Twitter bug in iOS app shared location data with advertisers

By Malcolm Owen

Twitter has admitted to its iOS app having privacy issues issues, that iPhone and iPad users may have had their location data collected in instances where multiple accounts were used, data that may have also been unwittingly shared with third-party advertisers on the microblogging social network.

The collection of a user's location data by tech companies has become an issue for those concerned with maintaining their privacy. On Monday, Twitter joined the ranks of tech firms advising to users of their location data potentially being collected and misused, but one that was caused by a bug rather than from an intentional move by the company.

"You trust us to be careful with your data, and because of that, we want to be open with you when we make a mistake," the Twitter support page advises. It continues to advise the company has discovered it was "inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances."

The post goes on to advise the bug involved cases where multiple Twitter accounts were active within the iOS app, and that a precise location feature was active on one account. The bug "may" have collected location data for other accounts used on the same device, even if the feature wasn't turned on at that moment.

A separate issue involved an intention to remove location data from fields sent to a third-party firm during "real-time bidding" for advertising on the service. The removal did not occur as planned, but a technical feature to "fuzz" the data made it so it was "no more precise than zip code or city" to the marketers, namely a range of about 5 square kilometers.

Twitter asserts the location data would not have been able to allow the advertiser to determine a specific address or map precise movements. Further, the data did not include the Twitter handle or unique account Ids that would have compromised a user's identity.

"We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process," the page advises. Twitter says it has also fixed the problem, has reached out to affected accounts, and invites users to check their privacy settings to "make sure you're only sharing the data you want to with us."

While the collection of data relating to a user is seen as an invasion of privacy by critics, location data is considered bad due to revealing where a user has been, or in some cases, currently positioned. The practice has led to some unexpected results, such as Google's data archive effectively being used by law enforcement to find potential suspects for crimes via so-called "geofence warrants."

Tech companies are slowly making changes to tighten up on lapses relating to location data, such as Amazon's restriction of access to such data by transcription teams analyzing Alexa audio snippets, and Sprint promising to end the sale of location data to third parties. Google is also taking positive steps, by giving users the option to automatically delete Location History data after a set period of time instead of needing to manually delete it.

A study of 20 iOS and Android apps in December revealed the extent of location data distribution, with one app found to share exact latitude and longitude data to 40 companies.