In June, Twitter discontinued its support for Do Not Track (DNT), the privacy-protective browser signal it had honored since 2012. EFF argued that Twitter should reconsider this decision, but that call has gone unheeded. In response, EFF’s Privacy Badger has new features to mitigate user tracking both on twitter.com and when you encounter Twitter content and widgets elsewhere on the web. (More technical details are covered in the accompanying technical post.) How did we get here and what can we do about it?
Assembling A Data Dragnet
In 2012 Twitter began to use tracking data to personalize content recommendations to its users, such as accounts they should follow. Twitter collected this data via the Tweet buttons and widgets integrated on sites all over the web. These widgets can set cookies on users' browsers and tell Twitter where the user goes online. This use of social sharing buttons and embedded content to track users is a common practice—Facebook, Google Plus, LinkedIn, and other social media networks do it as well. From 2013 onwards, Twitter also made deals with ad companies who had data about user browsing activity on sites where Twitter had no foothold.
In contrast to its competitors, Twitter once offered users an easy opt-out from tracking: if users enabled the DNT signal in their browser, their browsing history would not be collected. This was a welcome move in 2012, when much of the advertising industry was contesting the definition of "tracking". Rather than support DNT, advertisers pushed their own "opt-out" process, AdChoices, which is difficult to enable and ineffective in practical terms. Apart from a myriad of technical flaws, AdChoices merely exempts users from being shown behavioral ads, not from the data collection behind the ad targeting. This is what Twitter has now bought into.[1]
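The difference between the two opt-outs described above, as an added example that is not code from the original post or from Twitter: a hypothetical widget endpoint that either honors `DNT: 1` by not recording the visit, or applies an AdChoices-style opt-out that only switches off behavioral ads. The function name, the policy names, and the `uid` and `optout` cookies are assumptions, and the sample requests are constructed.

```javascript
// Added illustration: a hypothetical widget endpoint, not Twitter's code.

// Parse a Cookie header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// policy "dnt": a DNT: 1 request header stops the collection itself.
// policy "adchoices": an opt-out cookie only disables behavioral ads;
// the page visit is still written to the log.
function handleWidgetRequest(headers, policy, visitLog) {
  const cookies = parseCookies(headers["cookie"]);
  const dnt = headers["dnt"] === "1";
  const optedOut = cookies["optout"] === "1"; // hypothetical cookie name
  const collect = !(policy === "dnt" && dnt);
  if (collect && cookies["uid"] && headers["referer"]) {
    // The Referer of a widget load is the page the user is reading.
    visitLog.push({ uid: cookies["uid"], page: headers["referer"] });
  }
  const behavioralAds = collect && !(policy === "adchoices" && optedOut);
  return { collected: collect, behavioralAds };
}

// Constructed requests: one browser loading an embedded button on a news page.
const base = { referer: "https://news.example/article-42" };
const dntReq = { ...base, cookie: "uid=abc123", dnt: "1" };
const optOutReq = { ...base, cookie: "uid=abc123; optout=1" };

function demo() {
  const dntLog = [];
  const adChoicesLog = [];
  const dntResult = handleWidgetRequest(dntReq, "dnt", dntLog);
  const adChoicesResult = handleWidgetRequest(optOutReq, "adchoices", adChoicesLog);
  return { dntResult, adChoicesResult, dntLog, adChoicesLog };
}

console.log(JSON.stringify(demo(), null, 2));
```

In both cases the user sees no behavioral ads, but only the DNT policy leaves the visit log empty.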
The Logic of the Next Investor Call
Twitter claims it dumped DNT because 'an industry-standard approach to Do Not Track did not materialize', but a better explanation may be the pressure on them to increase revenue. DNT users were being shown less lucrative ads targeted on context rather than behavior. This reduced ad revenue from the tens of millions of users who had the setting enabled. By making an opt-out more cumbersome, Twitter will bring some of those users back inside the behavioral targeting corral. The day after dumping DNT, Twitter declared its intention to "double down" on adtech. Our response at EFF and Privacy Badger is that we're all-in on user protection.
Trackers: Unknown Stalkers and Household Brands
Large-scale tracking is conducted by two types of companies. First are the so-called "third parties": sites that we never visit intentionally, but which sit silently on web pages as an external resource, used to add functionality or to enable tracking by ad networks and data brokers.
But the biggest profilers of users are the basic, go-to services that we all use online. These companies leverage the trust that users place in them as first parties to track even more than third-party trackers can. Google, Facebook, and Twitter are the sites with the longest reach, trailed by Oath (formerly Yahoo and AOL). These companies represent a different challenge because we visit their sites willingly. Each visit is logged on their servers and this log information is supplemented by data from the advertising, analytics services, and the social media widgets they provide as a third party to other sites.
Many of us log in to these sites to access email or messages, upload data, or get personalized content, and the login allows these companies to identify us across our different devices - the computer at work, the laptop at home, the phone, the tablet. Privacy Badger and other tracker blockers can keep you off the third parties’ radar by blocking their resources, but they can’t erase the logs from the sites you visit willingly or the linkages enabled by the login process.
Setting Red Lines for First Parties
These household brands shouldn’t have a blank check to monitor us everywhere just because we log in to them for specific, narrow purposes. That’s why Privacy Badger blocks them as a third party when they plant widgets on other websites. If you are not willingly accessing their services, why should they know where you are? And even when we visit sites like Twitter and Google, there should be limits to the data they can collect about us. Outbound links are a good example. When we use these platforms to discover people or websites, the logs already reveal a great deal about our inclinations and interests. But platforms can also track the links we click to leave their sites. This is neither acceptable nor necessary. So Privacy Badger will be preventing outbound link tracking on Twitter right away, and on other sites in the future.
US Citizens – Second Class Privacy Protection?
If tech companies want us to trust their tools with the most sensitive matters of our lives, they should offer a universal privacy opt-out for those who want it. But experience shows that companies only change their practices in the face of major and sustained public pressure or the threat of political action. In the European Union, data collection is already regulated, and a new tougher regime—the General Data Protection Regulation—will come into effect in May 2018. U.S. companies will have to comply with the regulation for their EU users. There will then be two classes of privacy protection in the world, the EU and everywhere else - U.S. users will be stuck in coach. Evidence of this was spelled out in Twitter’s announcement of its new policy: 'We do not store web page visit data for users who are in the European Union and EFTA States.'[2] The online advertising industry in the U.S. trumpets self-regulation, but they haven’t shown themselves worthy of it. We need to turn up the pressure.
- 1. According to TrustE, only 0.00015% of the users who see the “Ad Choices” icon use it. https://www.economist.com/news/special-report/21615871-everything-people-do-online-avidly-followed-advertisers-and-third-party
- 2. Twitter confirms that this includes data accessible via their widgets and embedded content; whether it extends to data acquired from other trackers is unclear.