This week, Twitter has agreed to pay a $150 million settlement to the FTC over a past misuse of user data, which saw information submitted for personal identification confirmation purposes mistakenly then used in Twitter’s ad targeting efforts.
As explained by Twitter:
“On May 25, 2022, Twitter reached a settlement with the Federal Trade Commission (FTC) regarding a privacy incident disclosed in 2019 when some email addresses and phone numbers provided for account security purposes may have been inadvertently used for advertising. This issue was addressed as of September 17, 2019, and today we want to reiterate the work we’ll continue to do to protect the privacy and security of the people who use Twitter.”
The issue, as Twitter notes, was made public in 2019, when Twitter disclosed that it had been using information submitted for account security checks within its data targeting process.
Twitter revealed the initial finding in its Q3 2019 results, in which it noted that the correction of this element would have an impact on its overall revenue performance.
As Twitter CFO Ned Segal explained at the time:
“We ask people a series of questions before we put you into a timeline when you’re new to Twitter. Among the questions we ask are if we can use your device settings to figure out the best ads to show you. It turns out there that, that setting wasn’t working as expected, and we were using device settings even if people had asked us not to do so. So when we discovered that, one, we Tweeted about it, which we often do to try to be transparent with people when things aren’t working as expected. And two, we turned off the setting so that it would work as expected. That has a negative impact to revenue because it’s one less input that you’ve got when you are figuring out which ads to show people. So instead of getting a partial quarter impact, you get a full quarter impact in Q4.”
So, essentially, Twitter’s system did not respect user privacy inputs, and that flaw had been in place for six years, between 2013 and 2019.
Which is a significant privacy breach, hence the $150 million fine from the FTC.
As per the FTC’s announcement:
“Twitter asked users to give their phone numbers and email addresses to protect their accounts. The firm then profited by allowing advertisers to use this data to target specific users. Twitter’s deception violates a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices.”
While the case itself is not new, and the flaw at the heart of the issue has been resolved, it’s another blow for Twitter, which is in the midst of a cost-cutting push as it works to meet its own, tough revenue and growth targets, while also navigating a hostile takeover push from Elon Musk.
Twitter had factored this fine into its forecasts, so the hit won’t be as significant as it may sound, but even so, $150 million is a lot to take off its books – though it will clear the way for a new era if/when Musk does take over the app.
Which still seems like a ‘when’, despite Musk’s protests about the platform’s fake profile count and other transparency issues.
Whatever comes next, this does help to clarify Twitter’s ledger, as the FTC fine had been hanging over it for almost three years.
The case also highlights, once again, that even a relatively minor flaw like this can have a big impact when you’re operating at the scale that social platforms do. A small error with a few hundred people is a problem, but when it impacts millions, the extent of that issue is amplified significantly.
And there may be other flaws yet to be found – though Twitter says that it’s since implemented a range of checks and processes to ensure that it’s no longer misusing any user data.