On Tuesday, Twitter disclosed that it may have shared data on users with advertising partners, even if they have opted out from personalised ads, and shown people ads based on inferences made about the devices they use without permission. According to Twitter, the issue was fixed on Monday, even though it is not yet clear how many users have been affected.

This is not the first time that Twitter has had to admit that it leaked user data to advertisers. In May 2019, the social network disclosed a bug that resulted in an account’s location data being shared with a Twitter ad partner, in certain circumstances.

Questions about GDPR compliance

Companies like Twitter collect vast amounts of data about user behaviour, both on Twitter and across the web on other websites and apps. This data is used to profile users, infer their interests, and show them highly targeted ads (called "promoted stories" on Twitter). Twitter allows users to decide if they want tracking data from other websites and apps to be used for targeted ads. Now the company has had to admit that, since September 2018, it may have served targeted ads that used inferences made about the user’s interests based on tracking their wider use of the Internet — even when the user had not given permission to be tracked.

This is hugely concerning. Twitter has ignored people's choices, thereby raising a number of questions in terms of compliance with Europe's data protection law GDPR, which among other things requires transparency and a legal justification for using and sharing people's data.

The online advertising ecosystem is out of control

What sounds like a series of isolated incidents is embedded in a much more systemic problem of targeted online advertising. Twitter uses a technique called Real Time Bidding (RTB) – an opaque system that allows companies, advertisers and political campaigns to buy access to you and your attention. RTB is an automated process that enables advertisers to target very specific groups of people on different websites, videos and apps. RTB is also a privacy nightmare. Through RTB, vast amounts of personal data exchange hands between a large number of players a billion times a day. RTB is subject to complaints across Europe and PI has complained about the practices of companies involved, including Criteo, one of Twitter's RTB partners.

The UK’s privacy regulator has warned that AdTech and RTB are out of control, and in many cases unlawful:

"The creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening." - Information Commissioner's Office

Targeted ads need to become much more transparent

Twitter's latest disclosures show how urgently the industry needs to change, but until then, there's something that Twitter could already do right now. Privacy International believes that social media platforms like Twitter need to do much more to increase transparency around how ads are targeted at users. At present it is very difficult to understand why you are seeing an ad on Twitter. Finding the "Why you're seeing this ad" button on an ad requires a sharp eye. Once located, you have to click multiple times before finally arriving at the page meant to tell you why you are seeing an ad, only to be presented with very limited information.

What Twitter provides you about why you're seeing an ad stands in contrast to the granularity with which advertisers are able to target you. There are targeting categories such as location, age, interests, behaviour and gender which are obviously quite personal. Twitter should provide this level of information to users but instead, we've seen that sometimes they provide no information at all about why an ad is shown to a user. The fact that Twitter may have accidentally used your personal data for ads without your permission is completely outrageous.

What PI is doing about it

You might be wondering how all of this tracking and data sharing is even legal, especially under the General Data Protection Regulation (GDPR) and other data protection laws around the world. We do too! Privacy International has spent the last few years looking at how our data is exploited; this includes investigating and challenging the hidden online data ecosystem built on tracking, profiling and targeting us. Using the new standards set by GDPR, Privacy International is seeking to prompt regulatory scrutiny of the industry and hold specific actors to account. In November 2018, we complained about seven companies in the hidden data ecosystem to Data Protection Authorities in Ireland, the UK, and France. As a result of our submission, the Irish Data Protection Commission (DPC) has now opened a formal probe into Quantcast’s data practices and our submissions have contributed to the UK Information Commissioner's focus on AdTech. We believe AdTech companies' practices are in breach of GDPR and want to continue to hold these companies to account.

But this alone is not enough. We believe that people should be able to understand what's at stake. To contribute to this, we have written explainers to simplify concepts and topics related to online advertisement:

Tracking: the reality and mechanism behind AdTech tracking and how it turned the internet into a surveillance machine

Cookie banners and consent boxes: why they are so annoying and deceptive

Image: 3 Levels by Panoptykon - Licence: CC BY-SA 4.0