Mastodon Kuan0: Twitter's 2FA login verification: more security, less privacy from Twitter?

Monday 17 June 2013

Twitter's 2FA login verification: more security, less privacy from Twitter?

Twitter's recent rollout of two-factor authentication (which it called 'login verification') may help a bit (not necessarily!) to protect your Twitter account against being hacked. But beware - it will give Twitter rights to use your mobile phone number, even if you don't tweet using your smartphone.

This is why. When you go to your Twitter account settings and scroll down to Account security, it says you must add a phone to your Twitter account in order to require a verification code for sign in:

image

Notice that Twitter's "add a phone" page says nothing about what Twitter can do with your mobile or cellphone number:

image

So let's look at Twitter's privacy policy to see what they can do with your mobile number

image

The relevant parts, highlighted above, are these:

"You may provide information to customize your account, such as a cell phone number for the delivery of SMS messages. We may use your contact information to send you information about our Services or to market to you."

and

"We may use your contact information to help others find your Twitter account, including through third-party services and client applications. Your account settings control whether others can find you by your email address or cell phone number."

In other words, these mean that, if you give your mobile phone number to Twitter, intending it to be used only for security purposes:

  1. Twitter can use it to market to you eg send you marketing SMS text messages!
  2. Twitter can use it to help other people track you down on Twitter if they know your phone number (even if you tweet using a pseudonym), unless you disable that in your account settings. But how? I have no idea, as I've not added my phone to Twitter, precisely for these two reasons. The settings I can see without adding my number don't seem to disallow others from finding me via my mobile number. There's an Account setting that says 'Let others find me by my email address', but not one that says 'Let others find me by my phone number'. Does that setting deal with both? I've no idea - it's not clear.

The good news is that it seems Twitter will limit sharing or giving your phone number to anyone else:

image

There's still the caveats though - unless required by law, etc etc.

Let's contrast this with Yahoo!'s practice:

image

The outlined text says, about your phone number: "We'll keep it secure and only text you if you need help with your account".

So Yahoo! get points for saying, at the point they ask for your number, that they won't use your number to market to you. But, they lose points for not making it clear whether they may share or give your number to others. Their privacy policy, like Twitter's, says they'll limit sharing - unless there are court orders or 'to establish or exercise our legal rights or defend against legal proceedings', or 'We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use, or as otherwise required by law', etc.

Now consider Google's similar procedure:

image

This says that "Google will only use this number for account security". Yeeesss! That is exactly what someone who is privacy-conscious like me wants. Although Google introduced 2-factor authentication some time ago, I didn't sign up for it until Google started displaying this message, and now I have. Maybe Google are finally learning to try to be a little more privacy-friendly, after the Buzz and Safari debacles.

But much as I'd like to use 2FA for Twitter, I'm not giving Twitter my mobile number, no way no how - not until Twitter emulates Google and assures me that my number will be used only for authentication and other security purposes. Only. Given the recent opinion on purpose limitation from EU privacy regulators the Article 29 Working Party, doing that would seem to be a sensible move on Twitter's part.