back to article Twitter: No, really, we're very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users. The social networking giant on Tuesday admitted to an "error" that let advertisers have access to the private information customers had given Twitter in order …

  1. Shadow Systems Silver badge

    Meteor, smoking crater, Twitter HQ.

    Another one for Zuck & FaceBook, Google & SatNad, Pai...

    Oh hell, I'm having fantasies of Total Extinction Events again. I'll go take my frog pills.

    =-J

    1. Long John Brass Silver badge
      Joke

      Re: Meteor, smoking crater, Twitter HQ.

      You bastard; Frogs are endangered dontcha know

      1. Shadow Systems Silver badge
        Joke

        Re: Meteor, smoking crater, Twitter HQ.

        The French are endangered? =-DP

        *Runs like hell*

        1. Fungus Bob Silver badge

          Re: Meteor, smoking crater, Twitter HQ.

          They smoke too much.

          1. Shadow Systems Silver badge
            Joke

            Re: Meteor, smoking crater, Twitter HQ.

            Of course they smoke, that's a symptom of having been set on fire. Duuuuhhhhh. =-)P

            *Hopes no French people are coming after me with pitchforks & tar, the tar makes my frog pills taste funny*

            1. Anonymous Coward
              Anonymous Coward

              Re: Meteor, smoking crater, Twitter HQ.

              French here. We surrender!

    2. Teiwaz Silver badge

      Re: Meteor, smoking crater, Twitter HQ.

      Sit back, relax and enjoy it,

      It's very therapeutic.

      ...Breath in and out evenly and regularly, allow the site of the salvo of ICBMs streaking majestically toward their targets to calm you.

      As the missiles hit, allow the annihilation to banish your stresses and purify your spirit.

      Lean back in your comfortable meditation chair and allow yourself a maniacal laugh.

      1. Sir Runcible Spoon Silver badge
        Headmaster

        Re: Meteor, smoking crater, Twitter HQ.

        I can't meditate properly knowing you used 'site' instead of 'sight'.

        1. herman Silver badge

          Re: Meteor, smoking crater, Twitter HQ.

          '''site' instead of 'sight'" - Aha, you mean 'shite'.

          TFIFY

      2. Shadow Systems Silver badge
        Pint

        Re: Meteor, smoking crater, Twitter HQ.

        Forget a mere pint, please go enjoy an entire keg with my compliments while I go back to that delightful little dream sequence. XD Hahahahahahaha

  2. Anonymous Coward
    Anonymous Coward

    De ja vu

    Isn't this breach of user trust and privacy nearly identical to what happened to Facebook users that gave FB their phone number for 2FA?

    Also, how come these so-called mistakes ever happen in the opposite where advertisers (and authoritarian govt spooks) were unable to slurp user data due to these errors?

    1. Anonymous Coward
      Anonymous Coward

      Re: De ja vu

      This is not a breach of user trust and privacy, it is a business strategy intended to maximize value for shareholders. It's capitalism 101.

      1. sbt Silver badge
        Paris Hilton

        Can't it be both?

        The interests of customers and shareholders often align only incidentally.

        1. Headley_Grange Silver badge

          Re: Can't it be both?

          Twitter's customers are the advertisers, not the users.

          1. GnuTzu Silver badge

            Re: Can't it be both?

            And, just to state the blatantly obvious: this is how we know they won't spend anymore on security then they have to, regardless of any claim to the effect that they take these things very seriously. Make a choice: industry standards or government regulations. Decide before somebody decides for you.

        2. IceC0ld Silver badge

          Re: Can't it be both?

          The interests of customers and shareholders often align only *incidentally*

          The interests of customers and shareholders only ever align accidentally - FTFY

          1. sbt Silver badge
            Coat

            Re: Can't it be both?

            Thanks. That was closer to my original wording, too. But my mistake was calling them customers, I should have said users. As Headley_Grange pointed out, in this case the real customers and shareholders did OK.

            I think there are enough examples of happy customers leading to happy shareholders to refute your take. "Only" is a strong claim.

      2. Justthefacts Bronze badge

        Re: De ja vu

        Megacorps aren’t maximising value for shareholders any more, particularly not the FAANGs. They just maximise the pay packets of the C-suite for a decade or so.

        Share*holders* make negligible profit from this, because these companies pay little if any dividend. The life cycle of these companies is roughly:

        1 “we’re growing massively we need to invest in growth not dividends”

        2 “we’re massive so we have to avoid tax, which we do by retaining earnings and not giving dividends”

        3 “ the next big thing has arrived, seems our product and company is now worthless, sorry”

        Share speculators make money on the way up, lose it on the way down, Twitter scams are great for them. Ironically, the share speculators don’t really care whether there are any real Twitter accounts at all, or they are just botnets. The underlying fundamentals are entirely irrelevant, as the only important game is to time the pump and dump. The pension funds have to follow the trackers, so it’s the pension fund “shareholders” that are always the loser in this zero-sum lifecycle.

        1. Terry 6 Silver badge

          Re: De ja vu

          Share speculators make money on the way up, make more on the way down,

          It's the amateurs that get burnt by a fall.

        2. Robert D Bank

          Re: De ja vu

          hear hear

  3. Anonymous Coward
    Anonymous Coward

    Once again we have the proof

    suck... sorry, gullible persons are a valuable, renewable economic resource available in large quantities.

    Give phone number for security purposes ? Guffaws...

  4. IGotOut

    Well...

    looks like a clear GDPR violotion from. Lets see some BIG fines from the EU.

    The UK however will wag it's tail in order not to upset our "special relationship" i.e. get royally fucked over.

    1. macjules Silver badge
      Pint

      Re: Well...

      It does indeed, and 21 days does not equal 'within 72 hours', which is the maximum time permitted for a personal data breach.

      Multiply approximately 21m UK Twitter users by £1000 and then factor in that Twitter only paid £41,000 in corporation tax last year on UK sales of £100m. Oh, and its 4% of Global turnover, not just UK, so around $120m if their global turnover for last year was $3Bn

      Beer and Popcorn time.

      1. SolidSquid

        Re: Well...

        Might be why they're trying to claim that no personal data was shared externally, if they can muddy the waters around what "personal" data is they can argue they didn't violate the 72 hour limit

        1. hakuli

          Re: Well...

          "if they can muddy the waters around what "personal" data is they can argue they didn't violate the 72 hour limit"

          My understanding is that GDPR itself defines what is considered to be personal information, and so in scope of the law. Twitter can "redefine" personal data all they like, but it won't make a difference if the law says otherwise.

          If a mobile phone number is a sufficiently good identifier to provide targeted ads, by extension surely it's also sufficiently good to uniquely identify an individual and so - if they're an EU citizen - it's "personal data" and in scope for GDPR?

          IANAL, though...

          1. Phil O'Sophical Silver badge

            Re: Well...

            if they're an EU citizen

            EU resident, GDPR does not take citizenship into account

            1. hakuli
              Pint

              Re: Well...

              Whoops, my bad. Happy to be corrected, though.

          2. MJB7 Silver badge

            Re: muddy the waters

            I think they will try to muddy the waters around "externally disclose" rather than "personal data". Specifically, if the advertiser says "send this ad to this list of people if you know of them", then Twitter didn't disclose the user's phone number externally, so that's alright then.

            Of course, even if they can pull that one off, they are still stuck with admitting that they processed the personal information not just for the purposes that they said they were going to process it for - and that is a big GDPR no-no.

            1. Nick Ryan Silver badge

              Re: muddy the waters

              Tha's how I read it too. I read it that Twitter generated a list of advertising targets, twitter account identifiers, having been given a list of various identifiers to try and produce this list. This externally provided list included telephone numbers and email addresses and while it would have been acceptable, to varying degrees of acceptable, to match these to published Twitter account profile records, it was definitely not acceptable to match these against data provided solely for the purpose of account recovery and verification. In other words, while Twitter is correct in that they did not provide these personal details to an external organisation (advertiser) they did process the provided personal data in a manner which was contra to its intended and published and agreed purpose and therefore the processing was in violation of the GDPR. Even if Twitter did not provide the list of advertising targets externally, which I'm reasonably sure that they didn't, the abuse of the personal data that was not provided for this purpose is the issue.

    2. Halfmad Silver badge

      Re: Well...

      ICO doesn't care about special relationships tbh.

    3. Anonymous Coward
      Anonymous Coward

      Re: Well...

      > The UK however will wag it's tail in order not to upset our "special relationship"

      UK consumer and data protection rules are, and always have been, stronger than EU-specified minima.

      1. Anonymous Coward
        Anonymous Coward

        Re: Well...

        I can only assume that the downvotes are from people who dislike the fact that UK has the lead over the EU, since the facts are correct. The original UK Sale of Goods Act dates from 1893, and fines available under the DPA that preceded GDPR were £500k max, compared to, say, the German equivalent which was limited to €300k.

        1. Nick Ryan Silver badge

          Re: Well...

          I'm not sure what particular relevance the UK's sales of good act has to the points being made here.

          The (1998) Data Protection Act that the GDPR superceded provided a lot of wriggle room for the implementing states to apply things as they felt fit. The maximum fine was not set in the original Data Protection Act therefore it was up to each member state to set whatever values they felt appropriate. As for the UK always applying over the minimum regulation, that is not true as the UK chose to include only computer processed data in the original DPA even though the intention of the original act was to cover all mediums and other states chose to include all mediums as this was the intention. This kind of divergence is one of the many things that the GDPR has fixed over the DPA.

  5. doublelayer Silver badge

    Geographic coverage

    We now need to find out where this applies. If it applies to European users, they may be in for quite a fine, as this is a pretty clear GDPR violation and they probably didn't disclose any of this as they were required to do. Why do I have this sinking feeling that it applies to everyone but the European users (just check, investigators, you'll clearly see that the server says "everywhere-but-europe.twitter.com" and why would we lie?) or that those with the power to hand out fines will consider it and then forget?

  6. Anonymous Coward
    Anonymous Coward

    GDPR: Probably not just advertisers ...

    You could imagine other interested parties such HR departments, agencies and third parties they engage to actively trawl and identify whether any of their workforce hold non-canonical views, e.g. in Politics, since discrimination and termination on the basis of expressing Political belief on Social Media is not protected by Diversity legislation.

  7. Anonymous Coward
    Anonymous Coward

    GDPR

    From: https://www.bbc.co.uk/news/technology-49981981

    "Unusually, the company is not proactively contacting customers directly to inform them of the breach."

    Twitter, which has its European headquarters in Dublin, would not confirm whether or not it had notified the Irish Data Protection Commissioner, other than to say it was communicating with regulators “where appropriate”.

    Under Europe’s General Data Protection Regulation (GDPR), users must be informed if data is used for a purpose other than what it was intended for.

    1. Jet Set Willy

      Re: GDPR

      This is a nailed-on GDPR violation compounded by their non-disclosure. They should be fined heavily for their "oopsie".

      Unfortunately Twitter are Media Darlings because it means news outlets don't have to spend shoe-leather doing any real journalism these days. Slap on the wrist is the most we can expect.

    2. EnviableOne Bronze badge

      Re: GDPR

      Its not the personal data being lost which is a breach of GDPR (even if we believe them)

      Its the data being used for purposes, other than the ones, that were consented to when the info was given to Twitter.

      Chances of this resulting in even a repremand under GDPR is negligable as the Irish DPC would have to take lead as it hosts Twitter's EU HQ, and its so woefully underfunded and in the pockets of US tech.

  8. cantankerous swineherd Silver badge

    other SIMs are available. as are email addresses, birthdays etc etc

    1. AJ MacLeod

      The "trouble" is that while valid but disposable email addresses are easily generated and confirmed, most sites that take phone numbers as 2FA require you to prove that you can receive calls/messages on that number.

      (I put trouble in quotation marks as being unable to sign up to this particular site seems to me like a benefit rather than a problem.)

  9. Anonymous Coward
    Anonymous Coward

    Another reason NOT to engage with these social media shysters

    Believe it or not people, life is just fine and dandy outside the social media bubble.

    1. Anonymous Coward
      Anonymous Coward

      Re: Another reason NOT to engage with these social media shysters

      Thanks for sharing your thoughts socially on this medium.

      1. John Brown (no body) Silver badge
        Linux

        Re: Another reason NOT to engage with these social media shysters

        Is this social media? Here's a photo of what I had for lunch today.

  10. Chris G Silver badge

    Sorreee, sorreee!

    We just got carried away.

    Twitter's attitude and that of all the other businesses that have played fast and loose with people's private information always reminds me of the wedding massacre in the Holy Grail.

    Potential profit and advantage outweighs injury by a long stretch.

    "Let's not argue about who killed who, this is a happy occasion and Lancelot is an honoured and very influential guest.........."

    1. Jet Set Willy

      Re: Sorreee, sorreee!

      "...in a very real, and leagally binding sense".

  11. Pat Att

    Hmmm

    That explains why I've had a sudden increase in spam to my main email address.

    1. Doctor Syntax Silver badge

      Re: Hmmm

      Why give potential spammers (and that includes any business where you are the product) your main email address?

  12. Doctor Syntax Silver badge

    Error?

    All those LoC and everything else needed to put this together were intended to do something else and this was an accidental and totally unintentional side-effect? Or it was an unconscious doodle by some day-dreaming developer that by the magic of DevOps got released without anyone knowing it existed?

    You might try not insulting our intelligence.

  13. Mage Silver badge
    Pirate

    If you MUST use SM

    Use a pseudonym.

    Use a unique email address.

    Use a unique password.

    Use a unique PAYG unregisterd SIM (not possible in all countries) if you think you MUST give them a phone number. Better to regard the account as disposable and ignore 2FA. Use a decent unique password.

    Do not ever post your real age or address or real names of any family or friends. Use email with people that need to know that stuff.

    *

    The Advertisers are the customers and you are the product. Do not use it for Customer Support, use your own website if you are commercial.

    1. Lee D Silver badge

      Re: If you MUST use SM

      Just buy a 07 VoIP number or similar... let them spam that to oblivion, rather than have to pee about with extra SIMs, phones, etc. Best thing I ever did was buy a 4G router and SIM package for it - portable Internet connection without having to rely on other people's wifi, use it as my home Internet when I'm at home, and it gives me a real-but-throwaway phone number for people who insist they need one, which I can access the texts to if I really want to (via an app for the router) but which doesn't ping, bing or notify me in any way otherwise.

      Unique email - I agree. I own a domain and use a unique "username"@ for every service. Anyone spams that service, the email gets blocked. It costs a pittance, but all lands in the same (unadvertised) GMail inbox at the end.

      Unique password - no. Just have a set of throwaway passwords that you use for anything that contains the same level of information. If you Twitter has no more information on it than, say, your Reddit, they can have the same password - if someone gets one, they have access to the same information as the other anyway. The username is already unique, so the password won't get re-used with that account name to try to cross into services anyway.

      Other than that, the paranoia isn't worth the effort.

    2. Ben Tasker Silver badge

      Re: If you MUST use SM

      > Use a unique PAYG unregisterd SIM (not possible in all countries) if you think you MUST give them a phone number. Better to regard the account as disposable and ignore 2FA.

      It's not quite as simple as being about what _you_ think, unfortunately.

      Twitter recently gave me a 12hr naughty-stepping, and to reinstate my account a requirement was that I provide a mobile number (I objected on GDPR grounds and they rejected the appeal). I didn't fancy throwing my account away over it, so yeah, I bought a PAYG SIM for the princely sum of 99p.

      They also require you to provide a mobile number to enable 2FA, even if you'll be using TOTP/U2F instead of SMS 2FA.

      In both these cases you can delete the number straight after, but they've had it, and it's down to trust (hah) whether it's actually gone.

      As a side note, I discovered this morning that when they required me to provide that number, they silently disabled my 2FA. So the account's been sat protected only by a strong password for more than a month, without my knowledge.

      Twitter are _really_ shit at this security thing.

      1. herman Silver badge
        Devil

        Re: If you MUST use SM

        "Twitter are _really_ shit at this security thing." - On the contrary, they are very good at it all - they make very sure that they give accurate user information to their advertisers.

  14. Toni the terrible

    Its Like anything Addictive

    Just say no, that is don't use unsocial media

  15. Tom Paine Silver badge

    "When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize."

    Twitter assures users that no "personal" information was shared, though we're not sure what Twitter would consider "personal information" if your phone number and email address do not meet the bar.

    So you're accusing Twitter of telling barefaced lies? You're alleging they DID share the data with advertisers, even though they deny it?

    1. doublelayer Silver badge

      I know what they mean. They mean that the phone numbers weren't simply packaged up and emailed to the advertisers, I.E. no data was "shared", deliberately on the basis of "let's share this big list of numbers". However, the data was, in fact, shared because the advertisers got matches. The matching software ran on Twitter's servers and not the advertisers', that is all. From the perspective of the users who had their numbers stolen and given to an advertiser, there's not much difference. I would cheerfully accuse Twitter of almost a lie in this occasion. They know what this means but they were deliberately deceptive to try to make it sound like less happened. Definitions of "lie" can change, but it was clearly less than honest.

  16. herman Silver badge

    Relaxation therapy

    Breathe in....

    Breathe out....

    Breathe in....

    Breathe out....

    There....

    You are breathing manually now...

    You are welcome!

  17. Anonymous South African Coward Silver badge

    T

    Tw

    Twa

    Twat

    Twatt

    Twatte

    Twatter

    What a timewaster. Especially if you try to follow links into and deep down the deep rabbit hole.

  18. Anonymous Coward
    Anonymous Coward

    ""We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,""

    This is quite high in the bullshit meter, here. It is when "YOU provide details" that it "mat have been INADVERTENTLY used" for anything.

    I'm a bit baffled this doesn't provoke outcries in the main press here, or are everyone already hopelessly used to it ?

  19. Anonymous Coward
    Anonymous Coward

    If something is free, YOU are the product being sold

    That is all.

    1. Throatwarbler Mangrove Silver badge
      Trollface

      Re: If something is free, YOU are the product being sold

      . . . he says, posting on The Register, a free news site.

    2. Anonymous Cowtard

      Re: If something is free, YOU are the product being sold

      I use GNU/Linux OSes, all free. Who is the customer buying me?

      1. doublelayer Silver badge

        Re: If something is free, YOU are the product being sold

        This is far too general. In some cases, it's simply not true. Plenty of software is released for free without expecting data or anything else of value. And, in many other cases, people pay for a product and have their data stolen regardless. To some extent, you could say that "If there are ads on it, you are the product", but that's not necessarily always the case either.

  20. sitta_europea Bronze badge

    Whenever ANYONE asks for my phone number I tell them to EOn-Off.

  21. Dan 55 Silver badge

    This is way I never use 2FA with a phone number

    Unless it's the bank, because they're pass masters at backwards authentication methods and I've not exactly got a choice in the matter.

  22. Throatwarbler Mangrove Silver badge
    Trollface

    I forgive you, Twitter

    . . . now, what's Dolt 45's personal cell phone number?

  23. MatsSvensson

    Please...

    Give me your email and phone number, to read this comment.

  24. TeeCee Gold badge

    ...their marketing list, we may have matched...

    That's how they didn't share the info. Twitter are saying that given a list, some entries on which already contained email, phone and such, those items would match to what they had.

    No harm done bar breaking the bit in their own Ts & Cs where it (presumably) says something like "we will not use this information...", the operative word being "use".

    This begs the question as to where the ad-slingers did get it from...

  25. PaulR79
    FAIL

    Phone number required for new accounts now?

    I was in the process of procuring a new Twitter account, for totally legit reasons that I will not go into and don't you dare suggest it's nefarious, and was surprised to see that the only way to do so was to provide a mobile phone number while signing up. Has this been a recent change or did I miss it happening a while ago? It'd be laughable if it wasn't so infuriating.

    "We need your phone number so we can verify that it's a legitimate account! We only use it for that purpose, honest!!"

    "Yeah... we might have given your details away. 21 days ago. No we can't tell you if you were affected but at least we're telling you about it now."

    Until / unless these asshole companies are fined something significant with no room to wiggle and negotiate it down to virtually nothing this sort of crap will keep happening.

  26. Anonymous Coward
    Anonymous Coward

    Phone numbers are mandatory on Twitter... is not optional!

    If one wants to have some account at Twitter he/ she MUST give them the phone number. It is not like anyone may choose not to give it, because they always lock down the account until the user gives Twitter their phone number (with some "security" argument to protect the community that you have done something suspicious or some poor excuse like that). I don't remember if they allow just to enter the phone, or if they also demand the e-mail... the phone I'm sure is mandatory, the account is almost immediately (few minutes) locked until some valid number is entered, but the e-mail I don't remember if they also demand it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019