Twitter admits that it shared some data with advertisers even without users giving their consent
The flaw largely targeted information of users who interacted with certain ads
Twitter said the flaw has been around since September 2018
Despite several incidents of data breaches, security flaws and vulnerabilities on their platforms, social media companies are always playing catch-up against the tools that hackers use. But when the privacy flaws result in the company itself violating its data-sharing rules, then no third-party or hacker can be held responsible. The same is true of Twitter, which has admitted that a bug in its platform resulted in the company inadvertently sharing user data with advertising and third-party partners.
The company tweeted about the flaw last night and linked to a blog post that sought to explain how user information may have been shared without people’s permission. The shared information includes the country code of the user based on the disclosed location, their engagement levels with respect to the ads run by Twitter partners, and more information about the ad such as the brand and other qualities.
The flaw largely targeted information of users who interacted with certain ads, Twitter said in the blog post. “If you clicked or viewed an advertisement for a mobile application and subsequently interacted with the mobile application since May 2018, we may have shared certain data (e.g., country code, if you engaged with the ad and when, information about the ad, etc) with trusted measurement and advertising partners, even if you didn’t give us permission to do so.”
Twitter added that the inadvertent sharing has been occurring since September 2018. “As part of a process we use to try and serve more relevant advertising on Twitter and other services since September 2018, we may have shown you ads based on inferences we made about the devices you use, even if you did not give us permission to do so. The data involved stayed within Twitter and did not contain things like passwords, email accounts, etc.”
Consider the two highlighted segments above. How can data remain within Twitter and also be shared with advertising partners? Twitter also did not reveal how many users were affected or which brands and partners got the data that it shared inadvertently.
The company did not respond to Inc42’s query about the number of users affected in India and around the world, the brands and businesses that got access to the data, or how it explains the incongruity in the blog post about data remaining within Twitter but at the same time being accessible to “its trusted measurement and advertising partners” as it claims. Twitter said its response is limited to the blog post linked above.
Does Social Media Even Care About Privacy?
Ever since the Facebook-Cambridge Analytica scandal, which involved similar brokering of user data to third-party agencies and analytics companies, there is more vigilance about how social media platforms are giving their advertising and marketing partners access to user data. To be clear, the issue is not restricted to Twitter or Facebook: social networks such as Reddit and LinkedIn, and aggregation platforms such as Google as well as Amazon, also continue doing the same in different ways, with complicated privacy policies obfuscating the real nature of the data-sharing agreements. And that’s part of the problem — despite claiming to want to protect user privacy, these platforms have been caught time and again doing the opposite.
Google faces a litany of privacy violation complaints related to search tracking, location tracking without user consent — and even when users explicitly deny consent — and there’s also the question of how it tracks users even when they are in incognito mode. Amazon has still not revealed the extent of the damage of the last data breach in November 2018, when it recently leaked email addresses of millions of users. One can only presume that it’s millions of users because the company refuses to reveal the number. The tech giant denied that the data was accessed through a breach or hack, but that’s not the question. The question was who did Amazon expose these email addresses to? Amazon has never tried to respond to these questions.
In a similar fashion, Twitter’s blog post is casual in its tone, as if users should not concern themselves with such breaches of ethics and terms and conditions. “We are still conducting our investigation to determine who may have been impacted and if we discover more information that is useful we will share it,” it said, without specifying how many users were affected.
“What is there for you to do?” Twitter asks in a FAQ style, and answers the question with a nonchalant, “Aside from checking your settings, we don’t believe there is anything for you to do.”