For six years, from 2013 to 2019, social media platform Twitter misused personal details of its users such as phone numbers and email addresses for targeted advertising. Twitter had sought personal details from users to put in place a more secure experience by way of two-factor authentication.
This misuse of data is likely to cost Twitter at least $150 million (more than Rs 11 billion, $=Rs 74.86) as this is not the first time that it has misused users’ data surreptitiously.
This has been revealed by the company itself in its latest regulatory filing, which it made with the United States Securities and Exchange Commission (SEC) on 3 August. Twitter has not given any numbers in the filings as to how many Indian users were impacted by this data misuse. It is the second time in the last 10 years that Twitter has done something like this.
When The Sunday Guardian reached out for a response, Twitter refused to share the number of users from India—which is its third largest user-based market after the US and Japan—who were affected by this data misuse.
As per the filings with the SEC, Twitter has stated that it had received a draft complaint from the United States’ Federal Trade Commission (FTC) on 28 July 2020, alleging violations of Twitter’s 2011 consent order with the FTC.
In this draft complaint, the FTC has stated that Twitter used phone number and/or email address data provided for safety and security purposes, for targeted advertising during the periods between 2013 and 2019. As per Twitter’s admission to its investors, it was likely to take a loss of a massive $150.0 million to $250.0 million (Rs 18 billion) in the matter as the result of a fine that is likely to be imposed by the FTC.
The March 2011 consent order, which has been referred to in the draft complaint, came into existence when the FTC finalised a settlement with Twitter after it emerged that Twitter had “deceived consumers and put their privacy at risk by failing to safeguard their personal information”.
In this incident, as per the FTC, serious lapses in Twitter’s data security had allowed hackers to obtain unauthorised administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.
In this misuse that took place between July 2006 and July 2009 (Twitter started operating in March 2006), Twitter granted almost all of its employees the ability to exercise administrative control of the Twitter system, including the ability to reset a user’s account password, view a user’s non-public tweets and other non-public user information, and send tweets on behalf of a user.
In the consent order, as per the FTC’s press release, Twitter was barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of non-public consumer information, including the measures it takes to prevent unauthorised access to non-public information and honour the privacy choices made by consumers. It was also required to establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.
What information does Twitter collect without making it public?
As per Twitter’s own admission, it collects certain information from each user that it does not make public. This information includes: an email address, Internet Protocol (“IP”) addresses, mobile carrier or mobile telephone number (for users who receive updates by phone), and the username for any Twitter account that a user has chosen to “block” from exchanging tweets with the user. This non-public information (collectively, “non-public user information”) cannot be viewed by other users or any other third parties, but—with the exception of IP addresses—can be viewed by the user who operates the account.
The Sunday Guardian reached out to senior officials of the Ministry of Electronics and Information Technology (MeITY), including Ajay Prakash Sawhney, Secretary, and Dr Rajendra Kumar, Additional Secretary (cyber security, data-governance), seeking their response on whether they were aware of the FTC complaint and whether Twitter has shared the details of Indian users whose data was compromised, with the ministry.
There was no official response received from the ministry. However, ministry officials, not authorised to speak to the media, told The Sunday Guardian that the matter had been taken cognizance of and pertinent directions were going to be issued. “No company or organisation will be allowed to misuse data of Indians and we are already working on a policy to safeguard such misuse,” a ministry official said.
It is pertinent to mention that the Ministry of Home Affairs (MHA), in 2016, had asked Twitter to place its server in India. However, that order is yet to be complied with. Despite India having the third largest number of users, Twitter has only accepted 5% of the requests for information made by Indian officials seeking information about Twitter users and their activities. The corresponding figure for the US and Japan, the two countries that occupy the top two positions when it comes to users, was more than 50%. The Sunday Guardian had recently done a report on this (Twitter barely replied to Indian information requests).
The Sunday Guardian also reached out to Twitter with the following questions:
- Twitter is being investigated by the Federal Trade Commission of the US government for improper use of Twitter users’ personal information. Were the data of Indian users, too, misused in this incident?
- Has Twitter informed the Government of India as per the established rules about the data breach and subsequent misuse? If yes, when was this information shared?
- The MHA had requested Twitter to maintain its servers in India in 2016. Has the request been complied with? If yes, when was this done? If not, has the reason for not doing so been shared with the Indian government?
In its response, a Twitter spokesperson stated, “Our investigation and cooperation with law enforcement continues, and we remain committed to sharing updates (on the issue). We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.”
No response was shared by Twitter on whether it had informed the Government of India or if the data of Indian users were misused in the present instance or whether it had shifted the servers, as the MHA had directed it in 2016, to India or not.