Email addresses and phone numbers, submitted for two-factor authentication to secure accounts from hackers, "may have been" used to power Twitter's Tailored Audiences and Partner Audiences advertising products.
On Wednesday 8 October, Twitter, in the name of "transparency", said it was unsure how many times the data was pooled into ad buys, but gave assurances that no information left its platform. The issue, which it did not specify in any detail, was fixed in September after being in place for an undisclosed length of time.
Neville Doyle, chief strategy officer at Town Square, suggested it was "enormously improbable" that Twitter 'inadvertently' improved its ad product with the sensitive data, and blasted the tech giant for being "either immoral or incompetent". Either way, he said, it was playing "fast and loose with users' privacy".
Respected ad-tech and cybersecurity expert Dr Augustine Fou, who was previously chief digital officer at media agency Omnicom's healthcare division, also branded Twitter's announcement as "total chickenshit".
Last July, the Federal Trade Commission (FTC) fined Facebook $5bn for improperly handling user data, the largest fine ever imposed on a company for violating consumers’ privacy. “[Such abuses are] standard practice and would have continued in the shadows were it not for Cambridge Analytica scandal and a heightened sensitivity to privacy," said the ad fraud researcher.
Fou added: "Twitter should have the balls to say: ‘This is what we did, we didn't clearly explain to you that we could/would also use the data for advertising and targeting. Now we are telling you and are giving you the chance to opt-out or give us feedback'. That would have been the right and honourable thing to do."
It's a further blow to Twitter, which has been recovering from another data breach. Last May, it advised all 330 million users to change their passwords as "a bug" in the system meant it had been storing passwords in plain text. It has also shared iOS user location data with advertisers without permission and had a two-year phone number leak bug.
Twitter has since encouraged users to adopt two-factor security to make it more difficult for hackers, which it may have benefited from.
Doyle, formerly of ad agencies BBDO and Carat, said it was "convenient" that the incident benefited Twitter's bottom line and the effectiveness of its targeting.
“Either Twitter was making unauthorised use of your private information to target ads, or it is so unbelievably slapdash with how it stores private data that it got entangled with the targeted advertising programs. Between a company that is immoral or incompetent with my private data, I am genuinely not sure which is the lesser of the two evils.”
Could this damage trust in the wider online advertising industry, he questioned. Web users already think targeted advertising is “creepy”.
“The need to balance personalisation and privacy is a constant battle in the digital space, and if you cannot trust a platform to not go beyond the realms of what you have agreed they can do with your private data then that is a huge, fundamental problem.”
Privacy advocate and Brave browser thought leader Johnny Ryan had previously explained the cross-use of data to the US Senate Judiciary Committee. Ryan said it was “good” that Twitter disclosed the incident.
Under GDPR's "purpose limitation" principle (Article 5(1)(b)), it is unlawful to use data outside of the purposes it was originally intended for unless there is a particular legally valid justification to do so.
Ryan explained: "The cross-use of data between processing purposes is a no-no in most cases. It seems to me that this aspect of the GDPR has not been effectively enforced anywhere in Europe." As a result, there's been an “internal data free for all” in many companies.
Advertising activists Sleeping Giants (The Drum interviewed them earlier this year) said it further highlights the issues facing the broader social media industry.
“This is what happens when there is zero oversight of massive social media companies. You just kind of have to, you know, trust the companies’ word that they’re making things right after they totally screw you. Almost no other business works like this.”
Whether this impacts Twitter's relationship with advertisers, already on high alert to any potential data misuse issues post-Cambridge Analytica, remains to be seen.
According to ad-tracking firm Pathmatics, Kraft Heinz, Nestlé and Coca-Cola are among the top five spenders on Twitter ads, with the bulk of their media budgets going to video. The Drum has contacted these brands but was awaiting response at the time of writing.
Chris Pitt, head of marketing at HSBC UK, was still trying to get to grips with the revelations from Twitter. The bank has toed a hard line in the past with tech platforms, pulling its advertising from Google in the wake of the brand safety scandal in 2017.
He asserted that "marketers need to be extraordinarily sensitive and appropriate" in the way data is used and said there's "a line that shouldn't be crossed" when it comes to targeting people with personalised ads.
"We need to be using data in a way that's positive to customers rather than a purely commercial sense for an organization," he said.
When dealing with the likes of Twitter or Facebook or YouTube or Google it is important to get results, but "not get to a point where you're questioning as to whether it's the right use of personal data".
In July, Twitter said average monetizable daily active usage (mDAU) was 139 million, compared to 122 million in the same period of the previous year. As a result, ad revenue rose by a fifth. After years of making losses, the social network posted two consecutive quarters in profit and pointed to the strength of its Video Website Card, In-Stream Video Ads, and First View ad formats.
Could this incident slow the momentum the social network was making?