Twitter was bought by Elon Musk in October for a cool $44 billion. The arrangement had a number of other benefits and drawbacks, but one resource has received little attention: a huge data-collecting network that connects the websites of more than 70,000 Fortune 500 corporations, governmental organizations, non-profits, colleges, and other institutions. How secure is all that data given Twitter’s history of security flaws?
According to a shocking new analysis from ad tech startup Adalytics, at least 70,772 websites are using a Twitter advertising tool called a pixel to send the company information about every person who visits their sites, even users who do not have Twitter accounts.
The Department of Homeland Security, the FBI, the Department of Education’s student assistance portal, Fortune 500 behemoths like Amazon, General Motors, and Pfizer, as well as healthcare providers like WebMD and UnitedHealth Group, are all included on the list.
Following Musk’s purchase of Twitter, General Motors, Pfizer, and other businesses claimed they stopped running advertisements there. However, they were still using the advertising pixel to transmit data to Twitter.
Organizations may be seriously endangering both themselves and their visitors by submitting data to Twitter. Twitter has a long history of security difficulties, including data leaks, hacking by foreign governments, and FTC fines.
Before Elon Musk fired more than half of Twitter’s personnel, including significant portions of its security team, the company’s previous head of security resigned from his position and filed a whistleblower complaint, accusing it of appalling security procedures.
That makes Twitter particularly troubling among a plethora of other internet businesses that collect data using comparable techniques.
The analysis also reveals that many websites haven’t taken the necessary security measures to protect themselves against supply chain and code injection attacks, which, if Twitter were compromised, could allow websites to be hijacked.
Twitter’s history of security issues and apparent lack of engineering staff make this an even bigger problem. For Fortune 500 businesses or FBI.gov, these types of attacks are a major concern because a third-party tool is compromised and then used to enter an organization’s systems.
Even though it’s implausible, comparable attacks have been made in the past. For example, the SolarWinds breach, which exposed much of the US government and business sector, used a similar approach.
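The article does not name the missing security measures. As an added example (not from the article or from Adalytics), the sketch below assumes they are Subresource Integrity on third-party script tags and a Content-Security-Policy that limits script sources, and audits one page for both. The tracker host suffixes and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: host suffixes used by Twitter's tag; the article does not list them.
TRACKER_SUFFIXES = ("ads-twitter.com", "analytics.twitter.com")

class ScriptAudit(HTMLParser):
    """Collect every external <script src> not served by the page's own host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlparse(page_url).hostname
        self.third_party = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return
        host = urlparse(urljoin(self.page_url, a["src"])).hostname or ""
        if host == self.page_host or host.endswith("." + self.page_host):
            return
        self.third_party.append({
            "host": host,
            "tracker": any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES),
            "sri": bool(a.get("integrity")),  # hash-pinned: a changed file is refused
        })

def csp_limits_scripts(csp_header):
    """True if the policy names script sources with no wildcard or inline escape."""
    policy = {}
    for directive in (csp_header or "").split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # first occurrence wins
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is not None and not {"*", "'unsafe-inline'"} & set(sources)

def audit(page_url, html, csp_header=None):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    unpinned = [s["host"] for s in parser.third_party if not s["sri"]]
    return {"third_party": parser.third_party, "unpinned": unpinned,
            "csp_limits_scripts": csp_limits_scripts(csp_header)}

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.ads-twitter.com/uwt.js" async></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body></body></html>"""
```

This only sees script tags present in the served HTML; a tag that an inline snippet injects at runtime has to be caught from browser network logs or CSP violation reports instead. A vendor-updated tag usually cannot be hash-pinned, which leaves the script-source policy as the control that still applies to it.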
The security, moral, and financial concerns associated with the pixels that run on their websites are something that, according to Franaszek, “many marketers privately acknowledge to having very little to no comprehension of.”
“This is something that the business trade associations and the advertising industry may look at correcting through improved training programs.”
Twitter reserves the right to use all of the data advertisers provide for additional business purposes, although advertisers can activate a special Twitter privacy setting called Restricted Data Usage (RDU).
With this option, “an advertiser can restrict Twitter’s usage of individual-level conversion events for specified business goals only on that advertiser’s behalf.” The great majority of websites employing the pixel don’t have that option turned on, thus Twitter is free to use the data any way it sees fit.
Every website that does not make use of this RDU function may be enabling Twitter to combine and reuse that advertiser’s online traffic data for other purposes, according to Franaszek.
There is a clear privacy ick factor at play here. According to Krzysztof Franaszek, the creator of Adalytics, for many users there may not be an immediate danger in Twitter maintaining an archive of part of their web browsing information.
The possibility that the information Twitter has gathered about them will be used by a third party, he added, is “probably one of the most immediate concerns” for “certain individuals with a heightened personal risk profile—such as human rights activists, journalists, or members of persecuted minorities.”
Amazon, General Motors, the FBI, Pfizer, United Health Group, the US Department of Education, the US Department of Homeland Security, and WebMD could not be reached for comment right away. After Musk’s massive layoffs, Twitter no longer has a communications division. The company did not respond to a request for comment.
The fact that so many businesses are providing information to Twitter may seem unusual to someone who isn’t familiar with how websites operate, but this is a common practice online. Advertisers who use platforms like Twitter, Meta, and Google install the so-called pixels and other trackers those platforms offer.
The trackers gather information about website visitors who interact with the advertisers, and the tech platforms analyze that information to determine the most effective target audiences for advertising and how well ad campaigns are performing.