Elon Musk has access to user data from more than 70,000 websites belonging to the US government, healthcare firms and Fortune 500 companies that advertise on Twitter, according to a new bombshell report from Adalytics.
The data sharing is enabled through Twitter’s advertising tool called a pixel, which advertisers embed on their website to track, analyze and target users of the Musk-owned platform with their ads.
The pixel funnels this data to Twitter, which includes the user’s IP address, payment information and activity on the website.
The report notes that Apple is one of the few advertising on Twitter that does not use the tool, along with Musk’s own Tesla and SpaceX, which recently paid more than $160,000 for a campaign.
A total of ‘70,772 websites were found to make HTTPS requests to static.ads-twitter.com,’ Adalytics founder Krzysztof Franaszek wrote in the report.
‘These included many government, media, non-profit, university, and brand websites.’
Franaszek also notes that entities advertising on Twitter ‘may not be aware that they are sharing terabytes of their visitors’ and audiences’ data with Twitter.’
And it is even more likely that these advertisers have not enabled the Restricted Data Usage (RDU) setting, which ‘enables an advertiser to limit Twitter’s use of individual-level conversion events for specific business purposes only on that advertiser’s behalf.’
‘There is a possibility that every website that does not use this RDU feature is allowing Twitter to co-mingle and reuse that advertisers’ web traffic data for other purposes,’ Franaszek said.
Websites using pixel include:: The Department of Education’s Free Application for Federal Student Aid or FAFSA; the US Department of Health & Human Services; Doctors Without Borders; webmd.com; and the Federal Bureau of Investigation.
However, the report also shows that various major carmakers advertise on Twitter, suggesting Musk, who owns Tesla, can analyze traffic to those sites.
The New York Times reported that ‘automakers are among the most concerned advertisers, with General Motors raising questions about whether Twitter’s data would be shared with Mr. Musk’s car company, Tesla, three people said.’
‘It’s important for us to ensure our advertising strategies and data can be safely managed by a platform owned by a competitor,’ a GM spokesman said in a statement.
Among academia, the websites of the University of Washington, Johns Hopkins University, Purdue University, University of California, City University of New York (CUNY) embedded the Twitter Pixel and did not enable RDU.
About 99 percent of websites analyzed by Franaszek were not using the feature.
‘Currently, there does not appear to be any legislation, laws, or legal mechanisms in the US that would allow organizational entities to direct Twitter to delete large amounts of log data,’ he wrote in the report.
‘Policymakers in Congress may wish to consider legislation that would govern what happens in the event that a data processor or data broker changes ownership as part of a Merger or Acquisition event.’
Meta also offers a pixel tool to advertisers and has found itself in court several times because of the same data sharing found by Adalytics.
An anonymous hospital patient, named John Doe in court papers, filed a case in the Northern District of California this past June, alleging Facebook received patient data from at least 664 hospital systems or medical providers.
‘Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook,’ the lawsuit stated.
The lawsuit alleges: ‘Facebook monetizes the information it receives through the Facebook Pixel deployed on medical providers’ web properties by using it to generate highly-profitable targeted advertising on and off Facebook.’
Meta was hit with another lawsuit this month, claiming the company’s pixel shared financial information from tax-filing websites.