Twitter discloses bug that allowed for some iOS users’ location data to be shared

You’re not going to love this.

Twitter on Monday disclosed a bug that in certain conditions resulted in an account’s location data being shared with a Twitter partner, even if the user had not opted in to sharing that data. The bug only affected a portion of Twitter’s iOS user base, the company says, and they’ve since been notified of the issue.

Affected users would have to have more than one Twitter account on iOS, and had chosen to share their precise location via an optional feature in one account. Twitter, in turn, stated that the company may have accidentally collected location data for one or more accounts on the mobile device, even if the user hadn’t opted in to location data sharing.

“Due to a bug in Twitter for iOS, we inadvertently collected and shared location data (at the zip code or city level). We have fixed the bug, but we wanted to make sure we shared more of the context around this with you.” offered the company in a support message.

This information was then shared during the real-time bidding process with an unnamed Twitter partner, which meant they received the unauthorized location data. Twitter notes that none of this was “precise” location data, because the data was already “fuzzed” to be only a ZIP code or city (5 km squared).

Twitter stated that the data “could not be used to determine an address or to map your precise movements.”

In terms of those worried about their location being disclosed, Twitter assured impacted users that the partner receiving the location data didn’t also receive their Twitter handle or a unique account identifier. They wouldn’t have been able to determine your identity, the company says. And the location data was not retained by the partner, Twitter says.

Twitter offered the following announcement:

“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process.We have fixed this problem and are working hard to make sure it does not happen again. We have also communicated with the people whose accounts were impacted to let them know the bug has been fixed. We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us.”

It’s presently unknown at this time when the location sharing took place, or for how long. Twitter has yet to name the partner that had possession of the data, or how the bug emerged in the first place. It only said that it failed to remove the location data.

Twitter does say affected users have been notified, and anyone with questions can fill out a form to contact Twitter’s Data Protection Officer with more questions. It’s unclear to what extent the bug will result in a GDPR fine at this time, given the lack of specifics on hand.

Stay tuned for additional details as they become available.

Via TechCrunch