Twitter used 2FA phone numbers for targeted advertising

Does Twitter know your email address and your phone number?

Depending on how long ago you started using Twitter, it’s a near certainty the company has at least one of these – the email address – because people often hand that over when registering.

As for phone numbers (usually mobile numbers) these are entered to enable Twitter’s two-factor authentication (2FA) security, Login Verification.

We mention this because Twitter this week made the you have to be kidding admission that it might have “inadvertently” handed this data from some users to advertisers as part of the company’s Tailored Audiences system that targets users’ feeds with ads.

As apologies go, this one is unsatisfactory, particularly if you like Twitter but think ‘targeted’ ads sound intrusive:

We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.

Twitter glosses over some of the detail so let’s explain how Tailored Audiences is supposed to work.

Well-tailored

As many Twitter users will already know to their chagrin, Twitter posts ads to people’s feeds in the form of Promoted Tweets.

The advertiser logs into their ad account, chooses the Twitter demographic it wants to reach (country, language, device type, gender, and people who’ve tweeted about topics that interest the advertiser). The ad then appears in the feed of users meeting these criteria.

However, Twitter’s admission relates to a second type of targeting that sounds incredibly similar to what Facebook was accused of doing a year ago – allowing advertisers to match Twitter’s data to their own databases not simply to target uses but, hypothetically, to identify them too.

What Twitter describes as being “inadvertent” is in fact described quite explicitly on its website on a page for advertisers.

The advertiser logs into their ad account, this time uploading their own user list which is then matched to Twitter users with the same email addresses and mobile numbers (Android or iOS advertising IDs and Twitter handles can also be used).

So, when the ad appears in someone’s feed, it’s been put there because the advertiser already knows something about that person and believes the message will be better received.

Owning up

Twitter said that as of 17 September, it no longer allowed access to mobile numbers or email addresses (the latter of which can still be used by other Twitter users to hunt for you unless you turn that feature off).

We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.

Of course, the fact that Twitter didn’t let advertisers see phone numbers and email addresses is moot if advertisers might be able to infer this by matching their databases with its.

The involvement of mobile numbers entered by users to enable security is unfortunate, but we wouldn’t advise removing this data in case it proves useful should an account recovery become necessary.

Twitter has no plans to tell users if they’re part of this mini-scandal. For now, users who want to know more should contact the company using its data protection query page.