More than 70,000 websites belonging to Fortune 500 brands, government agencies, and universities share consumers’ data with Twitter using data tracking code hosted on these other organizations’ websites, according to research published on Thursday by Adalytics.
In its report, Adalytics analyzed web crawler data “from hundreds of thousands of websites” to see which ones utilize Twitter’s tracking code as of November. It found that, despite public statements about suspending ads after Elon Musk took over as Chief Twit, at least 70,772 websites were still using Twitter’s advertising code and tracking pixel on their pages.
In addition to sharing info on their visitors including cookie IDs, IP addresses, and browsing data with Twitter, Adalytics — a data analytics org that essentially tracks web trackers — also observed some websites sharing hashed emails and phone numbers with the platform.
There is a tool that organizations can enable to restrict what Twitter can do with this web traffic data: the “Restricted Data Use” (RDU) tool “enables an advertiser to limit Twitter’s use of individual-level conversion events for specific business purposes only on that advertiser’s behalf.”
The RDU tool requires the advertiser to send a parameter to Twitter, specifying that the organization wants Twitter to limit its use of data collected “for an individual conversion event,” according to Twitter’s RDU page. “When enabled, Twitter will limit the use of personal data received in connection with the restricted conversion event to certain business purposes on behalf of the advertiser, such as measurement,” it explains.
However, the “vast majority of these entities” haven’t enabled it, according to Adalytics.
“Virtually all (>99%) of websites examined in this study that had the Twitter advertising pixel were not using the Restricted Data Usage (RDU) feature,” the report said.
Fortune 500 brands, government agencies, the list goes is long
We can’t name all 70,000-plus organizations hooked into Twitter’s adware, but some of the Fortune 500 companies on the list include General Motors, Ford, Volkswagen, Pfizer, Disney+, Citigroup, Kohl’s, Coca-Cola’s Sprite website, and Cisco.
Adalytics noted that not every advertiser on Twitter uses the Twitter pixel on its own websites.
“Some brands have made the decision not to use the third party Twitter Pixel on their page,” the report said. “One prominent example is Apple; apple.com and various other Apple owned properties like shazam.com and beatsbydre.com were not observed loading any code from Twitter.”
It’s also worth noting that at least two of Musk’s other companies, SpaceX and Tesla, do not host any Twitter tracking code on their websites.
Major corporations aren’t the only ones sharing customer data with Twitter.
Adalytics also found university websites including Purdue and the University of California, plus nonprofit groups such as Alzheimer’s Association and Doctors Without Borders, all share data with Twitter. So do healthcare websites and major new publishers including The New York Times and The Wall Street Journal.
Additionally, websites belonging to government agencies including the US departments of Health and Human Services and Education as well as the Australian Government Department of Foreign Affairs were seen sending data to static.ads-twitter.com.
The spokesperson declined to say if the DOE planned to change its data tracking policies.
The DoE was the only organization that responded to The Register‘s requests for comment.
Adalytics also said it documented other government websites, including the FBI and US Department of Homeland Security, embedding Twitter code on their pages without enabling security features such as iframe sandbox, Subresource Integrity hashes, or content security policy headers.
“If Twitter itself were to ever suffer a breach, a foreign threat actor could leverage their control over Twitter’s code to deface or hack these sensitive government websites,” according to the report.
While the authors say it’s “unclear” what Twitter can legally do with this treasure-trove of information it has collected about consumers, “there does not appear to be any legislation, laws, or legal mechanisms in the US that would allow organizational entities to direct Twitter to delete large amounts of log data.”
Twitter did not respond to The Register‘s questions. We will update this story if and when we hear back. ®