The point of any service, free or otherwise, should be to deliver some kind of benefit to its users. If it doesn't do that, it has little reason to exist.
"Data harvesting," marketing and advertising are far from the only business reasons why a company might want to offer a free service.
From a business perspective, a free service might
- build goodwill for the company
- satisfy legal or government requirements
- save money on billing while increasing the value of other goods and services from the company
- enable the company to qualify for certain grants or subsidies
- support the creation and improvement of goods or services
(such as software) which the company uses
- enable the company to influence industry standards
- help to acquire future paying customers (e.g. by offering a free student or limited version which can be upgraded with additional paid features)
- help to compete against other companies that charge for the same service
- act as a loss leader to encourage sales of compatible companion products or accessories
In this case, Twitter was lying (or more generously, not being entirely truthful) with what they were using the data for. Some users may have chosen not to give up their phone number or email if they had known it would be used for advertising in addition to account security.
When signing up for a "free" service, I basically assume all data entered will be used for advertising / marketing purposes. This is a safe assumption to make.
I don't disagree, but I think we should still be able to get upset when a free service uses the data for something other than what they said it would be used for.
It's why I love GDPR. Since it requires explicit, opt-in consent, I can just register or visit a site and don't worry much - abuse of my data is a bigger risk to the service than it is to me.
In fact, prompting every time is also a red flag. They wouldn't be so desperate if providing the number was for your benefit as they claim (for "security", etc). The real reason they're so desperate is because it's for their benefit.
> Harvesting data and using it for marketing purposes?
Twitter's actions make everyone less secure. The next time an online service asks me to enable 2FA to protect my account, I'll have to consider whether the potential for abuse of my 2nd factor information is worth the additional risk to my account.
FIDO tokens (for U2F or WebAuthn) don't give the relying party anything valuable. If they literally publish everyone's parameters it makes essentially no difference to anything. It doesn't even mean they stop being useful for authentication.
Not allowing opting out of data collection is actually in breach of the GDPR, so actually in the EU you can not run a business for the sole purpose of stealing data.
"Data harvesting," marketing and advertising are far from the only business reasons why a company might want to offer a free service.
From a business perspective, a free service might
- build goodwill for the company
- satisfy legal or government requirements
- save money on billing while increasing the value of other goods and services from the company
- enable the company to qualify for certain grants or subsidies
- support the creation and improvement of goods or services (such as software) which the company uses
- enable the company to influence industry standards
- help to acquire future paying customers (e.g. by offering a free student or limited version which can be upgraded with additional paid features)
- help to compete against other companies that charge for the same service
- act as a loss leader to encourage sales of compatible companion products or accessories
etc.