Twitter recently revealed to its users that their privacy settings may not have been protecting their data from Twitter’s ad partners, which constitutes a breach of privacy. “[W]e recently found issues where your settings choices may not have worked as intended,” Twitter wrote in a report. These issues were fixed on August 5, 2019. According to Twitter, the privacy breach was the result of two bugs.
The first bug pertains to ad conversions. If you clicked on any mobile app advertisement on the Twitter platform and then interacted with the mobile app between May 2018 and August 2019, Twitter may have shared “certain data” with its ad partners regardless of your privacy settings. Technically speaking, “interaction” is a broad term: it can include installs, signups, logins, searches, etc. These conversion events are assigned to the conversion_type in Twitter’s mobile measurement API. This data is then shared with ad partners, who can track the conversion rates of their advertisements. Although Twitter’s API doesn’t give an ad partner access to usernames or emails, it still allows the partner to receive a unique identifier that they can then use to track activity in order to perform targeted advertising. As you’ll soon find out, Twitter also receives data from its ad partners to aid its own targeted advertising.
Targeted advertising leads us to Twitter’s second bug: Twitter used its inference system to serve “relevant” ads to all of its users, ignoring their privacy settings. This is how Twitter explains its inference-based advertising:
When you log in to Twitter on a browser or device, we associate that browser or device with your Twitter account. Whether or not you are logged in to Twitter, we may also receive information about your browsers or devices when, for example, that information is shared by a partner; you visit twitter.com; you visit third-party websites that integrate Twitter content; or you visit a Twitter advertiser’s website or mobile application. We may use this information, most commonly IP addresses and the time at which the information was received, to infer that certain browsers or devices are associated with one another or with your account.
Within the same post, Twitter mentioned its “commitment to providing meaningful privacy choices.” Yet for at least a year it never tested whether its inferred-identity advertising strategy restricted these choices. Although the privacy breaches seem unintentional, they still violate GDPR’s privacy rules, which can result in fines. Twitter has not yet said when it first discovered the privacy breaches. The social media giant also has no information about the number of users who were affected. We can probably expect more information to come out in the following days.