Twitter warns investors of possible fine from FTC consent order probe
Twitter has disclosed it’s facing a potential fine of more than a hundred million dollars as a result of a probe by the Federal Trade Commission (FTC) which believes the company violated a 2011 consent order by using data provided by users for a security purpose to target them with ads.
In an SEC filing, reported on earlier by the New York Times, Twitter revealed it received the draft complaint from the FTC late last month. The activity the regulator is complaining about is alleged to have taken place between 2013 and 2019.
Last October the social media firm publicly disclosed it had used phone numbers and email addresses, which users had provided to set up two-factor authentication to bolster the security of their accounts, in order to serve targeted ads — blaming the SNAFU on a tailored audiences program, which allows companies to target ads against their own marketing lists.
Twitter found that when advertisers uploaded their own marketing lists (of emails and/or phone numbers) it matched users to data they had submitted purely to set up two-factor authentication on their Twitter account.
“The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter writes in the SEC filing. “The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million.”
“The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” it adds.
We’ve reached out to Twitter with questions.
The company has had a torrid few weeks on the security front, suffering a major security incident last month after hackers gained access to its internal account management tools, enabling them to access accounts of scores of verified Twitter users, including Bill Gates, Elon Musk and Joe Biden, and use them to send cryptocurrency scam tweets. Police have since charged three people with the hack, including a 17-year-old Florida teen.
In June Twitter also disclosed that a security lapse may have exposed some business customers’ information. And last year it was forced to report another crop of security incidents — including after a researcher identified a bug that allowed him to discover phone numbers associated with millions of Twitter accounts.
Twitter also admitted it gave account location data to one of its partners, even if the user had opted-out of having their data shared; and inadvertently gave its ad partners more data than it should have.
Additionally, the company is now at the front of a long queue of tech giants pending enforcement in Europe, related to major GDPR complaints — where regional fines for data violations can scale to 4% of a company’s global annual turnover. Twitter’s lead data protection regulator, Ireland’s DPC, submitted a draft decision related to a probe of one of its security breaches to the bloc’s other data agencies in May — with a final decision slated as likely this summer.
The decision relates to an investigation the regulator instigated following yet another major security fail by Twitter in 2018 — when it revealed a bug had resulted in some passwords being stored in plain text.
As we reported at the time, it’s pretty unusual for a company of such size to make such a basic security mistake. But Twitter has a very long history of failing to protect users’ data — with additional hacking incidents all the way back in 2009 leading to the 2011 FTC consent order.
Under the terms of that settlement Twitter was barred for 20 years from misleading consumers about the safety of their data in order to resolve FTC charges that it had “deceived consumers and put their privacy at risk by failing to safeguard their personal information”.
It also agreed to establish and maintain “a comprehensive information security program”, with independent auditor assessments taking place every other year for 10 years.
Given the terms of that order a fine does indeed look inevitable. However the wider failing here is that of US regulators — which, for over a decade, have failed to grapple with the exploitative, surveillance-based business models that have led to breaches and security lapses by a number of data-mining adtech giants, not just Twitter.