Twitter Sold Data To Cambridge Analytica-Linked Company

Twitter is the latest company to face scrutiny for how it protects user data, after disclosing this week that it sold data access to a Cambridge Analytica-linked researcher.

The news comes a month after Facebook came under fire for leaking user data to Cambridge Analytica through a third-party app. A Twitter spokesperson told Threatpost that enterprise company Global Science Research, owned by the same researcher behind  Cambridge Analytica, had “one-time API access” to a “random sample of public tweets” in 2015.

“Based on the recent reports, we conducted our own internal review and did not find any access to private data about people who use Twitter,” the spokesperson told Threatpost. “Unlike many other services, Twitter is public by its nature. People come to Twitter to speak publicly, and public tweets are viewable and searchable by anyone.”

According to the spokesperson, GSR had access during a five-month period, from December 2014 to April 2015. Since then, Twitter has made the policy decision to off-board advertising from all accounts owned and operated by Cambridge Analytica.

“This decision is based on our determination that Cambridge Analytica operates using a business model that inherently conflicts with acceptable Twitter Ads business practices. Cambridge Analytica may remain an organic user on our platform, in accordance with the Twitter rules,” the spokesperson said.

Cambridge Analytica is a U.K.-based company that helps political parties target voters with specific messages. The company recently put Facebook in hot water after it was revealed that it harvested data of 50 million Facebook users using one of the social network’s APIs. Cambridge Analytica worked on several high-profile political campaigns, including the presidential bids of Donald Trump and Senator Ted Cruz (R-Tex.).

In 2015, app developer Aleksandr Kogan requested access to information from users who downloaded his third-party app, “thisisyourdigitallife,” on Facebook, which billed itself as “a research app used by psychologists.” In reality, that data was being given to Cambridge Analytica.

Kogan owns GSR, the Cambridge, U.K.-based company founded in 2014 with a goal “to optimize marketing strategies with the power of big data and psychological sciences,” according to its website.

While both situations are raising questions about data privacy on social-media platforms, key differences exist between Facebook’s data privacy debacle involving Cambridge Analytica and that of Twitter.

While Facebook user private data was sold through a third-party app unbeknownst to the social media giant,  Twitter sold public user data to GSR, giving them access to data through its API. Twitter’s API platform provides broad access to “public Twitter data that users have chosen to share with the world,” Rob Johnson, senior director of Product Management at Twitter, recently said in a post outlining Twitter API policy.

“Some of our APIs allow users to manage their own non-public Twitter communications (e.g., direct messages) and provide this information to developers whom they have authorized to do so,” he said in the post. “Access to this information is not granted by default, and we do not sell direct messages.”

Last week, Twitter tightened its developer platform to make user privacy more transparent. One such change prohibits developers from deriving sensitive information – like race and political affiliation – from end users.

“Even for people who will never use one of our developer products, it’s our job to appropriately educate and provide resources to those who wish to understand how their data may be used in our developer platform,” Johnson said in the post about the changes.

Still, the stakes are high for Twitter and social-media companies in general as they grapple with data-protection policies. Twenty-six percent of users deleted or plan to delete their Facebook accounts on the heels of the headlines about Cambridge Analytica misusing Facebook user data, according to a recent study by Centrify.

“Social media and data privacy are antonyms by design,” Ilia Kolochenko, CEO of web security company High-Tech Bridge, told Threatpost. “Even in the light of current efforts of Facebook and Twitter to protect as much of their users’ data as possible, the very purpose of social media is to share information. …social networks can merely educate about privacy concerns and better explain how users’ personal data will be used and in which context.”