Twitter's Potential Engagement with Data Brokers
Alistair Simmons
April 6, 2023
In December 2022, after Elon Musk dissolved Twitter’s Trust and Safety Council, concern grew about Twitter restructuring its content moderation and data usage policy. Due to the concern over the lack of transparency into Twitter’s protection of data, I thought that it was pertinent to better understand the company’s Privacy Policy.
When describing who Twitter shares its information with, the Privacy Policy states:
“With service providers. We may share your information with our service providers that perform functions and provide services on our behalf, including payment services providers who facilitate payments; service providers that host our various blogs and wikis; service providers that help us understand the use of our services; and those that provide fraud detection services.”
In essence, according to Twitter, “service providers” are authorized to have privileged access to personal data such as “cookie identifiers, or your IP address.” The list of Twitter’s named service providers is below. I coded the service providers based on the type of company and their specialty area. Notably, many of the companies are data brokers.
Graph 1:
Company | Type | Specialty |
Accenture | Consulting | Data Analytics |
Acxiom | Data Broker | Marketing |
Adjust | Data Broker | Marketing |
Akamai Technologies | Cloud Computing | Processing |
Amazon Web Services | Cloud Computing | Processing |
Appsflyer | Data Broker | Marketing |
Au10Tix | Data Broker | ID Services |
Branch Metrics | Data Broker | Track data flows |
comScore | Data Broker | Marketing |
CyberAgent | Data Broker | Marketing |
DoubleVerify | Data Broker | Marketing |
dunnhumby Limited | Data Broker | Marketing |
Foursquare Labs | Data Broker | Geolocation Data |
Free Stream Media Corporation | Data Broker | Marketing |
Software Provider | Marketing | |
HackerOne | Cybersecurity | Penetration Testing |
Intage | Data Broker | Marketing |
Integral Ad Science | Data Broker | Marketing |
Kochava | Data Broker | Geolocation Data |
LiveRamp | Data Broker | Consumer Data |
Microsoft | Cloud Computing | Server Storage |
NAVEX Global | Cybersecurity | Cloud-based Compliance |
NC Ventures | Financial Technology | Online Banking |
Nielsen | Data Broker | Marketing |
Neustar Information Services | Data Broker | Marketing |
Oracle America | Data Broker | Enterprise Software |
PRO Unlimited | Data Broker; Cloud Computing | Workforce Management |
Salesforce.com | Software Provider | Marketing |
Singular Labs | Software Platform | Image Conversion |
Slack Technologies | Software Platform | Worker Communication |
Stripe | Financial Technology | Online Payment |
Tipalti | Financial Technology | Online Payment |
Unit 21 | Cybersecurity | Data Monitoring |
Twitter says that it may share user data with any of the 33 service providers; based on my classification, 19 of those service providers are data brokers. This classification is depicted in Graph 1. I classify a data broker as a company whose business model entails collecting data, processing it, repackaging it, and reselling it as marketing insights. This is consistent with the definition from the FTC’s 2014 report on data brokers and the Sanford Cyber Policy Program’s public response to the FTC’s fall 2022 request for comment on commercial surveillance and data security. The FTC’s 2014 report, for example, defined the data brokerage industry as “companies that collect consumers’ personal information and resell or share that information with others.” Although this definition is broader than those in a couple of state laws currently in place, I find it to be the most precise definition of data brokers because it includes the process of selling data. Data brokers act as centralized information pools, where it is possible for personal information to be mined, rehashed, and combined with other information obtained by different means. It is possible this includes data from Twitter, based on Twitter’s privacy policy, and it is an open question whether this could include content on Twitter—potentially shared with service providers and converted into marketing commodities by data brokers who attempt to influence consumer behavior.
To better understand how Twitter users’ information can be disseminated, I have inserted a pie chart (Graph 2) to demonstrate the proportion of partnerships with companies that sell users’ data for profit:
Graph 2:
Many data brokers collect and/or process users’ information for legitimate purposes, such as protecting against identity fraud and credit reporting. Further information from Twitter about each Twitter-data broker relationship is necessary to determine how each company uses Twitter data and what controls, if any, Twitter has put in place to determine that the companies receiving act responsibly. Based on the current, publicly available information, however, it is possible that Twitter could be handing data and information on users’ posts, including the content of those posts, to data brokers who may be allowed and or have the business motivation to repackage and resell that information to other parties. Those parties could use that data in ways that could negatively impact the Twitter user. Given the history of data misuse by some of Twitter’s data broker partners, the platform’s users and US regulators should demand more information from the company.
These potential harms could be significant. For example, Kochava, a data broker that is partnered with Twitter, was recently sued by the FTC for selling sensitive location data—tracking people at reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. Kochava acquired geolocation data from millions of devices and created models that could make it easy for hate groups to target vulnerable populations. The impacted consumers, as the FTC alleges, likely did not suspect their data was being collected or subsequently acquired by a data broker. Kochava also has a Deep Links interface which collects data from different apps and platforms to create an in-depth profile of the user.
Twitter is also partnered with the geolocation data broker Foursquare, whose advertising touts that Foursquare will pinpoint the exact location of a device. Foursquare tracks devices’ locations with concerning detail: it can pinpoint personal places (such as place of residence or work) and track patterns (such as the route of your morning walk). This sensitive location data is mass collected from and distributed among over 550 partners.
Figure 1:
Figure 2:
Figure 3:
LiveRamp, another partner with Twitter, specializes in identifying specific individuals by matching data to personal profiles developed by the data broker. LiveRamp’s main product is IdentityLink, which is a “people based identifier.” It features the “world’s largest independent omnichannel identity graph to bid on digital advertising inventory.” LiveRamp also adds information to IdentityLink by matching already-existing profiles of consumers with uploaded content, constantly refining the highly specific profiles for 2.5 billion humans. After 1.6 billion records were breached from data broker Acxiom’s servers in 2003, Acxiom sold its databases and brand name for $2.3 billion to the Interpublic Group and rebranded to Liveramp in 2018.
Figure 4:
Acxiom, also a partner for Twitter, markets itself as the “most comprehensive consumer data” repository. Acxiom develops seemingly exhaustive profiles for the majority of consumers, including sensitive details to develop an incredibly detailed description of every person in its database. Acxiom can refine its personal profiles to capture and influence more specifics about people’s beliefs, preferences, and habits.
Figure 5:
Acxiom already possesses a concerning array of personal data, as shown in Figure 6:
Figure 6:
Branch Metrics can integrate data obtained from Twitter with different channels and platforms to create a centralized stream of personal information. The Data Feeds service offered by Branch Metrics collects, sells, and exports information across platforms. This service is able to streamline the collection of data from multiple platforms. By creating embedded URLs, Branch’s webhook platform enables companies to download and export personal data for external processing.
Figure 7:
Although Twitter’s previous privacy policies acknowledged the company’s relationship with service providers many years before Elon Musk bought the company, the company’s relationship with data brokers demonstrates the privacy tradeoff that consumers must make when using this platform. Information that is collected by Twitter has the potential to be repackaged and resold by data brokers for harmful uses. Since data brokers track geolocation data as well as a host of other information already present on a device, the extraction of personal information on Twitter users could extend well beyond the content posted on Twitter—for example, by gathering data on Twitter users through other sources and then matching that with data potentially acquired from Twitter itself.
As our personal data exposes us to more risk, it is important to be aware of the ways that data can unknowingly be used against our interest. Social media companies like Twitter may gather our information and fuel an insatiable pipeline of data brokers, so it is increasingly important that we endeavor to remain in control of the application, use, and dissemination of our personal data.
Our Duke University data brokerage project continues to want to hear from data brokers about whether they have oversight and control mechanisms in place to address these kinds of risks. Data brokers often provide little detail about any oversight or control mechanisms on their websites, and to this point have not been willing to work with our team to demonstrate whether they do have internal oversight and control mechanisms in place, targeted at the kinds of risks described in this article. However, we recognize that the data brokerage ecosystem encompasses a wide range of companies, including companies (both first and third parties) with a long history of implementing compliance and data privacy programs. We are specifically interested in obtaining more information on how companies involved in data brokerage obtain their information and whether they have internal oversight and controls in place to protect data from secondary use, evaluate risk to the individuals encompassed in their datasets, and determine whether end customers will comply with restrictions against harmful uses of the data.
For now, it is clear that Twitter has business relationships with a number of data brokers—and more information is needed to understand the exact nature of those relationships.
—
Alistair Simmons is an undergraduate research assistant on the data brokerage research project at Duke University’s Sanford School of Public Policy.