In October, Elon Musk purchased Twitter for a cool $44 billion. Among a variety of other assets and headaches, the deal came with one resource that’s gone under-explored: a vast data collection network spanning the sites of more than 70,000 Fortune 500 companies, government agencies, non-profits, universities, and more. Given Twitter’s history of security lapses, how safe is all that data?
At least 70,772 websites are using a Twitter advertising tool called a pixel to send the company information about every person who visits their sites, even people who don’t have Twitter accounts, according to a bombshell new report from Adalytics, an ad tech firm. The list includes the websites of government agencies—the Department of Homeland Security, the FBI, the Department of Education’s student aid portal—Fortune 500 behemoths—Amazon, General Motors, Pfizer—and health care companies like WebMD and UnitedHealth Group. General Motors, Pfizer, and other companies that claimed they pulled their ads from Twitter after Musk’s takeover continued to send Twitter data using the advertising pixel.
By sending data to Twitter, organizations may be putting themselves and their visitors at serious risk. Twitter has a lengthy history of data breaches, infiltration by foreign governments, and fines for security issues by the FTC. Most recently, Twitter’s former head of security resigned and filed a whistleblower complaint accusing the company of disastrous security practices—and that was before Elon Musk laid off over half of Twitter’s staff, including swaths of its security team. That makes Twitter particularly concerning among the host of other tech companies that collect data using similar means.
The report also finds that many websites haven’t taken the proper precautions to avoid cyber threats known as supply chain and code injection attacks, which could allow websites to be hijacked if Twitter were compromised. That’s an even bigger issue due to Twitter’s history of security problems and apparent lack of engineering staff. In such attacks, third-party tools are compromised and used to infiltrate an organization’s systems, a serious threat when you’re talking about Fortune 500 companies or FBI.gov. It’s unlikely, but this kind of attack has happened before, and a similar mechanism led to the SolarWinds hack, which compromised much of the US government and private sector.
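The precaution the report says many sites skip is limiting what a third-party script can do if its host is compromised. The following audit script is an added example (not from the report or from Twitter) that parses a page and flags scripts loaded from other origins without a Subresource Integrity hash, plus inline snippets that inject a loader at runtime, which is how advertising pixels typically bootstrap and which SRI cannot cover at all. The sample HTML and the tracker hostname are constructed placeholders.

```python
"""Audit a page's <script> tags for third-party loaders that lack SRI."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: inline code that builds a <script> element at runtime, the way
# most advertising pixel snippets bootstrap their loader.
DYNAMIC_LOADER = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")


class ScriptAuditor(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []
        self._in_script = False

    def _is_third_party(self, src):
        host = urlparse(src).hostname  # None for relative paths like /app.js
        return (host is not None and host != self.first_party_host
                and not host.endswith("." + self.first_party_host))

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        a = dict(attrs)
        src = a.get("src")
        if src and self._is_third_party(src):
            # External code from another origin: if that origin is compromised,
            # only an integrity hash lets the browser reject a swapped file.
            self.findings.append({"kind": "external", "src": src,
                                  "has_sri": "integrity" in a})

    def handle_data(self, data):
        if self._in_script and DYNAMIC_LOADER.search(data):
            # Dynamically injected scripts cannot carry SRI; only a
            # Content-Security-Policy script-src allowlist constrains them.
            self.findings.append({"kind": "dynamic-loader", "src": None,
                                  "has_sri": False})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_scripts(html, first_party_host):
    auditor = ScriptAuditor(first_party_host)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page; example.org is the first party, the tracker host is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/vendor.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://pixel.tracker-placeholder.example/tag.js"></script>
<script>var s=document.createElement('script');s.src='https://pixel.tracker-placeholder.example/loader.js';document.head.appendChild(s);</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, "example.org"):
        print(finding)
```

Run against a real page, the two finding kinds point at the two fixes: add `integrity` to static third-party scripts, and add a `script-src` allowlist for the dynamic loaders that cannot be pinned.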
“Many marketers privately admit to having very little to no understanding of the security, ethical and business risks of the pixels that run on their websites,” said Krzysztof Franaszek, founder of Adalytics. “This is something the advertising and corporate trade groups may look at remediating through better training programs.”
Twitter reserves the right to use all of the data it receives from advertisers for other business purposes, but advertisers can enable a special Twitter privacy setting called Restricted Data Usage (RDU). That setting “enables an advertiser to limit Twitter’s use of individual-level conversion events for specific business purposes only on that advertiser’s behalf.” The vast majority of websites using the pixel don’t have that setting enabled, leaving Twitter free to do as it wishes with the information.
“There is a possibility that every website that does not use this RDU feature is allowing Twitter to co-mingle and reuse that advertiser’s web traffic data for other purposes,” Franaszek said.
There’s an obvious privacy ick factor here. But for many people, there may not be an immediate threat to Twitter holding an archive of some of their web browsing data, Franaszek said. However, “for certain individuals with a heightened personal risk profile—such as human rights activists, journalists, or members of persecuted minorities—the chance that the data Twitter has collected about them being used by a 3rd party is probably one of the most immediate concerns,” he said.
Amazon, General Motors, the FBI, Pfizer, UnitedHealth Group, the US Department of Homeland Security and WebMD could not immediately be reached for comment. Twitter, which doesn’t have a communications department after Musk’s mass layoffs, didn’t respond to a request for comment.
If you aren’t focused on the inner workings of websites, it may seem strange that so many companies are sending data to Twitter, but it’s standard practice online. Advertisers who use platforms like Twitter, Meta, and Google use so-called pixels and other trackers provided by those companies. The trackers collect data about people who visit the advertisers’ websites, and that data is analyzed by the tech platforms to identify the right people to show ads to, and analyze how well ad campaigns are working.
In Twitter’s case, the pixel is designed to measure the actions people are taking on a website, like clicking on certain links, or engaging with particular pieces of content. Pixels can collect unique strings of letters and numbers that identify individual people, email addresses, IP addresses, and other details about a user’s device. That information is sent along with the URL of the page a person is looking at. In cases like a website about health issues (WebMD, perhaps?), that can include highly sensitive search history.
When I wrote about a similar phenomenon with websites sending data to TikTok in September, several organizations said they didn’t realize their sites were configured to share the data. Marketing departments or website developers sometimes load up tracking tools without alerting other divisions of a company, and sometimes they just get forgotten and run in the background.
Not every Twitter advertiser sends the company data. The report finds that none of Apple’s websites contain Twitter pixels, despite the fact that the iPhone maker spends millions of dollars advertising on the platform. The same goes for the websites of other companies owned by Apple, including Shazam and Beats by Dre. The report also notes that Musk’s other companies, SpaceX and Tesla, don’t use the pixel either, despite the fact that SpaceX recently purchased at least $250,000 of Twitter ads.
Update 12/08/21, 9:20 a.m. ET: This story has been updated with a comment from the Department of Education.