Silicon Valley is facing yet another disastrous privacy scandal. Last week, Ireland’s Data Protection Commission (DPC) decided to officially launch an investigation into Twitter’s alleged tracking of its users through their special shortened t.co links, which could potentially violate protections under Irish and EU laws and cost Twitter millions in damages.
According to Fortune, the social media giant is suspected of “obtaining information when people click on t.co links,” which “track people as they surf the web by leaving cookies in their browsers.” This was the analysis of privacy researcher Michael Veale (University College London), the man who directly requested information on these links from Twitter, as is his right under the EU’s new General Data Protection Regulation (GDPR) laws. However, the social media company rejected his claim because it would apparently take too much effort to compile the entitled data.
Given that Twitter refused to honor his right to data access, Veale took the complaint up with the DPC in August. This eventually led to the investigation opened last Thursday.
“The DPC has initiated a formal statutory inquiry in respect of the complaint,” the commission declared.
“The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of the complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”
The regulator went on to suggest the investigation will be handed off to the newly organized European Data Protection Board, a multi-national data protection group that specifically enforces GDPR protections for EU citizens, due to Veale’s complaint “involving cross-border processing.” The magazine notes this will be the first GDPR investigation facing Twitter, echoing the similar Facebook probes made when their refusal to hand over user data to their customers led to a lawsuit that could cost the company €3.9 billion.
The researcher believes the results could be somewhat similar, given the technical possibility of Twitter utilizing a user’s location to best direct their advertising efforts, which could violate their privacy policy. Their site only states that advertisers might collect the IP addresses of users when people click on Twitter links directly, though nothing is mentioned about harvesting information to external sites through the t.co links.
“Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests,” Veale told the magazine. “The user has a right to understand.”
Twitter, of course, declined to comment on the investigation. Companies tend to face fines upwards of €20 million ($23.2 million) or up to 4% of global annual revenue if found violating GDPR protections like data access requests. Fortune estimated that Twitter’s 2017 revenues totaled around $2.4 billion, meaning their GDPR fine could be $96 million if the investigation shows to have merit. This could be a serious outcome for a company’s incompetence when it comes to data privacy, particularly when it comes to shortened URL links initially designed so that tweets wouldn’t exceed the 280 character limit. Whether it results in a fine is up for speculation, though such investigations could force the hand of Twitter to honor the rights of users in the future.
The European Union, despite all the faults that come with a multinational superstate, appear the only ones who care about the preservation of online rights. Big tech monopolies like Twitter, Facebook, and Google, notorious as the usual suspects in online censorship and privacy violations, show the need for defined liberties and entitlements users deserve.
Outside of Europe, who leave these rights to common bureaucratic regulators, there are no serious checks and balances on tech in the United States. Other than the Federal Trade Commission (FTC), who continue to give slaps on the wrist to complaints while ignoring others, Americans have little means of ensuring their complaints see a meaningful response. Perhaps these GDPR rules should be the basis of some form of new bill of rights for the internet age, as proposed by Democratic Rep. Ro Khanna, representing California’s 17th district of South San Francisco Bay, which is quite literally the heart of elitist Silicon Valley.
“It could bring some control to the Wild West of the third parties operating on these platforms,” said Karen Kornbluh, senior fellow for digital policy at the Council on Foreign Relations, according to Vox.
“I think it’s fair to say Europe is leading global policy on privacy and data protection, and they’re doing it at a time when they see the U.S. system has been severely deficient,” added Bill Kovacic, Commissioner for the FTC. “The [tech] policymaking capital is not Washington, it’s Brussels.”
By Bailey Steen