Cyber
Websites are sharing data about consumers with Elon Musk's Twitter
2022-12-09
[Adalytics] INTRODUCTION
When Elon Musk bought Twitter, he also bought a treasure trove of internet traffic data from websites like Reddit, NYTimes.com, Amazon.com, studentaid.gov (Department of Education’s Free Application for Federal Student Aid), and the website of Democratic Congressional Campaign Committee (dccc.org).

Government agencies, hospitals, over half of all US members of Congress, media publishers, and brands may not be aware that they are sharing terabytes of their visitors’ and audiences' data with Twitter.

The vast majority of these entities have not enabled Twitter's Restricted Data Usage (RDU) feature to set legal guardrails around what Twitter can do with that web traffic data.

On October 27th, 2022, Elon Musk completed an acquisition of Twitter. Some US Senators expressed national security concerns over how the deal was financed with capital from foreign investors, such as a holding company partly owned by Saudi Arabia’s sovereign wealth fund.

On November 1st, 2022, the Washington Post reported that:

“Experts on the foreign review process said of particular interest will probably be whether any of Musk’s foreign investors would have special privileges to access personal data about Twitter’s users. According to people familiar with Musk’s purchase of Twitter, those who invested $250 million or more have access to information beyond what a lower-level investor would receive. The Saudi and Qatari funds and Binance have invested above that level. But what that additional access includes is not known.” (emphasis added)

In the past, Twitter has suffered numerous data breaches, foreign espionage infiltration, been fined repeatedly by the FTC for consumer privacy violations, and has recently lost significant portions of its cybersecurity and regulatory personnel.

Over the next few weeks, several major brands and media agencies stated they would stop advertising on Twitter. On November 28th, Elon Musk tweeted that “Apple has mostly stopped advertising on Twitter”, a claim which was contested by ad analytics firm Pathmatics, whose data showed that Apple had continued to spend heavily on Twitter ads.

The New York Times reported on Dec. 2nd that "automakers are among the most concerned advertisers, with General Motors raising questions about whether Twitter’s data would be shared with Mr. Musk’s car company, Tesla, three people said." “It’s important for us to ensure our advertising strategies and data can be safely managed by a platform owned by a competitor,” a G.M. spokesman said in a statement.

Motivated by these and other events, Adalytics chose to use a different methodology to assess which brands and entities may still consider advertising on Twitter despite their public proclamations. This analysis focuses on both privacy implications and potential cybersecurity risk.

Adalytics analyzed web crawler data from hundreds of thousands of websites to determine which websites are still hosting Twitter’s advertising pixel. At least 70,772 websites were observed using Twitter’s advertising Pixel on their pages. Many brands that made public statements about suspending digital ads on Twitter - such as General Motors, Mondelez, Pfizer, and Volkswagen - continue to host the Twitter Pixel on their websites, which enables Twitter to collect information about visitors to these brands’ webpages. It appears that the vast majority of advertisers that use the Twitter pixel are not using the pixel’s “Restricted Data Use” privacy feature. Surprisingly, Apple (Twitter's biggest advertiser by spend) and Elon Musk’s own companies - SpaceX and Tesla - do not appear to host the Twitter Pixel on their websites. This is despite SpaceX recently ordering one of the larger advertising packages available on Twitter around November 14th, 2022.

Furthermore, many highly sensitive websites, such as goarmy.com, FBI.gov, and the website of the US Department of Homeland Security (dhs.gov), are hosting third-party JavaScript code from Twitter on their websites without configuring content security policies or subresource integrity (SRI) hashes. This lack of security precautions could result in supply chain and code injection attacks on government properties if Twitter were ever compromised. British Airways and Ticketmaster both lost tens of thousands of consumers’ personal data after being breached through JavaScript exploits, according to research by cybersecurity firm RiskIQ and the BBC (respectively).

Courtesy of Skidmark: the Daily Mail’s take.
Posted by: Skidmark 00:00