Twitter used account security information to lead advertisers to users

Microblogging platform Twitter today said it used email addresses and phone numbers provided by consumers for security purposes for advertising ends — similar to behavior that got Facebook in trouble with the Federal Trade Commission.

Twitter itself is already under a 20-year consent agreement with the FTC stemming from a 2011 complaint that the social media platform misrepresented its security and privacy measures. Under the order, it can't "misrepresent in any manner" the extent to which it protects the security and privacy of its users' private information.

Twitter said it had allowed advertisers looking to target specific individuals based on internal or third-party marketing data to verify the identities of Twitter users by using emails and phone numbers those same users provided to the social media company to protect their accounts.

Most online platforms, including Twitter, allow consumers to turn on “second-factor authentication,” meaning that when logging on, the platform sends a one-time code to a mobile phone or email account.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” Twitter said in a blog post. The company stopped the practice on Sept. 17 and doesn’t have an estimate of how many people are affected by the advertising, it also said.

Similar behavior by Facebook earned that social media company censure by the Federal Trade Commission in the agency’s July settlement ending an ongoing investigation into the company’s privacy practices.

Facebook encouraged users since May 2011 to turn on second-factor authentication by supplying a phone number. In the FTC complaint against Facebook, the agency says Facebook did not adequately disclose that those same phone numbers “would also be used by Facebook to target advertisements.”

A Twitter spokesperson didn't respond immediately to questions about how long the practice to reuse user account information for advertising purposes endured, nor whether the company has been in touch with the FTC.