[HN Gopher] Twitter faces FTC probe, likely fine over use of phone numbers for ads
___________________________________________________________________

Author : samizdis
Score  : 164 points
Date   : 2020-08-04 16:36 UTC (6 hours ago)

web link (arstechnica.com)

| segmondy wrote:
| Despite all that, their ads are straight up garbage. Either that or I'm very hard to target. I swear Twitter and Facebook must display random ads to me. I'm often having to mark it as never show this again because it's so way off from my interests.

| cracker_jacks wrote:
| > Twitter estimates the "range of probable loss" it faces in the probe is between $150 million and $250 million
|
| That's close to 10% of Twitter's annual revenue. How do the likes of Google and Facebook get away with fines <1% of annual revenue? This seems disproportionate. I am not taking a position on whether it should be higher or lower, just that it appears unbalanced.

| mrosett wrote:
| Part of the difference is that Twitter has much lower revenue per user than the other two. If you frame the fine as "$X per user impacted" rather than as "y% of your revenue" then it seems more proportional.

| gundmc wrote:
| $150 - 250 MM is more like 4-7 % of revenue than 10% based on their 2019 figure.

| tjoff wrote:
| Also note that they did this for _seven years_.
|
| It is really hard to grasp how pathetic the modern web is, where this is commonplace.

| thephyber wrote:
| What does this have to do with "the modern web"?
|
| The weakness here is both the legal system that allowed it and the regulatory system that failed to police it for years.

| kulahan wrote:
| Because the modern web is based entirely around invading the privacy of every user as much as possible in order to sell their private details to advertisers.
| If Twitter's money came from users in the form of subscriptions or purchases, rather than from advertisers in the form of paid, targeted ads, this would be _guarded_ information, rather than _shared_.

| RandomBacon wrote:
| Good. Didn't Facebook do the same thing? I don't remember if they were fined or not.

| tyre wrote:
| They did and were fined $5bn for privacy violations generally, of which one part was:
|
| > In addition to these violations of its 2012 order, the FTC alleges that Facebook violated the FTC Act's prohibition against deceptive practices when it told users it would collect their phone numbers to enable a security feature, but did not disclose that it also used those numbers for advertising purposes.
|
| https://www.ftc.gov/news-events/press-releases/2019/07/ftc-i...

| mercora wrote:
| Is there any benefit in using the phone network for 2FA besides (IMHO too) easy recovery in case of loss? Is there an equivalently usable method for recovery? Recovery codes aren't practical, I guess, because people would keep losing them too.
|
| Maybe some pseudonymous proof using cryptographic functions of modern passports could be used somehow without revealing real identity to the passport issuer too? It should not be possible to know who issued the pseudonymous identity proof, but it should also only be provable by me...

| gruez wrote:
| You can outsource it to something like Authy, which is still SMS based, but gets disabled if you install their app. They also claim that they can detect number porting attacks, so that might be marginally better.
|
| > Maybe some pseudonymous proof using cryptographic functions of modern passports could be used somehow without revealing real identity to the passport issuer too?
|
| You can still lose your passport. It's less likely than losing your phone, but still.
| Also, to access the cryptographic functions of a passport, you probably need an NFC reader, which isn't exactly accessible.

| jeremynixon wrote:
| This is a deep violation that makes every user of 2FA _unsafe_. A mere $250 million? This needs to be the kind of violation that endangers the company. It's not a mistake or honest error when 2FA phone numbers are used for advertising. This is malicious. Should be scaled to 100X the amount the company gained in advertising for the violation.

| Silhouette wrote:
| _This is a deep violation that makes every user of 2FA _unsafe_._
|
| It's certainly a violation of trust that could make people less likely to volunteer extra information for 2FA that could be used against them, even if it might also make them safer. For that alone, wilful violations ought to be treated as a serious breach under data protection laws.
|
| The number of important financial services I use that now insist on phone numbers for 2FA is getting irritating, too. Apparently in some cases it's been prompted by the changes in EU rules under PSD2, but as with almost everything else I've come across so far under PSD2, I'm not sure how much safer it will really make anyone. At least those financial services -- and my government, which is the other organisation I see doing this routinely now -- probably aren't going to use the contact information for anything other than the 2FA they claim, though.

| 1vuio0pswjnm7 wrote:
| I don't have the citation, but I recall a researcher who was studying this practice. He suggests that these requests for "factors" will continue to escalate to the point of absurdity. The sales pitch to the user is essentially "The more we know about you, the more we can protect you." However, if the user is seeking protection from others who are trying to discover her personal details, then this continual "full disclosure" to each tech company is counterproductive.
|
| This sort of nonsensical reasoning has also been used by individuals portraying themselves as "whitehats" who try to profit from large leaks of personal data. Users are asked to provide personal data in order to confirm whether their personal data has been leaked.

| WrtCdEvrydy wrote:
| Should be 1 million per user per text message sent out.
|
| Trust me, if our agencies had teeth, and executed a corporation for shit like this, we'd have a better technology ecosystem.

| edmundsauto wrote:
| Similarly, if we executed every criminal who is convicted of a violent crime, we would have far fewer violent criminals.

| noscrewstoyous wrote:
| You shouldn't use a phone number for 2FA to begin with; you'd be better off without 2FA if that's the only option IMO (assuming you're using a strong unique password). This is just more fuel on that fire.

| moscovium wrote:
| Remember when Jack Dorsey had his SIM attacked for the 2FA?

| diabeetusman wrote:
| 2FA with SMS protects against password reuse or leaks. It's my understanding that SMS is weak against attacks targeted at particular people while being sufficiently strong for the majority of cases.

| thephyber wrote:
| SS7 attacks scale better. SIM cloning is a lot of effort just to compromise a single SMS number.
|
| In general, SMS is better than no 2FA, but it's weaker than OTP/OTH or a token like YubiKey or Titan.

| amznthrwaway wrote:
| 1) It doesn't make every user of 2FA unsafe. Don't be absurd.*
|
| 2) $250MM is 10% of their annual revenue. That's extremely meaningful.
|
| If you want an example of an overly light fine, this is not it.
|
| * Yes, I know that you will argue, in bad faith, using some absurd definition of the word 'unsafe', but it simply isn't the case.
|
| Unsafe is what happens in places (like HN) where the moderators welcome white supremacists and other people who want to exterminate a portion of the population. Unsafe is not an unwanted text ad.
___________________________________________________________________
(page generated 2020-08-04 23:00 UTC)