First Facebook, and now Twitter. On Tuesday, Twitter admitted that it allowed marketers to access the phone numbers that users had registered with the site. Many had given their numbers to enable two-factor authentication (2FA)—that process where a website sends you a text message to verify it’s really you who’s logging in. Users didn’t realize they were also allowing marketers to verify who they are in order to build better advertising profiles incorporating Twitter user data. (Twitter says this was an inadvertent mistake and that it has closed the hole.)
That’s especially scary because our phone numbers have become powerful tools to identify and track us, not just for companies but for anyone who wants to look up our personal information stored in a myriad of public records such as court filings, voter registration, real estate transactions, and marriage records.
Twitter’s admission is a nasty case of déjà vu, since Facebook admitted to misusing phone numbers for ad targeting about a year ago. “For a lot of people, [text-message authentication] is a totally reasonable protection that you should feel comfortable using,” says Gennie Gebhart, a researcher on consumer privacy and security at the Electronic Frontier Foundation. “But Facebook was irresponsible, and now we can’t have nice things.”