BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

How Computer Vision Is Transforming Cybersecurity
Google Issues ‘Critical’ Chrome Update For All Windows Users
WhatsApp Threatens To Remove 500 Million Users From App
Google Update Warning Issued For Millions Of Android Users
New iOS 18 AI Security Move Changes The Game For All iPhone Users
Microsoft Warns Windows Users Of Ongoing Russian Hack Attack
Edit Story
ForbesInnovationCybersecurity
Editors' Pick

Twitter ‘Inadvertently’ Gives User Security Data To Advertisers

Emma Woollacott
Senior Contributor
Opinions expressed by Forbes Contributors are their own.
Following
This article is more than 4 years old.


Twitter has apologised for allowing advertisers to target ads using the email addresses and phone numbers provided by users for account security.

The company has admitted that advertisers with its Tailored Audiences and Partner Audiences systems may have been able to target ads at specific users, based on the contact information they provided for two-factor authentification (2FA).

Tailored Audiences allows advertisers to target ads at users whose email addresses or phone numbers they already have. Partner Audiences allows ads to be targeted at audiences provided by third-party partners.

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize," says the company in a statement.

"We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware."

The company says it's addressed the problem that allowed this to happen and is no longer using phone numbers or email addresses collected for safety or security purposes for advertising.

However, questions remain - not least, why the information was ever on that particular database in the first place.

In addition, the company says it fixed the problem on September 17 - a full three weeks ago. Why were users not alerted before?

MORE FOR YOU

Apple’s iPhone AI Plans Confirmed With New Software Release

Packers Complete Safety Overhaul With Georgia’s Javon Bullard

Sopranos Star On James Gandolfini s Caring Reaction To Her MS Diagnosis

The company isn't contacting individual users affected by the issue, and says it doesn't even know how many there are. But, depending on where they are in the world, they will likely have legal recourse through data protection laws.

In Europe, for example, the General Data Protection Regulation (GDPR) has heavy penalties for organizations that use data for purposes that users haven't specifically authorized. Twitter may or may not have reported the breach to the authorities - in the EU, it should have done so within 72 hours of discovering it 'where feasible'. It should also have notified users individually unless it could argue - as it possibly can - that doing so would involve 'disproportionate effort'.

And it could face problems in the US too, where there's a bit of a precedent. Earlier this year, Facebook was found to be similarly using contact information provided for 2FA to allow targeted advertising; it was ordered to stop by the US Federal Trade Commission and given a $5 billion fine.

Follow me on Twitter
Emma Woollacott
Emma Woollacott