On FTC’s Twitter Case: Enhancing Security Without Compromising Privacy

In a complaint against Twitter announced today, the Federal Trade Commission alleged the company deceptively used Twitter users’ phone numbers and email addresses, which were collected for security purposes, for other purposes from 2014 to 2019. Users provided phone numbers or email addresses to Twitter for a variety of security purposes, such as for two-factor authentication or to unlock an account where Twitter detected suspicious or malicious activity. Twitter would then use this contact information to allow advertisers to target specific groups of Twitter users by matching the telephone numbers and email addresses that Twitter collected to the advertisers’ lists of telephone numbers and email addresses, or to import marketing lists from data brokers for matching purposes. We outline key takeaways of the case below.

Deceptive use of phone and email for targeted advertising instead of just for security

According to the complaint, when Twitter requested phone numbers and email addresses from its users in these contexts, it specifically told them that this information was to help secure their accounts, with no mention of targeted advertising. Twitter’s privacy policy appears to communicate it is using contact information for advertising:

When you use Twitter, even if you’re just looking at Tweets, we receive some personal information from you like the type of device you’re using and your IP address. You can choose to share additional information with us like your email address, phone number, address book contacts, and a public profile. We use this information for things like keeping your account secure and showing you more relevant Tweets, people to follow, events, and ads.

Generic, broad claims buried in a lengthy document do not override more specific, just-in-time statements made to consumers specifically in the context of when they are providing their information – in this case, about the use of contact information for security purposes. If a company says at the point of collection that consumers’ information will be used for a particular purpose, consumers should be able to rely on that promise.^[1]

The FTC’s recent action against Cafepress^[2] is another example of this. In that case, consumers ordering products online had to submit their email address. As detailed in the complaint, a notice above the email address field stated, “Email address for order notifications and receipt.” The FTC challenged the use of these email addresses for marketing purposes, too, as a deceptive practice.   

Mandating multi-factor authentication

A novel feature of our order in Twitter is the requirement that Twitter must allow its users to take advantage of multi-factor authentication choices that do not require providing Twitter a phone number, such as mobile authentication apps or security keys.

This provision reflects the growing importance of multi-factor authentication to protect accounts online. ^[3] It also helps protect users: in addition to being more protective of privacy, because they do not require providing any personally identifying information, mobile authentication apps and security keys are both more secure than phone-number based multifactor-authentication. Security keys in particular provide a tremendous security benefit to consumers, as they effectively protect against credential phishing attacks that all too often can give an attacker a way into a company’s network, as alleged in Cafepress.

A similar requirement is present in our Cafepress order. In Cafepress, an attacker was able to access sensitive consumer information including security questions and answers used to authenticate accounts – compromising that information for consumers’ accounts at Cafepress and possibly other sites where the consumer may have supplied the same information. The order requires Cafepress to stop using security questions and answers and instead to use secure multi-factor authentication methods.

In actions against companies for law violations relating to privacy or data security, the Commission will continue to look for remedies that make consumers whole and ensure that companies that misused or failed to protect consumers’ data put state-of-the-art measures in place so it does not happen again.

[1] This is a basic tenet of consumer protection law. As stated in the FTC’s “Dot.Com Disclosures” guidance:

• [I]t is highly unlikely that consumers will read disclosures buried in ‘terms of use’ and similar lengthy agreements. Even if such agreements may be sufficient for contractual or other purposes, disclosures that are necessary to prevent deception or unfairness should not be relegated to them.  Similarly, simply because consumers click that they ‘agree’ to a term or condition, does not make the disclosure clear and conspicuous.

FTC Staff Report, .com Disclosures:  How to Make Effective Disclosures in Digital Advertising at 18 (2013), https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-staff-revises-online-advertising-disclosure-guidelines/130312dotcomdisclosures.pdf. See also, e.g.,Sears Holdings Management Corporation, FTC Matter No. 082 3099, Docket No. C-4264 (2009), https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-management-corporation-corporation-matter.

[2] Residual Pumpkin Entity, LLC, and PlanetArt LLC, FTC Matter No. 1923209 (proposed complaint and consent agreement) (March 15, 2022), https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter. Residual Pumpkin Entity and PlanetArt have done business at various times as Cafepress.

[3] The New York Attorney General recently announced that more than 1.1 million online accounts were compromised in cyberattacks at 17 well-known companies through a technique called “credential stuffing,” where hackers try to get into password-secured accounts by various means, including using passwords exposed in previous breaches. Attorney General James stated, “Right now, there are more than 15 billion stolen credentials being circulated across the internet….” See https://ag.ny.gov/press-release/2022/attorney-general-james-alerts-17-companies-credential-stuffing-cyberattacks (and see accompanying guide for tips for businesses to address this issue, https://ag.ny.gov/sites/default/files/businessguide-credentialstuffingattacks.pdf).