Keeping Data Separate: Not All Personally Identifiable Information are Equal
By Francis Leung | November 1, 2019
Two-factor authentication (2FA) is a security process in which the user provides two different authentication factors to verify their identity. The first factor is commonly a password, while the second factor could be a security token or pin that is generated and sent to the user’s pre-registered email address or phone as they try to log in. 2FA is easy to implement and helps improve security as simply obtaining passwords is no longer sufficient for attackers to access an account and the personal nature of the second factor also makes it more difficult to obtain. As a result, many online platforms offer 2FA to its users.
On October 8, 2019, Twitter disclosed that it had inadvertently allowed phone numbers and email addresses provided by users to set up 2FA on their accounts, to be used for targeted advertising. Twitter offers a product called Tailored Audiences, which allows advertisers to target ads to customers based on the advertiser’s own mailing lists. The advertiser uploads their marketing list to Twitter, who matches the list with the Twitter user base and generates the targeted audience for the advertiser. Twitter admitted that the personal information collected for 2FA was accessed by the Tailored Audiences product.
Similarly, a year ago in September 2018, researchers from Northwestern University had discovered that Facebook was using phone numbers shared by users for two-factor authentication purposes for targeted marketing. When the researchers confronted FAcebook, the company defended its move, saying “With regard to 2-fac specifically, we’re clear with people that we use the information people provide to offer a more personalized experience, including showing more relevant ads. So when someone adds a phone number to their account for example, at sign up, on their profile, or during the two-factor authentication signup — we use this information for the same purposes.” In addition, the only way to prevent 2FA data from being used for personalization as well, was to remove the 2FA security feature from the users account.
While Facebook openly admitted it was co-mingling personally identifiable data for security and for advertising, Twitter has claimed that it was a mistake on their part. Nevertheless, these two incidents are highly concerning because it constitutes both a deceptive and unfair practice as well as a breach of trust. Users provided their contact information for the purpose of securing their accounts, only to have it used for a completely different purpose. This is incredibly hypocritical, especially as security is supposed to prevent the access of data, but the very means of security (phone numbers and emails in this case) became the enablers of data access for advertising. To add insult to injury, one reason users sign up for 2FA in the first place is because of security lapses at both Twitter and Facebook, including the hacking of numerous politicians and public figures’ profiles. Despite Facebook’s claim that they had been clear about the use of personal information for personalized services, it is also likely that many users who signed up for 2FA were not aware that their contact information would be used for anything other than security purposes.
Although cognizant that personalized recommendations is what makes platforms like Twitter and Facebook highly engaging, we nonetheless adamantly believe that data obtained for security applications should be kept separately from data used for other purposes such as personalization, even if the user is willing to provide the same personal data for both uses. This would be technologically easy to implement and it is surprising that this is not industry common practice. In addition, if the user did indeed want to provide their phone number of email address for both marketing features as well as 2FA, online platforms should ensure that this data is entered by the user separately, even at the cost of customer convenience. This way there can be no mistakes on determining what data was provided for what purposes and it reduces the risk of data being co-mingled.
Given that companies like Facebook had voluntarily shared data between its different products, we also believe that regulation is needed to ensure the separation of data for different uses. For its part, Facebook was fined $5 billion by the Federal Trade Commission for various privacy lapses (including the 2FA issue) and was explicitly prohibited from using telephone numbers obtained for security for advertising. However, Twitter’s incident a year later shows that the Facebook settlement was a one-off case that did not encourage other companies to enact similar protections on 2FA personal data. Hence, given the widespread of 2FA use today, we recommend that regulators include such provisions in the latest data protection regulations to ensure that all other companies who collect personal data for security purposes can also effectively protect this data.
Coldewey, Devin, and Natasha Lomas. “Facebook Settles with FTC: $5 Billion and New Privacy Guarantees.” TechCrunch, TechCrunch, 24 July 2019, techcrunch.com/2019/07/24/facebook-settles-with-ftc-5-billion-and-new-privacy-guarantees/.
Gesenhues, Amy. “Facebook Targets Ads with Data Users Didn’t Share with the Platform.” Marketing Land, 21 Mar. 2019, marketingland.com/facebook-targets-ads-with-data-users-didnt-share-with-the-platform-249136.
Goodin, Dan. “Twitter Transgression Proves Why Its Flawed 2FA System Is Such a Privacy Trap.” Ars Technica, 9 Oct. 2019, arstechnica.com/information-technology/2019/10/twitter-used-phone-numbers-provided-for-2fa-t o-match-users-to-advertisers/.
Lomas, Natasha. “Yes Facebook Is Using Your 2FA Phone Number to Target You with Ads.” TechCrunch, TechCrunch, 27 Sept. 2018, techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-a ds/.
Newman, Lily Hay. “Twitter Puts Profit Ahead of User Privacy-Just Like Facebook Did Before.” Wired, Conde Nast, 10 Oct. 2019, www.wired.com/story/twitter-two-factor-advertising/.
“Personal Information and Ads on Twitter.” Twitter, 8 Oct. 2019, help.twitter.com/en/information-and-ads#10-08-2019.
Rouse, Margaret, et al. “What Is Two-Factor Authentication (2FA)? – Definition from WhatIs.com.” SearchSecurity, searchsecurity.techtarget.com/definition/two-factor-authentication.
Whittaker, Zack. “Twitter Admits It Used Two-Factor Phone Numbers and Emails for Serving Targeted Ads.” TechCrunch, TechCrunch, 8 Oct. 2019, techcrunch.com/2019/10/08/twitter-admits-it-used-two-factor-phone-numbers-and-emails-for-tar geted-advertising/.