Wednesday, October 29, 2014

Twitter app snoops contacts data and messaging activity on my mobile phone



Recently Twitter started to send me notifications when someone that “I know” joins Twitter and makes their first Twitter post.

Today I received yet another notification on the Twitter client on my mobile phone saying Jussi K. has posted his first message on Twitter. I know only one person of that name and he is the dad of my friend called Samuli K. What puzzled me was that I don't actually know his dad very well. The last time I met him was a bit over 20 years ago, well before social networking.

How does Twitter know that I may be interested in a tweet from Jussi K., whom I haven't had any dealings with for a very long time?
  
Figure 1 Today's events on Twitter

The only link that I can think of between Jussi K. and me is a relationship via a person called Samuli K. Samuli is the son of Jussi K. I am close friends with Samuli K. and vice versa (I like to think).

If Samuli and I had been in frequent contact with each other on Twitter and Samuli and his dad were the same, I wouldn't be too surprised about being notified about tweets from his contact.

What concerns me is the fact that Samuli hasn't got a Twitter account; I checked recently. I checked the list of the people his dad is following, and Samuli wasn't there. I know that Samuli is not on the list of 400+ people I follow. I searched for Samuli K. and found 3 matches, but these accounts belong to other people.

Figure 2 The real life connection I have with Samuli and Samuli has with his dad.

So how does Twitter know that I'm interested in Jussi K's tweet without us having a direct link between us?
There must be a link that resides outside the network because Samuli doesn't have an account on Twitter.

A clue is found in the Twitter app settings on an Android phone.
In the app permissions section of the Twitter app settings I can see that I've given the Twitter app permission to “read your contacts”. Jussi K. has done the same when he installed Twitter on his device.

As we both have given Twitter permission to read our contacts it looks like Twitter has joined 2 contact lists, compared them and found a contact that exists in both of our lists.


Figure 3 The link between Jussi K. and me

But wait.
If Twitter simply links 2 users based on the contacts they have in common then I'd expect to receive more frequent notifications for tweets from people that have no relevance to me. I assume Samuli's phone number exists in the contacts lists of many other Twitter users that I'm not directly linked with. But I've never before received notifications for a tweet from a person that doesn't exist in the contacts on my phone. Why did it happen this time?

I believe that Twitter is taking further advantage of the “read your contacts” permission and analysing how often Jussi K and I are in contact with Samuli. As we both are in regular contact with him it makes it likely that we, Jussi K and myself, both know Samuli well and through Samuli we are likely to know each other.

The “read your contacts” permission enables detailed analysis, as per its description: “Allows the app to read data about your contacts stored on your phone, including the frequency with which you've called, emailed or communicated in other ways with specific individuals.”
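The matching hypothesised above, as an added Python example that is not from the original post and is not Twitter's code: it joins uploaded address books on shared non-member contacts, optionally filters by a contact-frequency threshold, and lists the non-members who end up in the dataset. All user names, contact ids, counts and the threshold are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: each app user's uploaded address book as
# {contact_id: interactions_per_month}. All values are made up.
UPLOADS = {
    "author":   {"num-samuli": 12, "num-colleague": 1},
    "jussi_k":  {"num-samuli": 9},
    "stranger": {"num-samuli": 1, "num-plumber": 8},
}
# Contact ids that belong to registered accounts (constructed).
# "num-samuli" is deliberately absent: he has no account.
MEMBERS = {"num-colleague"}


def shadow_profiles(uploads, members):
    """Non-members present in the data, mapped to the users who uploaded them."""
    seen = defaultdict(list)
    for user, book in uploads.items():
        for contact in book:
            if contact not in members:
                seen[contact].append(user)
    return {c: sorted(u) for c, u in seen.items()}


def suggest_links(uploads, members, min_freq=0):
    """Pair up users who share a non-member contact that each of them
    interacts with at least min_freq times per month (assumed threshold)."""
    close = defaultdict(list)
    for user, book in uploads.items():
        for contact, freq in book.items():
            if contact not in members and freq >= min_freq:
                close[contact].append(user)
    links = defaultdict(list)
    for contact, users in close.items():
        for pair in combinations(sorted(users), 2):
            links[pair].append(contact)
    return dict(links)


if __name__ == "__main__":
    print(shadow_profiles(UPLOADS, MEMBERS))
    print(suggest_links(UPLOADS, MEMBERS))              # plain intersection
    print(suggest_links(UPLOADS, MEMBERS, min_freq=5))  # frequency-weighted
```

With no threshold every pair of users sharing the contact is linked; with the threshold only the pair in regular contact with him remains.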

I've no problem with an app analysing my contacts when I've given it the permission to do so. For example, the messaging app Viber asks for access to read your contacts and it uses the permission to notify me when someone from my contacts installs Viber. I'm OK with this.

But to use the data in the way that Twitter appears to be using it concerns me a lot. Samuli has never installed the Twitter app nor accepted any Terms and Conditions of Twitter, but still he appears to be added to Twitter's database and used as a link to relay notifications between registered Twitter users. Did Twitter ask his permission to do that? No. What if he would like to get his records removed from the database? There is no account for him to close, so then what?

I feel a little bit guilty about allowing this to happen to Samuli. I don't want the same thing to happen to any of my other non-Twitter contacts, so I've decided to get rid of the Twitter client on my phone and continue using Twitter in a browser, which hasn't got access to my contacts.

Twitter has to become more transparent on how our personal data is used and for what purpose. The Twitter client is now banned from my mobile and I won't install it again until this happens.


footnote
Big thanks to @Mackie_Jas for reviewing this post