This is the week's free edition. Enjoy and consider subscribing.
Twitter violated the FTC Act and a consent order in deceptively obtaining the phone numbers and email addresses of 140 million people for targeted advertising.
The United States (U.S.) Federal Trade Commission (FTC) and U.S. Department of Justice reached a settlement with Twitter requiring the company to pay $150 million in fines and institute a range of new security and privacy practices, that modify or are in addition to those in the 2011 FTC consent order. The U.S. government claimed that the social media platform collected phone numbers or email addresses from users for a variety of legitimate functions like multi-factor authentication and the like. However, the company then sold access to the email addresses and phone numbers to advertisers to allow them to compare against their lists of email addresses and phone numbers. Twitter also permitted advertisers to utilize lists of email addresses and phone numbers from data brokers for purposes of matching those obtained by Twitter. In light of Twitter’s advertising revenue, this fine seems small.
In October 2019, Twitter posted on its platform:
Subsequently, the FTC started investigating. The company was already under a consent order from 2011 that “resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information” according to the agency’s statement. The FTC added “serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.”
Twitter was not fined because for the FTC cannot seek civil fines for violations of Section 5 of the FTC Act. Moreover, “big tech” was seen differently under the Obama Administration as part economic engine and part magicians for the free products and services they brought to Americans. In any event, entry of a consent order does trigger the FTC’s civil fine authority for violations of the terms of such an order, which is where Twitter found itself. At present, the FTC can seek more than $46,000 per violation and according to the complaint, Twitter deceived 140 million users, and so the company faced liability far in excess of its net worth (more than $6.5 trillion.)
In mid-2020, there were signs that the company was negotiating with the FTC and was close to a final deal. In its U.S. Securities and Exchange Commission filing from the third quarter of 2020, Twitter revealed it had been sent a draft FTC complaint and its fine for “unintentionally” using phone numbers and email addresses for advertising may be between $150 million and $250 million:
On July 28, 2020, the Company received a draft complaint from the Federal Trade Commission (FTC) alleging violations of the Company’s 2011 consent order with the FTC and the FTC Act. The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019. The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million….The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.
And, now nearly two years later, the U.S. government and Twitter have settled with a fine on the lower end of what Twitter predicted and an augmented consent order that imposes new security, data, and privacy responsibilities on the company.
The FTC and DOJ detail Twitter’s conduct in some detail, but the heart of the DOJ’s complaint is this:
Twitter has prompted users to provide a telephone number or email address for the express purpose of securing or authenticating their Twitter accounts. However, through at least September 2019, Twitter also used this information to serve targeted advertising and further its own business interests through its Tailored Audiences and Partner Audiences services. For example, from at least May 2013 until at least September 2019, Twitter collected telephone numbers and email addresses from users specifically for purposes of allowing users to enable two-factor authentication, to assist with account recovery (e.g., to provide access to accounts when users have forgotten their passwords), and to re-authenticate users (e.g., to re-enable full access to an account after Twitter has detected suspicious or malicious activity). From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services.
In other words, Twitter said a phone number or email address was necessary to secure one’s account, but the company also used them to sell advertising without telling people of this secondary use.
The FTC has long punished companies for failing to disclose what they do with user and customer personal data. It is a cardinal principle of the agency’s body of privacy and data security case law that companies must honor their commitments to people and cannot act in contravention of these commitments. At no point did Twitter tell people that the phone numbers and email addresses they were prompted to submit for MFA, account recovery, or account re-authorization were also being made available to advertisers. Hence, this conduct violated Section 5 of the FTC Act. Had Twitter disclosed that email addresses and phone numbers were to be used for targeted advertising, the company would likely not have violated the FTC Act.
Moreover, with this conduct, it should be add that Twitter also violated its commitments under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
It bears note that in an FTC blog post on the general principles one may draw from the settlement, the agency stresses that burying disclosures in lengthy notices may not suffice to avoid a deceptive acts action:
Generic, broad claims buried in a lengthy document do not override more specific, just-in-time statements made to consumers specifically in the context of when they are providing their information – in this case, about the use of contact information for security purposes. If a company says at the point of collection that consumers’ information will be used for a particular purpose, consumers should be able to rely on that promise.
As noted the company will pay $150 million, a fine if levied ten years ago would have been earthshaking. Now it seems small. As for the backdrop on how this fine was calculated, the DOJ asserted that “of the $3.4 billion in revenue that Twitter earned in 2019, $2.99 billion flowed from advertising.”
Additionally, for some reason, the DOJ omitted the considerable advertising revenue throughout the 2013-2019 period:
§ 2013: $594 million
§ 2014 $1.255 billion
§ 2015 $1.994 billion
§ 2016: $2.248 billion
§ 2017: $2.109 billion
§ 2018: $2.617 billion
In total, Twitter earned $13.807 billion from advertising during the period of the alleged wrongdoing. But, the company only cleared $362 million in total profit during this period and only starting to show profits in 2018 and 2019. In light of the profit and loss numbers, perhaps the DOJ and FTC decided to ask for a more modest fine than the advertising revenue would suggest is appropriate.
There is also the issue of how much of Twitter’s advertising revenue came from its Tailored Audiences and Partner Audiences services. The DOJ’s complaint does not have this information, and I could not locate data in the 10-K’s to disaggregate revenue from those two sources as opposed to Twitter’s other advertising revenue streams (e.g. Promoted Tweets.) And yet, conceivably the DOJ and FTC could have requested and received more detailed information on earnings from Tailored Audiences and Partner Audiences.
Nonetheless, in light of this type of revenue, how significant is a $150 million fine? In the same way the FTC’s fine of $5 billion for the Cambridge Analytica scandal sounded immense, in the context of the company’s earnings from the previous year of more than $80 billion, it seems less significant. The same seems true here. Moreover, the agency could have levied a higher fine, say $500 million, that would have stung the company, provided deterrence to other companies, and would not have bankrupted Twitter.
Twitter has additional compliance mandates as part of the settlement. The FTC and DOJ did not released the new Decision and Order, however. Thus, one must depend on the summary in the press release on what the new mandates would do:
§ prohibit Twitter from profiting from deceptively collected data;
§ allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
§ notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
§ implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
§ limit employee access to users’ personal data; and
§ notify the FTC if the company experiences a data breach.
A number of these sorts of provisions are standard in the FTC’s recent consent orders. It is likely the period of the consent order was changed, as has happened in the past. The 2011 order was set to run through 2031. It is my guess the new order will run through 2042. As always, there are questions about how well the agency can monitor companies under consent orders given its resource constraints.
Normally, the statements of the FTC Commissioners would be of interest but not necessary to analyzing a settlement. In this case, the two Democrats and two Republicans engaged in a spirited debate over the settlement with the latter quoting former Commissioner Rohit Chopra’s statements about the Facebook settlement to implicitly criticize the Twitter settlement.
Commissioners Christine S. Wilson and Noah Joshua Phillips asserted “[t]he new Twitter order employs the model that the FTC has built during two decades of vigorous privacy and data security enforcement.” They claimed this is why “it provides meaningful and effective relief.” Wilson and Phillips go on to reference and quote Chopra’s statements in the most recent Facebook case, the YouTube case, and the Zoom case by way of critiquing the settlement they voted for. They noted that the Twitter settlement does not require the company’s executives to accept blame personally, that the company disgorge algorithms based on the fraudulently obtained data, or change Twitter’s business model. Chopra called for these, and other steps, in advocating for stronger FTC settlements. Wilson and Phillips took the occasion of this 4-0 settlement decided before Commissioner Alvaro Bedoya was sworn in as an opportunity to try to persuade the new majority from imposing settlements along the lines that Chopra called for:
We hope that the bipartisan approval of this order, one very much in line with prior orders, signals the beginning of a more constructive dialogue about how to continue refining our enforcement program. If this case can close the door on unfounded and gratuitous attacks on the FTC’s privacy enforcement program, that closure would serve consumers, provide clarity to stakeholders, and advance the mission of the agency.
FTC Chair Lina Khan and Commissioner Rebecca Kelly Slaughter did not deign to respond in the body of their statement, and in a footnote, they batted aside Phillips and Wilson’s criticisms:
Our colleagues Commissioners Wilson and Phillips invite a framework of comparing enforcement resolutions in two entirely different matters—an exercise that the defense bar also frequently demands. We respectfully reject this invitation. No two law violations—or law violators—are exactly alike. Every potential action the Commission takes, whether it is to litigate or to weigh the merits of a proposed settlement, is distinct and requires close and careful consideration of several factors, including: the alleged violations, the effect of those violations on consumers and markets, the structure and incentives of the defendant’s business model, the defendant’s past history of lawbreaking, the ability of the order to affect specific and general deterrence, and the resources of the Commission. Charting and tallying may have some visual appeal, but it is no substitute for case-by-case analysis, nor can it make apples-to-apples out of oranges and bananas.
And so, in short, Khan and Slaughter do not seem persuaded by Wilson and Phillips. They seem to be reserving the right to seek to impose more severe terms in a settlement should a company’s conduct warrant it.
And, one cannot help but speculate about the timing of the settlement given that Elon Musk and his co-investors are on the verge of taking over the company. Was there pressure on the FTC and DOJ to complete negotiations with the outgoing leadership? Did the company want to “sandwich” the bad news of settling violations of U.S. law between the hype of Musk’s announcement and the endgame of closing the deal?
The United Kingdom’s (UK) Competition and Markets Authority (CMA) launched a “second investigation into Google’s practices in ad tech, following launch of probe into Google and Meta’s ‘Jedi Blue’ agreement.”
The European Commission issued a new question and answer document on the two new “sets of standard contractual clauses, one for the use between controllers and processors within the European Economic Area1 (EEA) and one for the transfer of personal data to countries outside of the EEA.”
The Office of the Privacy Commissioner of Canada (OPC) released an opinion it commissioned that found that C-11 - the Digital Charter Implementation Act, 2020 is constitutional. The OPC noted “[t]his opinion recognizes that Bill C-11 died with the dissolution of Parliament. Although the Federal Government has not introduced a new Bill implementing the Digital Charter, the Prime Minister issued a mandate letter to Minister Champagne (Minister of Innovation, Science and Industry) instructing him to "introduce legislation to advance the Digital Charter, strengthen privacy protections for consumers and provide a clear set of rules that ensure fair competition in the online marketplace."
The United States (U.S.) Consumer Financial Protection Bureau (CFPB) published “a Consumer Financial Protection Circular to remind the public, including those responsible for enforcing federal consumer financial protection law, of creditors’ adverse action notice requirements under the Equal Credit Opportunity Act (ECOA)” that “confirmed that federal anti-discrimination law requires companies to explain to applicants the specific reasons for denying an application for credit or taking other adverse actions, even if the creditor is relying on credit models using complex algorithms.”
The White House’s National Artificial Intelligence Research Resource (NAIRR) Task Force submitted its interim report to President Joe Biden and Congress that “lays out a vision for how this national cyberinfrastructure could be structured, designed, operated, and governed to meet the needs of America’s research community” per the White House’s press release.
The European Data Protection Supervisor (EDPS) issued “its Opinion concerning the EU’s participation in the United Nations’ negotiations for a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (the future UN convention on cybercrime)…[including] recommendations to ensure that the future UN convention upholds individuals’ data protection and privacy rights according to EU law.”
United States (U.S.) Senate Homeland Security and Governmental Affairs Committee Gary Peters (D-MI) released “a new report detailing the results of his investigation into the role cryptocurrencies continue to play in emboldening and incentivizing cybercriminals to commit ransomware attacks that pose an increasing national security threat.”
The Australian Signals Directorate (ASD) published its Annual Report for 2020–21 and found that “Australia was targeted by a range of actors who conducted persistent cyber operations that posed significant threats to Australia, and observed an increase in the speed with which malicious actors have researched and then pivoted to exploit publicly-released vulnerabilities.”
The United Kingdom’s (UK) Department for Digital, Culture, Media & Sport (DCMS) announced that “it is seeking views on how to boost the security and resilience of the UK’s data centres and online cloud platforms.”
The United States (U.S.) Federal Communications Commission (FCC) announced “that it has received requests for $2,814,736,532 in the third application filing window of the Emergency Connectivity Fund program to fund 5,120,453 connected devices and 4,285,794 broadband connections.”
The United States (U.S.) Consumer Financial Protection Bureau (CFPB) announced that it “is opening a new office, the Office of Competition and Innovation, as part of a new approach to help spur innovation in financial services by promoting competition and identifying stumbling blocks for new market entrants.”
The United Kingdom’s (UK) Department for Business, Energy & Industrial Strategy announced that the “acquisition by Nexperia of Newport Wafer Fab has been called-in for a full national security assessment.”
Tweet of the Day
“Broadcom to Acquire VMware in $61 Billion Enterprise Computing Deal” By Nico Grant and Lauren Hirsch — New York Times
“Twitter investors sue Elon Musk over stock manipulation claims” By J. Fingas — Endgadget
“China seeks Pacific islands policing, security cooperation -document” By Kirsty Needham — Reuters
“Meta accuses Apple of 'self-serving tactics' on gaming app restrictions” By Nick Statt — Protocol
“The Mystery of China’s Sudden Warnings About US Hackers” By Matt Burgess — WIRED
“Internet Drama in Canada. (Really.)” By Shira Ovide — New York Times
“Pakistan shuts down internet ahead of protests over ousting of prime minister” By Jonathan Grieg — The Record
“Hacker Steals Database of Hundreds of Verizon Employees” By Lorenzo Franceschi-Bicchierai — Vice
“Inside the Government Fiasco That Nearly Closed the U.S. Air System” by Peter Elkind — ProPublica
“Spain’s PM vows to reform intelligence services following phone hacking scandal” By Emma Vail — The Record
“Trans woman's photo used to spread baseless online theory about Texas shooter” By Jo Yurcaba, Ben Goggin and Ben Collins — NBC News
“Apple is raising its retail hourly starting salary to $22 and spreading anti-union messages” By Michelle Ma — Protocol
“Russian hackers are linked to new Brexit leak website, Google says” By Raphael Satter, James Pearson and Christopher Bing — Reuters
§ 26 May
o The United States (U.S.) House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee will hold a hearing titled “Legislative Hearing to Protect Consumers and Strengthen the Economy” regarding, among other bills, the "Securing and Enabling Commerce Using Remote and Electronic Notarization Act of 2021" (H.R. 3962) and the "Informing Consumers about Smart Devices Act" (H.R. 4081).
§ 8 June
o The United States (U.S.) House of Representatives Armed Services Committee’s Cyber, Innovative Technologies, and Information Systems Subcommittee will mark up its portion of the FY 2023 National Defense Authorization Act.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”
§ 23 June
o The United States (U.S.) House of Representatives Armed Services Committee will mark up the FY 2023 National Defense Authorization Act.
§ 19 October
o The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.”
§ 1 November
o The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.