The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

A Twitter data tracker inhabits tens of thousands of websites


Welcome to The Cybersecurity 202! We’ll next publish on Tuesday, so see you then.

Below: Apple has a new iCloud encryption announcement, and a massive defense bill with cyber provisions could pass the House this week. First:

A 202 exclusive: Twitter can track other websites’ visitor information, with few checks

Tens of thousands of websites belonging to government agencies, Fortune 500 companies and other organizations host Twitter computer code that sends visitor information to the social media giant, according to research first reported by The Cybersecurity 202. 

And virtually none of them have used a Twitter feature to put restrictions on what the company can do with that data, said digital ad analysis firm Adalytics, which conducted the study.

The presence of Twitter’s code — known as the Twitter advertising pixel — has grown more troublesome since Elon Musk purchased the platform.

  • That’s because under the terms of Musk’s purchase, large foreign investors were granted special privileges. Anyone who invested $250 million or more is entitled to receive information beyond what lower-level investors can receive. 
  • Among the higher-end investors include a Saudi prince’s holding company and a Qatari fund.

“Government agencies, hospitals, over half of all U.S. members of Congress, media publishers, and brands may not be aware that they are sharing terabytes of their visitors’ and audience’s data with Twitter,” Adalytics founder Krzysztof Franaszek wrote.

The company’s analysis found that at least 70,000 websites are still using Twitter’s advertising pixel on their pages as of late November 2022. The study didn’t examine when the sites began using the pixel.

Among the websites where the tracking pixel was present was a Department of Education-operated site where prospective college students apply for federal financial aid. The site also previously had Meta’s equivalent pixel (something two Republican lawmakers criticized the department for).

Any firm collecting browsing data holds risks – but Twitter’s actions are of particular concern.

“It’s dangerous for any firm to collect this kind of … data about our browsing habits, but given that Twitter has a spotty privacy and data security history, it’s particularly alarming for Twitter to have that information,” John Davisson, director of litigation and senior counsel at the Electronic Privacy Information Center, told me.

The Adalytics study points to a larger problem, said Sen. Ron Wyden (D-Ore.).

“Researchers and journalists are revealing the full scale of the online surveillance schemes built by companies like Meta and Twitter,” Wyden said in an emailed statement. “Americans’ data is being collected from websites belonging to hospitals, tax preparation companies and even the U.S. government. Organizations have an obligation to protect the privacy and security of users on their sites, but the sheer scale of this problem means that whack-a-mole solutions are not enough.”

Twitter did not respond to a request for comment.

How it works

Twitter offers snippets of JavaScript code to websites, which can embed the code on their pages to track and target Twitter users with their ads. The pixel collects information like cookie IDs, IP addresses, website data and, in some cases, email addresses and phone numbers. Advertising pixels in general can also capture information that users submit on forms on a website, Davisson said. Notably, the pixel can collect web browsing data from consumers who have never even used Twitter.

  • “I think businesses believe, right or wrong, that it does help them make the most of their advertising dollars,” Davisson explained. “Sometimes pixels are installed without really thinking … and not appreciating the consequences of that and how it might lead to Facebook or Twitter or other platforms getting information like medical data or student loan information.”
  • “They’re adding these code snippets and adding these functionalities and they think they’re getting a nifty analytics tool and a way to hone the targeting of their advertisements,” Davisson said. “Meanwhile, the company is exposing itself to liability and putting the users at risk of significant privacy harm.”
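As an added illustration (this is not code from the newsletter, from Adalytics or from Twitter), the script below shows how a site operator could audit their own HTML for the kind of third-party script and pixel loads described above: it lists every `<script>`, `<img>` or `<iframe>` fetched from another origin, flags hosts that appear on a tracker list, and checks whether a Content-Security-Policy header would actually block the script. The sample page, the tracker hostnames and the CSP value are constructed placeholders, and the CSP parser is deliberately simplified (no nonce or hash handling).

```python
"""Audit a page's HTML for third-party script and pixel loads.

Added example, not from the newsletter or any vendor. All hostnames,
HTML and policy strings below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder tracker list; in practice feed a maintained blocklist.
TRACKER_HOSTS = {"ads.tracker-example.test"}

# Constructed sample page: one first-party script, two third-party scripts,
# one 1x1 tracking image and one first-party image.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://ads.tracker-example.test/pixel.js"></script>
<script async src="//widgets.social-example.test/widgets.js"></script>
</head><body>
<img src="https://ads.tracker-example.test/i?id=123" width="1" height="1">
<img src="/logo.png">
</body></html>"""


def _host_of(src):
    """Hostname of a src attribute; '' for relative (first-party) paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


class ThirdPartyLoadFinder(HTMLParser):
    """Collect (tag, host, url) for resources loaded from another origin.

    Only statically embedded tags are seen; scripts that inject further
    loads at runtime need a browser network log to observe.
    """

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = _host_of(src)
        if host and host != self.first_party_host:
            self.loads.append((tag, host, src))


def csp_allows_script(csp, host):
    """Simplified check: does script-src (or default-src) permit `host`?

    Handles '*', exact hosts, scheme-prefixed hosts and '*.example' wildcards.
    'self' never matches a third-party host. Nonces/hashes are ignored.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    for src in sources:
        if src == "*":
            return True
        src_host = urlparse(src).hostname if "://" in src else src
        if src_host == host:
            return True
        if src_host and src_host.startswith("*.") and host.endswith(src_host[1:]):
            return True
    return False


def find_third_party_loads(html, first_party_host):
    parser = ThirdPartyLoadFinder(first_party_host)
    parser.feed(html)
    return parser.loads


def audit_page(html, first_party_host, tracker_hosts, csp=None):
    """Return one finding per third-party load, with tracker and CSP flags."""
    findings = []
    for tag, host, url in find_third_party_loads(html, first_party_host):
        findings.append({
            "tag": tag,
            "host": host,
            "url": url,
            "known_tracker": host in tracker_hosts,
            # CSP script-src only governs scripts; images fall under img-src.
            "blocked_by_csp": csp is not None and tag == "script"
                              and not csp_allows_script(csp, host),
        })
    return findings


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' https://widgets.social-example.test"
    for f in audit_page(SAMPLE_HTML, "www.example.test", TRACKER_HOSTS, csp=policy):
        print(f)
```

Run it against a saved copy of one of your own pages and the corresponding CSP header; any finding with `known_tracker` set and `blocked_by_csp` unset is a load that sends visitor data off-site today.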

Twitter has a “Restricted Data Usage” feature, which, in Twitter’s words, “enables an advertiser to limit Twitter’s use of individual level [site visitor or purchase data] for specific business purposes only on that advertiser’s behalf.” But more than 99 percent of the websites Adalytics found hosting the pixel aren’t using the feature.

Users, and interesting nonusers

A spokesperson for the Education Department said: “FSA uses the Twitter Pixel to understand user behavior across, improve the user experience and customer outcomes, and assess campaign and website analytics. FSA’s privacy policy for notes the use of Twitter and other social media platforms.”

A spokesperson for House Minority Leader Kevin McCarthy (R-Calif.), whose leadership website was among the more prominent government websites hosting the Twitter pixel, didn’t return a request for comment.

Many automotive industry competitors to Tesla, which Musk runs, had embedded the Twitter pixel. One of them was Cadillac’s website, according to Adalytics. Cadillac is a division of U.S. auto giant General Motors, which said it suspended its advertising on Twitter in late October.

“It’s important for us to ensure our advertising strategies and data can be safely managed by a platform owned by a competitor,” the New York Times quoted a GM spokesperson as saying. Neither a GM nor Cadillac spokesperson responded to requests for comment about its use of the pixel.

Interestingly, Tesla and SpaceX, which Musk also runs, aren’t using the Twitter pixel. Neither company responded to a request for comment.

(The Washington Post uses the Twitter pixel, according to Adalytics’s research. Vice President of Communications Shani George told us The Post is running the Twitter pixel “only in a limited set of pages and relevant contexts.”)

Additional study

Adalytics also looked at websites that use a Twitter widget without additional security safeguards. Those safeguards could help prevent sharing of data with Twitter. Websites with the widget show recent tweets from a given Twitter account. Beyond sharing data, the presence of the widget could theoretically open up the website to defacement by hackers if Twitter suffered a breach, Adalytics said.

The study found nearly 638,000 sites were using a Twitter social media embed, including prominent government websites. On this count, however, Twitter is moving in the right direction, Wyden said.

“I was pleased by Twitter’s recent policy change to announce that they will no longer collect data from Twitter widgets embedded on .gov or .mil sites,” he said.

A note on limitations

The Adalytics study relied on analyzing web-crawler data and inspecting the underlying code behind websites. As such, it’s not possible to fully determine what Twitter does with the data it receives, Franaszek wrote.

“Furthermore, many of the websites examined in this study could quickly remove or change the configuration of the Twitter Pixel or the Twitter social media widget on their webpages,” he wrote.

Updated 12/8/2022: with comment from the Department of Education.

The keys

Apple announces iCloud encryption, which the FBI criticizes

The company will allow users to make fully encrypted backups of their sensitive data — like photos and chat histories — in its cloud storage system iCloud around the world, Joseph Menn reports. Governments could protest the move by taking legislative or legal action against the company or refusing to allow Apple to access their markets. 

In a statement, the FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose.” It “hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism,” the FBI said in an emailed statement. “In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design.’”

The feature will be rolled out to U.S. customers by the end of the year and to other countries next year, though the company said it may not reach every country by the end of 2023.

Privacy experts hailed the feature and Apple’s decision to drop its plan to scan user photos for child sex abuse images. The company paused the plan, which was roundly criticized, last year.

House expected to pass defense bill with cyber provisions

The $858 billion defense authorization bill is stacked with cybersecurity measures aimed at U.S. Cyber Command and other federal agencies like the State Department, which would get a long-awaited cyberspace bureau codified into law, the Record’s Martin Matishak reports. The House is expected to pass it as soon as this week.

“Notably cut from the bill was a proposal to designate ‘systemically important entities’ to the most vital U.S. critical infrastructure that would have required operators to enact strong digital security standards and share threat intelligence with the government in return for federal support,” Martin writes. “It was originally a recommendation by the Cyberspace Solarium Commission.”

Cyber-related House committee chairmanships begin taking shape

Rep. James Comer (R-Ky.) will lead the House Oversight and Reform Committee, while Rep. Patrick T. McHenry (R-N.C.) is poised to lead the House Financial Services Committee. Neither chairman selection is surprising — both congressmen are their committees’ top Republicans — but their histories of engaging on cybersecurity issues could provide clues about how they’ll handle the issue. 

Last year, McHenry introduced legislation to require financial institutions to report ransomware attacks and payments to the Financial Crimes Enforcement Network. The bill, which didn’t advance, would have also banned payments of more than $100,000 without law enforcement approval. He has backed other cybersecurity-related bills as well.

Comer has backed revamps of major bipartisan cybersecurity bills, including a bill to update cybersecurity law FISMA and a proposal to codify cloud-security rules known as FedRAMP.

Global cyberspace

Leaked: The Altrnativ world of cybersurveillance (Politico Europe)

Iranian hackers accused of targeting diamond industry with wiper malware (The Record)

Government scan

CISA's 2023 priorities include election security, corporate cyber risk (CyberScoop)

Secure log off

Thanks for reading. See you next week.