18 (2013), https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-staff-revises-online-advertising-disclosure-guidelines/130312dotcomdisclosures.pdf. See also, e.g., Sears Holdings Management Corporation, FTC Matter No. 082 3099, Docket No. C-4264 (2009), https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-corporate-management-corporate-cases.
[2] Residual Pumpkin Entity, LLC and PlanetArt LLC, FTC Matter No. 1923209 (proposed complaint and consent agreement) (March 15, 2022), https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter. Residual Pumpkin Entity and PlanetArt have at various times done business as Cafepress.
[3] The New York Attorney General recently announced that more than 1.1 million online accounts were compromised in cyberattacks on 17 well-known companies through a technique called “credential stuffing,” in which attackers try to access password-protected accounts by various means, including the use of passwords exposed in previous breaches. Attorney General James stated, “Right now, there are more than 15 billion stolen credentials floating around the Internet…” See https://ag.ny.gov/press-release/2022/attorney-general-james-alerts-17-companies-credential-stuffing-cyberattacks (and see the accompanying guide with tips for businesses on addressing this issue, https://ag.ny.gov/sites/default/files/businessguide-credentialstuffingattacks.pdf).