Another one got exposed.
Twitter just paid a $150 million fine for collecting users' phone numbers under the pretext of "2 factor authentication" and then using those phone numbers to target users with advertisements (link). Facebook also was exposed for a similar offence a while back (link).
This may explain why Twitter requires users to give them a phone number when setting up two-factor authentication even if the user selects a different (i.e. non-phone) mode. The phone number is just too valuable an asset not to have!
(Well, this page suggests they stopped doing this but I am pretty sure something bad happened when I tried to remove the other methods.)
App business models rely on selling user data, which requires building trust with users. The leading tech companies have repeatedly betrayed our trust. The sad part is that when they have been caught red-handed, they all redouble their pledges, as Twitter did here, to "keep the information [users] share with us secure and respectful of their privacy", and then they mess up the first step of rebuilding trust - which is to come clean with the users.
According to Twitter, as with others before it, the phone numbers were "inadvertently used for advertising". So, no one decided to store the phone numbers in a database accessible to advertisers, no one decided to store those numbers in a format readable by advertising systems, no one in marketing is aware that phone numbers are the match keys to all kinds of third-party user data, no one in marketing wonders how they have phone numbers for most users (or noticed that the proportion of available phone numbers jumped after 2-factor authentication was launched), no one ran any A/B tests that included marketing outcomes as some of their objectives, ...
***
Lest you think Google is different. For months now, Gmail has been showing users the screen shown at right.
This screen has no escape button: no Xs, no "Do later", etc., and it blocks access to the inbox.
It also draws your attention to the yellow patch in which users are told they must give Google their date of birth for legal reasons.
Most users probably offered up their birthdays - without reading the fine print below.
The first part that roused my attention is "You can change this info". Hmm, if they needed the birthday for legal reasons, why would they let us know we can "change" it afterwards?
Then, reading backwards, I learned that "your age may be used for personalization across Google, including to make the ads you see more relevant to you".
In spirit, this is the same trick for which Twitter and Facebook paid fines. Personal data are collected for security (here, legal) reasons but are fed to the advertising division. (All these tech companies make money through advertising while offering us "free" services.)
The kicker is the line under the birthday entry form: "This won't make your birthday public". Apparently, the "public" does not include advertisers, who are not our friends, coworkers or even acquaintances.
The design of the interstitial has all the hallmarks of having been thoroughly A/B tested to drive maximum response rate - the lack of obvious escape routes, the misdirection to the yellow box, the reassuring note under the entry form, the fine print, etc.
***
Is it the user's fault that they don't read the fine print, and so are led to doing something they would not have wanted?
I actually think most users are fine with giving Google their birthdays (it'd be a huge surprise if Google hasn't already figured it out by other means). The problem is that tech companies rely on user trust to support their business models - and these designs and business practices undermine that trust.