Advertising on Twitter: give us your personal data or we're going to bomb your timeline with NSFW, sexual ads

A few months back I started writing on freeCodeCamp, with the spirit of “giving back” to the community whatever I used to share on my personal blog as well.

FCC is a very interesting publication, and one of the personalities I got to “discover” was Quincy Larson; it was by following Quincy that I discovered I could opt out of Twitter’s ad tracking, something that turned out to be quite a journey.

Quincy’s pinned tweet is a gem:

“Amazing”, I thought, let me do the same — I would definitely like to opt out from all those personalized ads: not because of their content, but simply because I’d like advertisers (and Twitter) to connect fewer dots when it comes to my interests and habits.

How beautiful it was to “Control how Twitter personalizes content and collects and shares certain data.” — I would never have imagined what kind of Pandora’s box I had just opened.

Within a few days of opting out, I spotted a relatively “weird” tweet on my timeline:

“Ouch”, I told myself, “this must be the result of turning off personalized ad data”: now Twitter will just serve ads from the richest bidder, and this time it was an NSFW one. Without jumping to conclusions, I quickly flagged the ad as not relevant, blocked the user and moved on, thinking this isolated episode wouldn’t be much of a problem.

Except that, as the weeks went by, my timeline started to look like a Hooters joint:

The ads are practically identical: a burner account posting a link with media and the content of the tweet being a mere “click here” — how hard would it be for Twitter to prevent this from happening?

I’d say not so hard, and before you ask me to consider the technical implications of such a feature, let me introduce you to Eega Beeva, an interesting character from the Mickey Mouse comics. “Why?”, you ask — just hold on for a second.

Now, Eega is a funny character — a human-sort-of-figure from the future who is very popular in the Italian version of the comic: I know of him since my dad used to buy me the Mickey Mouse comics every single week, so I had a good understanding of the characters in the MM universe back then.

A few days ago, I saw a tweet from the Italian edition of the MM magazine that caught my attention, as it was flagged for containing what Twitter thought might have been a sensitive picture:

The tweet reads “A good friend from the future is the co-star of the new edition of #MickeyMouseSuperStar…do you like Eega Beeva? #MickeyMouseMagazine”

And, right there, I knew what this was all about: Eega Beeva does not wear anything on the upper part of his body, so an algorithm deciding whether a tweet might contain explicit content might have thought that because of his resemblance to a naked body, Eega Beeva must be flagged down… and this was the “may contain sensitive material” picture:

Note that “Eega Beeva” is translated to “Eta Beta” in the Italian edition of the magazine.

Now, Twitter, can you please tell me how the picture on the right may contain sensitive material, but you have no problem with the one on the left?

So don’t tell me there’s nothing Twitter can do to fix this — it can be done, but it might also be that they don’t really care about fixing the problem, as it would require them to invest time and money into a part of the ad business (being able to serve pertinent ads to users who opted out of ad tracking) that’s probably not very profitable. Who cares for those hippy, freedom-lover users!

This was a sad realization: that when we try to protect our privacy Twitter thinks we’re clickbait material.

That’s a really, really, really sad thing for me to write.

No photoshop skill was harmed in the writing of this blog post and editing of the images. That’s because I have no skills to begin with.

I would also like to take some (serious) time to mention that corrections to the way Twitter serves ads are more than welcome: sometimes these kinds of glitches are not foreseen, and I’m sure the engineering team at Twitter would love to get rid of such stuff. The question is, would the ad team want the same? ;-)

