[HN Gopher] Twitter faces FTC probe, likely fine over use of pho...
       ___________________________________________________________________
        
       Twitter faces FTC probe, likely fine over use of phone numbers for
       ads
        
       Author : samizdis
       Score  : 164 points
       Date   : 2020-08-04 16:36 UTC (6 hours ago)
        
 (HTM) web link (arstechnica.com)
 (TXT) w3m dump (arstechnica.com)
        
       | segmondy wrote:
       | Despite all that, their ads are straight up garbage. Either that
       | or I'm very hard to target. I swear Twitter and Facebook must
       | display random ads to me. I'm often having to mark it as never
       | show this again because it's so way off from my interests.
        
       | cracker_jacks wrote:
       | > Twitter estimates the "range of probable loss" it faces in the
       | probe is between $150 million and $250 million
       | 
       | That's close to 10% of Twitter's annual revenue. How do the likes
       | of Google and Facebook get away with fines <1% of annual revenue?
       | This seems disproportionate. I am not taking a position on
       | whether it should be higher or lower, just that it appears
       | unbalanced.
        
         | mrosett wrote:
         | Part of the difference is that Twitter has much lower revenue
         | per user than the other two. If you frame the fine as "$X per
         | user impacted" rather than as "y% of your revenue" then it
         | seems more proportional.
        
         | gundmc wrote:
          | $150-250MM is more like 4-7% of revenue than 10% based on
          | their 2019 figure.
        
           | tjoff wrote:
           | Also note that they did this for _seven years_.
           | 
           | It is really hard to grasp how pathetic the modern web is,
           | where this is commonplace.
        
             | thephyber wrote:
             | What does this have to do with "the modern web"?
             | 
             | The weakness here is both the legal system that allowed it
             | and the regulatory system that failed to police it for
             | years.
        
               | kulahan wrote:
               | Because the modern web is based entirely around invading
               | the privacy of every user as much as possible in order to
               | sell their private details to advertisers. If Twitter's
               | money came from users in the form of subscriptions or
               | purchases, rather than from advertisers in the form of
               | paid, targeted ads, this would be _guarded_ information,
               | rather than _shared_.
        
       | RandomBacon wrote:
       | Good. Didn't Facebook do the same thing? I don't remember if they
       | were fined or not.
        
         | tyre wrote:
         | They did and were fined $5bn for privacy violations generally,
         | of which one part was:
         | 
         | > In addition to these violations of its 2012 order, the FTC
         | alleges that Facebook violated the FTC Act's prohibition
         | against deceptive practices when it told users it would collect
         | their phone numbers to enable a security feature, but did not
         | disclose that it also used those numbers for advertising
         | purposes.
         | 
         | https://www.ftc.gov/news-events/press-releases/2019/07/ftc-i...
        
       | mercora wrote:
        | Is there any benefit in using the phone network for 2FA besides
        | (IMHO too) easy recovery in case of loss? Is there an
        | equivalently usable method for recovery? Recovery codes aren't
        | practical, I guess, because people would keep losing them too.
        | 
        | Maybe some pseudonymous proof using cryptographic functions of
        | modern passports could be used somehow without revealing real
        | identity to the passport issuer too? It should not be possible to
        | know who issued the pseudonymous identity proof, but it should also
        | only be provable by me...
        
         | gruez wrote:
          | You can outsource it to something like Authy, which is still
          | SMS-based, but gets disabled if you install their app. They
          | also claim that they can detect number porting attacks, so that
          | might be marginally better.
         | 
         | >Maybe some pseudonymous proof using cryptographic functions of
         | modern passports could be used somehow without revealing real
         | identity to the passport issuer too?
         | 
          | You can still lose your passport. It's less likely than losing
          | your phone, but still. Also, to access the cryptographic
          | functions of a passport, you probably need an NFC reader, which
          | isn't exactly accessible.
        
       | jeremynixon wrote:
       | This is a deep violation that makes every user of 2fa _unsafe_. A
       | mere $250 million? This needs to be the kind of violation that
       | endangers the company. It's not a mistake or honest error when
       | 2fa phone numbers are used for advertising. This is malicious.
       | Should be scaled to 100X the amount the company gained in
       | advertising for the violation.
        
         | Silhouette wrote:
          | > This is a deep violation that makes every user of 2fa
          | > _unsafe_.
         | 
         | It's certainly a violation of trust that could make people less
         | likely to volunteer extra information for 2FA that could be
         | used against them, even if it might also make them safer. For
         | that alone, wilful violations ought to be treated as a serious
         | breach under data protection laws.
         | 
         | The number of important financial services I use that now
         | insist on phone numbers for 2FA is getting irritating, too.
         | Apparently in some cases it's been prompted by the changes in
         | EU rules under PSD2, but as with almost everything else I've
         | come across so far under PSD2, I'm not sure how much safer it
         | will really make anyone. At least those financial services --
         | and my government, which is the other organisation I see doing
         | this routinely now -- probably aren't going to use the contact
         | information for anything other than the 2FA they claim, though.
        
         | 1vuio0pswjnm7 wrote:
         | I don't have the citation but I recall a researcher who was
         | studying this practice. He suggests that these requests for
         | "factors" will continue to escalate to the point of absurdity.
         | The sales pitch to the user is essentially "The more we know
         | about you, the more we can protect you." However, if the user
         | is seeking protection from others who are trying to discover
         | her personal details, then this continual "full disclosure" to
         | each tech company is counterproductive.
         | 
          | This sort of nonsensical reasoning has also been used by
          | individuals portraying themselves as "whitehats" who try to
          | profit from large leaks of personal data. Users are asked to
          | provide personal data in order to confirm whether their personal
          | data has been leaked.
        
         | WrtCdEvrydy wrote:
         | Should be 1 million per user per text message sent out.
         | 
         | Trust me, if our agencies had teeth, and executed a corporation
         | for shit like this, we'd have a better technology ecosystem.
        
           | edmundsauto wrote:
           | Similarly, if we executed every criminal who is convicted of
           | a violent crime, we would have far fewer violent criminals.
        
         | noscrewstoyous wrote:
         | You shouldn't use a phone number for 2fa to begin with, you'd
         | be better off without 2fa if that's the only option IMO
         | (assuming you're using a strong unique password). This is just
         | more fuel on that fire.
        
           | moscovium wrote:
           | Remember when Jack Dorsey had his SIM attacked for the 2fa?
        
           | diabeetusman wrote:
           | 2FA with SMS protects against password reuse or leaks. It's
           | my understanding that SMS is weak against attacks targeted at
           | particular people while being sufficiently strong for the
           | majority of cases.
        
             | thephyber wrote:
             | SS7 attacks scale better. SIM cloning is a lot of effort
             | just to compromise a single SMS number.
             | 
             | In general, SMS is better than no 2FA, but it's weaker than
             | OTP/OTH or a token like YubiKey or Titan.
        
         | amznthrwaway wrote:
         | 1) it doesn't make every user of 2fa unsafe. Don't be absurd.*
         | 
         | 2) $250MM is 10% of their annual revenue. That's extremely
         | meaningful.
         | 
         | If you want an example of an overly light fine, this is not it.
         | 
         | * yes, I know that you will argue, in bad faith, using some
         | absurd definition of the word 'unsafe', but it simply isn't the
         | case.
         | 
         | unsafe is what happens in places (like HN) where the moderators
         | welcome white supremacists and other people who want to
         | exterminate a portion of the population. unsafe is not an
         | unwanted text ad.
        
       ___________________________________________________________________
       (page generated 2020-08-04 23:00 UTC)