Twitter Screws Up With Data It Shouldn't Hold

I recently had a (NSFW) grumble about Twitter. Part of that grumble was about the fact that Twitter insist you provide a mobile phone number in order to re-instate your account after a suspension.

As part of my appeal against the suspension I noted that that's arguably not GDPR compliant - a phone number is (undoubtedly) PII, and is not required in order to provide the service. For Twitter to hold that number requires consent, and it's unlawful for them to withhold the service if consent is not given for non-essential data processing.

Part of the reason for my objection was because Social Media companies (in the form of Facebook) have already proven they cannot be trusted with things like mobile phone numbers.

Presumably Twitter weren't happy with the fact that I needed to use Facebook as an example, as they've now gone ahead and had a data processing screw up of their own.

Twitter's Screw-Up

The linked blog post can be found here, as they seem to have used a generic page rather than a dedicated URL, the text is quoted below:

We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system. 

Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled). Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners. When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.

We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.  

We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again. If you have any questions, you may contact Twitter's Office of Data Protection through this form.

So, to summarise:

Twitter "accidentally" used mobile phone numbers (and email addresses) for marketing/advertising purposes when they were provided solely for the purpose of account safety.

My experience shows, too, that these numbers may not all have been given willingly. So that's Twitter processing data for a purpose that hasn't been consented to (and very evidently requires consent under GDPR) using data that they've extorted out of users through a non-compliant process.

Not the Only Means of Number Collection

Getting your account unsuspended isn't the only means by which Twitter collected mobile numbers. Providing a mobile number is a requirement for enabling 2nd Factor Authentication on Twitter - even if you don't intend to use SMS 2FA.

Twitter support TOTP and U2F tokens, but you cannot access the menu to enable those without first providing a mobile number in order to enable 2FA. You then have to enable those, disable SMS based 2FA and then delete your mobile number - there's no way not to trust them with your number.

My Number

Being somewhat distrusting and quite, quite stubborn, I didn't give Twitter my real number. Instead I bought a Pay-as-you-go SIM and gave them that number instead. Technically that's now still my number, just not my main one.

Whilst queuing for the till, it did occur to me that perhaps I was being overly paranoid. Today vindicates me.

Companies without a legitimate need should not be provided with a mobile number.

It gets worse

It's only actually today I've noticed this, but when Twitter forced me to (re)add a mobile number in order to unsuspend my account, they silently disabled all 2 factor auth. So my account has been sat without 2FA active for over a month, with no notification to me.

So this morning I've had to

• Re-add the number (I deleted it again after my account was unsuspended)
• Enable SMS 2FA
• Enable TOTP and U2F
• Disable SMS 2FA
• Delete my mobile number

Just because this complaint about Twitter's 2FA wouldn't be complete without it - most services allow you to register multiple hardware keys (so that if one gets lost, you've another secured somewhere to use). Not Twitter, one token, that's it - you'll have to use some other (weaker) form for your backup.

Conclusion

Mistakes happen in any business, and it's easy to explain this away as a mistake (as Twitter are keen to do), but if we look at this in context, one thing is clear. Twitter are absolutely crap at security.

They often get (well deserved) criticism for fostering the alt-right on their platform, but their security posture is absolutely laughable. They should be embarrassed at just how poor their system is.

In this brief post, we've highlighted a few screw-ups:

• Collected data they weren't entitled to
• "Accidentally" processed it for marketing purposes
• Have no useful form of audit, so cannot even tell how many users were affected
• Silently disabled 2nd Factor Auth on my account without notification
• Require personal data (phone number) to enable any form of 2FA

That Twitter have decided to be transparent about this screw-up is good (not so good that they've taken 21 days to notify about this - GDPR says 72 hours), and they should be credited for that, but they really, really need to get their house in order.

Follow Up

Rather than simply complaining about it here, I figured I'd use the form Twitter provided in order to highlight this stuff (and found another issue on the form.... sigh). The message I sent them is as follows

Hi,

There are 2 related issues in this message:

You recently *forced* me to provide a mobile phone number in order to re-instate my account. 

In my appeal against my suspension I noted that this was not GDPR compliant and that the requirement for provision of a number was the primary basis for my appeal (I'm a big boy, I can sit on the naughty step for 12hrs).  A phone number is PII under GDPR, and is clearly not required for provision of service (otherwise you couldn't have an account without one). Consent is therefore required and it is unlawful to withhold service if that consent is not given.

That appeal was rejected, so in order to reinstate my account I had to supply a number, despite that being contrary to law.

Now, it appears that my concerns were well founded as Twitter has revealed that it's incapable of correctly handling data. Well done...

Moving onto 2FA - again, you unnecessarily force provision of a phone number here. In order to enable any form of 2FA, you *must* provide a phone number, even if your intention is to use TOTP or U2F. Once TOTP/U2F are enabled, you can disable SMS 2FA and then delete the number. So, once again, Twitter's collecting numbers it doesn't need, despite clearly having inadequate internal processes.

I only found out today, but when you forced me to provide a number to re-instate my account, that reset (read, disabled) my 2FA settings. So, without notification, my account has been sat protected only by a password for over a month.

From your disclosure about the misprocessing, it's clear that Twitter's internal processes are entirely inadequate - the very fact that you've had to write "We cannot say with certainty how many people were impacted by this" indicates that your auditing around handling of personal data is insufficient.

So, as a result, I have some questions:

• Do you maintain a register of how PII is handled, and the legal basis upon which it's processed, as per the requirements of GDPR?
• How are you going to fix your processes going forward so that numbers are not collected unless absolutely necessary, and are not processed for any purpose other than those for which consent has been given?
• Are you going to fix your 2FA/Login Verification process so that it no longer requires a mobile number _unless_ SMS 2FA is being enabled? 
• Are you going to fix your 2FA process so that it can never be disabled, or settings changed, without notification to the user?
• Do you at least have an estimate of how many users were affected?
• Are you able to tell if an individual account is affected (e.g. can you see if my details were mis-processed)?
  

Sorry, I also now have one follow up question. Why have you disabled paste functionality on the password fields in this form (section "Follow-Up")? It's incredibly hostile to any user using a password manager which relies on the paste functionality, in doing so you're actually weakening security, not improving it (the UK's NCSC describes this practice as completely pointless" and actually "damaging" security. - https://www.telegraph.co.uk/news/2017/02/14/gchq-boss-admits-even-struggles-remember-internet-passwords/).

 

Thanks for your time

 

Ben

2FA Update

So, it transpires that at some point, Twitter have changed the way their 2FA hangs together. When I re-enabled 2FA earlier and then deleted my mobile number it seems to have triggered a process which meant that I eventually (read some time after) received an email with the subject line "Twitter login verification is now off". It's far from immediate though, I took the screenshot above after deleting the number

Checking back through my inbox, I definitely didn't get one of these when they made me provide a number to re-instate my account though.

They seem to have suggested to Ars that they are planning on fixing their implementation though.