Twitter sold user data to Cambridge Analytica’s Aleksandr Kogan


It might surprise many Twitter users to be told this, but every tweet they post could, at some point, end up being sold on to private companies to pore over.

Tweets might seem innocuous individually but put them together with millions of others and deeper patterns emerge – or at least that’s what a lot of companies believe.

There’s no secret about this access, and it’s been happening through a developer API that reveals everything said on the platform since the first ever tweet in 2006.

This is the context for a slightly embarrassed admission by Twitter that in 2015 people with access included a Cambridge Academic called Aleksandr Kogan, whose company Global Science Research (GSR) created the personality quiz now infamous for its role in the Facebook-Cambridge Analytica data harvesting scandal.

There is no suggestion of wrongdoing on Twitter’s part for granting access to GSR, but the fact it felt it necessary to mention the relationship at all tells its own story.

Said Twitter:

In 2015, GSR did have one-time API access to a random sample of public tweets from a five-month period from December 2014 to April 2015.

The use of “random” is significant because it implies this was not a targeted, demographic trawl. Furthermore:

Based on the recent reports, we conducted our own internal review and did not find any access to private data about people who use Twitter.

Which sounds reassuring because it seems to be saying that the tweets couldn’t have been correlated to the real user profiles behind them.

This stands in contrast to the accusation that Facebook allowed the personally-identifiable information of at least 87 million users to end up in the hands of a third party without permission.

Still, it’s not hard to imagine Twitter would be nervous about associations, which is why senior director for product management Rob Johnson went to some pains last week to clarify its developer access parameters in more detail.

Johnson said that Twitter never sells access to direct messages (frankly, it would be disturbing if they did), that protected tweets are not shared with developers, likewise deleted tweets.

Pointing to Twitter’s detailed list of restrictions, he added:

We prohibit developers from inferring or deriving sensitive information like race or political affiliation or attempts to match a user’s Twitter information with other personal identifiers in unexpected ways.

But having strict terms and conditions is all very well as long as Twitter has some way of monitoring how the data is being used and enforcing its policies.

What we saw with Facebook is that once you’ve granted somebody access to your data it’s very difficult to control what they do with it or who they then give it to.

Hanging over all of this is the EU General Data Protection Regulation (GDPR), the most significant piece of data protection legislation ever, which amongst its many provisions for EU citizens changes the model of consent that has allowed data to be traded without that being apparent.

Separately, Twitter has published its GDPR-happy privacy policy, as well as pointing out how users can download their data archive to view, using any desktop browser.

If Facebook’s Cambridge Analytica troubles have achieved one thing it is surely to have encouraged more people to read these documents.