Twitter: No, really, we're very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users. The social networking giant on Tuesday admitted to an "error" that let advertisers have access to the private information customers had given Twitter in order …

  1. Shadow Systems

    Meteor, smoking crater, Twitter HQ.

    Another one for Zuck & FaceBook, Google & SatNad, Pai...

    Oh hell, I'm having fantasies of Total Extinction Events again. I'll go take my frog pills.

    =-J

    1. Long John Brass
      Joke

      Re: Meteor, smoking crater, Twitter HQ.

      You bastard; Frogs are endangered dontcha know

      1. Shadow Systems
        Joke

        Re: Meteor, smoking crater, Twitter HQ.

        The French are endangered? =-DP

        *Runs like hell*

        1. Fungus Bob

          Re: Meteor, smoking crater, Twitter HQ.

          They smoke too much.

          1. Shadow Systems
            Joke

            Re: Meteor, smoking crater, Twitter HQ.

            Of course they smoke, that's a symptom of having been set on fire. Duuuuhhhhh. =-)P

            *Hopes no French people are coming after me with pitchforks & tar, the tar makes my frog pills taste funny*

            1. Anonymous Coward
              Anonymous Coward

              Re: Meteor, smoking crater, Twitter HQ.

              French here. We surrender!

    2. Teiwaz

      Re: Meteor, smoking crater, Twitter HQ.

      Sit back, relax and enjoy it,

      It's very therapeutic.

      ...Breathe in and out evenly and regularly, allow the site of the salvo of ICBMs streaking majestically toward their targets to calm you.

      As the missiles hit, allow the annihilation to banish your stresses and purify your spirit.

      Lean back in your comfortable meditation chair and allow yourself a maniacal laugh.

      1. Sir Runcible Spoon
        Headmaster

        Re: Meteor, smoking crater, Twitter HQ.

        I can't meditate properly knowing you used 'site' instead of 'sight'.

        1. herman

          Re: Meteor, smoking crater, Twitter HQ.

          "'site' instead of 'sight'" - Aha, you mean 'shite'.

          TFIFY

      2. Shadow Systems
        Pint

        Re: Meteor, smoking crater, Twitter HQ.

        Forget a mere pint, please go enjoy an entire keg with my compliments while I go back to that delightful little dream sequence. XD Hahahahahahaha

  2. Anonymous Coward
    Anonymous Coward

    Déjà vu

    Isn't this breach of user trust and privacy nearly identical to what happened to Facebook users that gave FB their phone number for 2FA?

    Also, how come these so-called mistakes never happen in the opposite direction, where advertisers (and authoritarian govt spooks) are unable to slurp user data due to these errors?

    1. Anonymous Coward
      Anonymous Coward

      Re: Déjà vu

      This is not a breach of user trust and privacy, it is a business strategy intended to maximize value for shareholders. It's capitalism 101.

      1. sbt
        Paris Hilton

        Can't it be both?

        The interests of customers and shareholders often align only incidentally.

        1. Headley_Grange Silver badge

          Re: Can't it be both?

          Twitter's customers are the advertisers, not the users.

          1. GnuTzu

            Re: Can't it be both?

            And, just to state the blatantly obvious: this is how we know they won't spend any more on security than they have to, regardless of any claim to the effect that they take these things very seriously. Make a choice: industry standards or government regulations. Decide before somebody decides for you.

        2. IceC0ld

          Re: Can't it be both?

          The interests of customers and shareholders often align only *incidentally*

          The interests of customers and shareholders only ever align accidentally - FTFY

          1. sbt
            Coat

            Re: Can't it be both?

            Thanks. That was closer to my original wording, too. But my mistake was calling them customers, I should have said users. As Headley_Grange pointed out, in this case the real customers and shareholders did OK.

            I think there are enough examples of happy customers leading to happy shareholders to refute your take. "Only" is a strong claim.

      2. Justthefacts Silver badge

        Re: Déjà vu

        Megacorps aren’t maximising value for shareholders any more, particularly not the FAANGs. They just maximise the pay packets of the C-suite for a decade or so.

        Share*holders* make negligible profit from this, because these companies pay little if any dividend. The life cycle of these companies is roughly:

        1 “we’re growing massively we need to invest in growth not dividends”

        2 “we’re massive so we have to avoid tax, which we do by retaining earnings and not giving dividends”

        3 “The next big thing has arrived, seems our product and company is now worthless, sorry”

        Share speculators make money on the way up, lose it on the way down; Twitter scams are great for them. Ironically, the share speculators don’t really care whether there are any real Twitter accounts at all, or they are just botnets. The underlying fundamentals are entirely irrelevant, as the only important game is to time the pump and dump. The pension funds have to follow the trackers, so it’s the pension fund “shareholders” that are always the loser in this zero-sum lifecycle.

        1. Terry 6 Silver badge

          Re: Déjà vu

          Share speculators make money on the way up, make more on the way down,

          It's the amateurs that get burnt by a fall.

        2. Robert D Bank

          Re: Déjà vu

          hear hear

  3. Anonymous Coward
    Anonymous Coward

    Once again we have the proof

    suck... sorry, gullible persons are a valuable, renewable economic resource available in large quantities.

    Give phone number for security purposes? Guffaws...

  4. IGotOut Silver badge

    Well...

    Looks like a clear GDPR violation. Let's see some BIG fines from the EU.

    The UK however will wag its tail in order not to upset our "special relationship" i.e. get royally fucked over.

    1. macjules
      Pint

      Re: Well...

      It does indeed, and 21 days does not equal 'within 72 hours', which is the maximum time permitted for a personal data breach.

      Multiply approximately 21m UK Twitter users by £1000 and then factor in that Twitter only paid £41,000 in corporation tax last year on UK sales of £100m. Oh, and it's 4% of global turnover, not just UK, so around $120m if their global turnover for last year was $3Bn.

      Beer and Popcorn time.

      1. SolidSquid

        Re: Well...

        Might be why they're trying to claim that no personal data was shared externally: if they can muddy the waters around what "personal" data is, they can argue they didn't violate the 72 hour limit.

        1. Anonymous Coward
          Anonymous Coward

          Re: Well...

          "if they can muddy the waters around what "personal" data is they can argue they didn't violate the 72 hour limit"

          My understanding is that GDPR itself defines what is considered to be personal information, and so in scope of the law. Twitter can "redefine" personal data all they like, but it won't make a difference if the law says otherwise.

          If a mobile phone number is a sufficiently good identifier to provide targeted ads, by extension surely it's also sufficiently good to uniquely identify an individual and so - if they're an EU citizen - it's "personal data" and in scope for GDPR?

          IANAL, though...

          1. Phil O'Sophical Silver badge

            Re: Well...

            if they're an EU citizen

            EU resident; GDPR does not take citizenship into account.

            1. Anonymous Coward
              Pint

              Re: Well...

              Whoops, my bad. Happy to be corrected, though.

          2. MJB7

            Re: muddy the waters

            I think they will try to muddy the waters around "externally disclose" rather than "personal data". Specifically, if the advertiser says "send this ad to this list of people if you know of them", then Twitter didn't disclose the user's phone number externally, so that's alright then.

            Of course, even if they can pull that one off, they are still stuck with admitting that they processed the personal information not just for the purposes that they said they were going to process it for - and that is a big GDPR no-no.

            1. Nick Ryan Silver badge

              Re: muddy the waters

              That's how I read it too. I read it that Twitter generated a list of advertising targets (Twitter account identifiers), having been given a list of various identifiers to try and produce this list. This externally provided list included telephone numbers and email addresses, and while it would have been acceptable, to varying degrees of acceptable, to match these to published Twitter account profile records, it was definitely not acceptable to match these against data provided solely for the purpose of account recovery and verification. In other words, while Twitter is correct in that they did not provide these personal details to an external organisation (advertiser), they did process the provided personal data in a manner which was contrary to its intended, published and agreed purpose, and therefore the processing was in violation of the GDPR. Even if Twitter did not provide the list of advertising targets externally, which I'm reasonably sure that they didn't, the abuse of the personal data that was not provided for this purpose is the issue.

    2. Halfmad

      Re: Well...

      ICO doesn't care about special relationships tbh.

    3. Anonymous Coward
      Anonymous Coward

      Re: Well...

      > The UK however will wag its tail in order not to upset our "special relationship"

      UK consumer and data protection rules are, and always have been, stronger than EU-specified minima.

      1. Anonymous Coward
        Anonymous Coward

        Re: Well...

        I can only assume that the downvotes are from people who dislike the fact that the UK has the lead over the EU, since the facts are correct. The original UK Sale of Goods Act dates from 1893, and fines available under the DPA that preceded GDPR were £500k max, compared to, say, the German equivalent which was limited to €300k.

        1. Nick Ryan Silver badge

          Re: Well...

          I'm not sure what particular relevance the UK's Sale of Goods Act has to the points being made here.

          The (1998) Data Protection Act that the GDPR superseded provided a lot of wriggle room for the implementing states to apply things as they felt fit. The maximum fine was not set in the original Data Protection Act, therefore it was up to each member state to set whatever values they felt appropriate. As for the UK always applying over the minimum regulation, that is not true, as the UK chose to include only computer-processed data in the original DPA even though the intention of the original act was to cover all media, and other states chose to include all media as this was the intention. This kind of divergence is one of the many things that the GDPR has fixed over the DPA.

  5. doublelayer Silver badge

    Geographic coverage

    We now need to find out where this applies. If it applies to European users, they may be in for quite a fine, as this is a pretty clear GDPR violation and they probably didn't disclose any of this as they were required to do. Why do I have this sinking feeling that it applies to everyone but the European users (just check, investigators, you'll clearly see that the server says "everywhere-but-europe.twitter.com" and why would we lie?) or that those with the power to hand out fines will consider it and then forget?

  6. Anonymous Coward
    Anonymous Coward

    GDPR: Probably not just advertisers ...

    You could imagine other interested parties such as HR departments, agencies and third parties they engage to actively trawl and identify whether any of their workforce hold non-canonical views, e.g. in politics, since discrimination and termination on the basis of expressing political belief on social media is not protected by diversity legislation.

  7. Anonymous Coward
    Anonymous Coward

    GDPR

    From: https://www.bbc.co.uk/news/technology-49981981

    "Unusually, the company is not proactively contacting customers directly to inform them of the breach."

    Twitter, which has its European headquarters in Dublin, would not confirm whether or not it had notified the Irish Data Protection Commissioner, other than to say it was communicating with regulators “where appropriate”.

    Under Europe’s General Data Protection Regulation (GDPR), users must be informed if data is used for a purpose other than what it was intended for.

    1. Jet Set Willy

      Re: GDPR

      This is a nailed-on GDPR violation compounded by their non-disclosure. They should be fined heavily for their "oopsie".

      Unfortunately Twitter are Media Darlings because it means news outlets don't have to spend shoe-leather doing any real journalism these days. Slap on the wrist is the most we can expect.

    2. EnviableOne

      Re: GDPR

      It's not the personal data being lost which is a breach of GDPR (even if we believe them).

      It's the data being used for purposes other than the ones that were consented to when the info was given to Twitter.

      Chances of this resulting in even a reprimand under GDPR are negligible, as the Irish DPC would have to take the lead as it hosts Twitter's EU HQ, and it's so woefully underfunded and in the pockets of US tech.

  8. cantankerous swineherd

    Other SIMs are available, as are email addresses, birthdays etc etc.

    1. AJ MacLeod

      The "trouble" is that while valid but disposable email addresses are easily generated and confirmed, most sites that take phone numbers as 2FA require you to prove that you can receive calls/messages on that number.

      (I put trouble in quotation marks as being unable to sign up to this particular site seems to me like a benefit rather than a problem.)

  9. Anonymous Coward
    Anonymous Coward

    Another reason NOT to engage with these social media shysters

    Believe it or not people, life is just fine and dandy outside the social media bubble.

    1. Anonymous Coward
      Anonymous Coward

      Re: Another reason NOT to engage with these social media shysters

      Thanks for sharing your thoughts socially on this medium.

      1. John Brown (no body) Silver badge
        Linux

        Re: Another reason NOT to engage with these social media shysters

        Is this social media? Here's a photo of what I had for lunch today.

  10. Chris G

    Sorreee, sorreee!

    We just got carried away.

    Twitter's attitude and that of all the other businesses that have played fast and loose with people's private information always reminds me of the wedding massacre in the Holy Grail.

    Potential profit and advantage outweighs injury by a long stretch.

    "Let's not argue about who killed who, this is a happy occasion and Lancelot is an honoured and very influential guest.........."

    1. Jet Set Willy

      Re: Sorreee, sorreee!

      "...in a very real, and legally binding sense".

  11. Pat Att

    Hmmm

    That explains why I've had a sudden increase in spam to my main email address.

    1. Doctor Syntax Silver badge

      Re: Hmmm

      Why give potential spammers (and that includes any business where you are the product) your main email address?

  12. Doctor Syntax Silver badge

    Error?

    All those LoC and everything else needed to put this together were intended to do something else and this was an accidental and totally unintentional side-effect? Or it was an unconscious doodle by some day-dreaming developer that by the magic of DevOps got released without anyone knowing it existed?

    You might try not insulting our intelligence.

  13. Mage Silver badge
    Pirate

    If you MUST use SM

    Use a pseudonym.

    Use a unique email address.

    Use a unique password.

    Use a unique PAYG unregistered SIM (not possible in all countries) if you think you MUST give them a phone number. Better to regard the account as disposable and ignore 2FA. Use a decent unique password.

    Do not ever post your real age or address or real names of any family or friends. Use email with people that need to know that stuff.

    *

    The Advertisers are the customers and you are the product. Do not use it for Customer Support, use your own website if you are commercial.

    1. Lee D Silver badge

      Re: If you MUST use SM

      Just buy a 07 VoIP number or similar... let them spam that to oblivion, rather than have to pee about with extra SIMs, phones, etc. Best thing I ever did was buy a 4G router and SIM package for it - portable Internet connection without having to rely on other people's wifi, use it as my home Internet when I'm at home, and it gives me a real-but-throwaway phone number for people who insist they need one, which I can access the texts to if I really want to (via an app for the router) but which doesn't ping, bing or notify me in any way otherwise.

      Unique email - I agree. I own a domain and use a unique "username"@ for every service. Anyone spams that service, the email gets blocked. It costs a pittance, but all lands in the same (unadvertised) GMail inbox at the end.

      Unique password - no. Just have a set of throwaway passwords that you use for anything that contains the same level of information. If your Twitter has no more information on it than, say, your Reddit, they can have the same password - if someone gets one, they have access to the same information as the other anyway. The username is already unique, so the password won't get re-used with that account name to try to cross into services anyway.

      Other than that, the paranoia isn't worth the effort.

    2. Ben Tasker

      Re: If you MUST use SM

      > Use a unique PAYG unregistered SIM (not possible in all countries) if you think you MUST give them a phone number. Better to regard the account as disposable and ignore 2FA.

      It's not quite as simple as being about what _you_ think, unfortunately.

      Twitter recently gave me a 12hr naughty-stepping, and to reinstate my account a requirement was that I provide a mobile number (I objected on GDPR grounds and they rejected the appeal). I didn't fancy throwing my account away over it, so yeah, I bought a PAYG SIM for the princely sum of 99p.

      They also require you to provide a mobile number to enable 2FA, even if you'll be using TOTP/U2F instead of SMS 2FA.

      In both these cases you can delete the number straight after, but they've had it, and it's down to trust (hah) whether it's actually gone.

      As a side note, I discovered this morning that when they required me to provide that number, they silently disabled my 2FA. So the account's been sat protected only by a strong password for more than a month, without my knowledge.

      Twitter are _really_ shit at this security thing.

      1. herman
        Devil

        Re: If you MUST use SM

        "Twitter are _really_ shit at this security thing." - On the contrary, they are very good at it all - they make very sure that they give accurate user information to their advertisers.

  14. Toni the terrible Bronze badge

    It's like anything addictive

    Just say no, that is, don't use unsocial media.

  15. Tom Paine

    "When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize."

    Twitter assures users that no "personal" information was shared, though we're not sure what Twitter would consider "personal information" if your phone number and email address do not meet the bar.

    So you're accusing Twitter of telling barefaced lies? You're alleging they DID share the data with advertisers, even though they deny it?

    1. doublelayer Silver badge

      I know what they mean. They mean that the phone numbers weren't simply packaged up and emailed to the advertisers, I.E. no data was "shared", deliberately on the basis of "let's share this big list of numbers". However, the data was, in fact, shared because the advertisers got matches. The matching software ran on Twitter's servers and not the advertisers', that is all. From the perspective of the users who had their numbers stolen and given to an advertiser, there's not much difference. I would cheerfully accuse Twitter of almost a lie in this occasion. They know what this means but they were deliberately deceptive to try to make it sound like less happened. Definitions of "lie" can change, but it was clearly less than honest.
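The mechanism Nick Ryan and doublelayer describe above (the uploaded list being matched on Twitter's side against identifiers users supplied for safety and security), as an added example that is not from the thread or from Twitter: a naive matcher beside one that honours the purpose each identifier was collected for. All accounts, identifiers and the uploaded list are constructed samples, and the `Purpose` tags are an assumed data model.

```python
"""Audience matching with a purpose check (added example, not Twitter's code).

Models the failure the thread describes, matching an uploaded marketing list
against identifiers users supplied only for safety/security purposes, beside
a matcher that honours the purpose each identifier was collected for.
"""
import re
from dataclasses import dataclass
from enum import Enum

class Purpose(Enum):
    SECURITY = "security"        # 2FA, account recovery
    ADVERTISING = "advertising"  # user agreed to ad-audience matching

@dataclass(frozen=True)
class Identifier:
    kind: str            # "email" or "phone"
    value: str           # stored in normalised form
    purposes: frozenset  # Purposes the user supplied this identifier for

@dataclass(frozen=True)
class Account:
    handle: str
    identifiers: tuple


def normalise(value: str) -> str:
    """Canonical form so list entries and stored values compare equal."""
    value = value.strip()
    if "@" in value:
        return value.lower()
    return "+" + re.sub(r"\D", "", value)  # digits only, e.g. +447700900123


def match_audience_naive(accounts, uploaded):
    """The defect: any stored identifier matches, whatever it was collected for."""
    wanted = {normalise(v) for v in uploaded}
    return {a.handle for a in accounts
            if any(i.value in wanted for i in a.identifiers)}


def match_audience_purpose_bound(accounts, uploaded, required=Purpose.ADVERTISING):
    """Match only identifiers supplied for `required`.

    Returns (matched_handles, blocked); `blocked` lists (handle, kind) pairs
    that would have matched but were collected for another purpose, so the
    processing is auditable instead of silently widened.
    """
    wanted = {normalise(v) for v in uploaded}
    matched, blocked = set(), []
    for account in accounts:
        for ident in account.identifiers:
            if ident.value not in wanted:
                continue
            if required in ident.purposes:
                matched.add(account.handle)
            else:
                blocked.append((account.handle, ident.kind))
    return matched, blocked


# Constructed accounts: alice gave both identifiers for 2FA/recovery only.
ACCOUNTS = (
    Account("alice", (
        Identifier("email", normalise("alice@example.com"), frozenset({Purpose.SECURITY})),
        Identifier("phone", normalise("+44 7700 900123"), frozenset({Purpose.SECURITY})),
    )),
    Account("bob", (
        Identifier("email", normalise("bob@example.com"), frozenset({Purpose.ADVERTISING})),
    )),
    Account("carol", (
        Identifier("phone", normalise("+44 7700 900456"),
                   frozenset({Purpose.SECURITY, Purpose.ADVERTISING})),
    )),
)
# Constructed advertiser upload, with the messy formatting real lists have.
MARKETING_LIST = ["Alice@Example.com ", "+44-7700-900123", "+44 7700 900456", "nobody@example.com"]
```

The naive matcher returns alice and carol; the purpose-bound one returns only carol and records alice's two security-only identifiers as blocked, which is the audit trail a regulator would ask for.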

  16. herman

    Relaxation therapy

    Breathe in....

    Breathe out....

    Breathe in....

    Breathe out....

    There....

    You are breathing manually now...

    You are welcome!

  17. Anonymous South African Coward Bronze badge

    T

    Tw

    Twa

    Twat

    Twatt

    Twatte

    Twatter

    What a timewaster. Especially if you try to follow links into and deep down the deep rabbit hole.

  18. Anonymous Coward
    Anonymous Coward

    "We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,"

    This is quite high on the bullshit meter, here. It is when "YOU provide details" that it "may have been INADVERTENTLY used" for anything.

    I'm a bit baffled this doesn't provoke outcries in the main press here, or is everyone already hopelessly used to it?

  19. Anonymous Coward
    Anonymous Coward

    If something is free, YOU are the product being sold

    That is all.

    1. Throatwarbler Mangrove Silver badge
      Trollface

      Re: If something is free, YOU are the product being sold

      . . . he says, posting on The Register, a free news site.

    2. Anonymous Cowtard

      Re: If something is free, YOU are the product being sold

      I use GNU/Linux OSes, all free. Who is the customer buying me?

      1. doublelayer Silver badge

        Re: If something is free, YOU are the product being sold

        This is far too general. In some cases, it's simply not true. Plenty of software is released for free without expecting data or anything else of value. And, in many other cases, people pay for a product and have their data stolen regardless. To some extent, you could say that "If there are ads on it, you are the product", but that's not necessarily always the case either.

  20. sitta_europea Silver badge

    Whenever ANYONE asks for my phone number I tell them to EOn-Off.

  21. Dan 55 Silver badge

    This is why I never use 2FA with a phone number

    Unless it's the bank, because they're past masters at backwards authentication methods and I've not exactly got a choice in the matter.

  22. Throatwarbler Mangrove Silver badge
    Trollface

    I forgive you, Twitter

    . . . now, what's Dolt 45's personal cell phone number?

  23. MatsSvensson

    Please...

    Give me your email and phone number, to read this comment.

  24. TeeCee Gold badge

    ...their marketing list, we may have matched...

    That's how they didn't share the info. Twitter are saying that given a list, some entries on which already contained email, phone and such, those items would match to what they had.

    No harm done bar breaking the bit in their own Ts & Cs where it (presumably) says something like "we will not use this information...", the operative word being "use".

    This begs the question as to where the ad-slingers did get it from...

  25. PaulR79
    FAIL

    Phone number required for new accounts now?

    I was in the process of procuring a new Twitter account, for totally legit reasons that I will not go into and don't you dare suggest it's nefarious, and was surprised to see that the only way to do so was to provide a mobile phone number while signing up. Has this been a recent change or did I miss it happening a while ago? It'd be laughable if it wasn't so infuriating.

    "We need your phone number so we can verify that it's a legitimate account! We only use it for that purpose, honest!!"

    "Yeah... we might have given your details away. 21 days ago. No we can't tell you if you were affected but at least we're telling you about it now."

    Until / unless these asshole companies are fined something significant with no room to wiggle and negotiate it down to virtually nothing this sort of crap will keep happening.

  26. Anonymous Coward
    Anonymous Coward

    Phone numbers are mandatory on Twitter... it's not optional!

    If one wants to have an account at Twitter he/she MUST give them the phone number. It is not like anyone may choose not to give it, because they always lock down the account until the user gives Twitter their phone number (with some "security" argument to protect the community, that you have done something suspicious, or some poor excuse like that). I don't remember if they allow you to enter just the phone, or if they also demand the e-mail... the phone I'm sure is mandatory, the account is almost immediately (a few minutes) locked until some valid number is entered, but the e-mail I don't remember if they also demand it.
