The Cambridge academic at the centre of the Facebook data-harvesting scandal also had access to Twitter data, the social network has confirmed.
Aleksandr Kogan, who developed the app that sucked up the data of users and their friends to sell on to political consultancy Cambridge Analytica, had access to Twitter data for one day in 2015.
Twitter said that Kogan's firm, GSR, had "one-time API access to a random sample of public tweets from a five-month period from December 2014 to April 2015".
This is because Twitter sells access to the data it holds – each tweet has more than 65 different metadata elements – and developers are often willing to pay for access in order to avoid the rate limits imposed on free APIs.
For instance, standard – free – APIs have two buckets for GET requests: 15 calls every 15 minutes, and 180 calls every 15 minutes.
The standard API also only allows API searches against a sample of tweets published in the past seven days; enterprise APIs allow access to either the last 30 days or to tweets from as far back as 2006.
Twitter's Enterprise search API page says that each customer has a defined rate limit for their search endpoint, but the default per-minute rate limit for Full-Archive search is 120 requests per minute, for an average of two queries per second.
Twitter declined to say how much data Kogan had access to, but even 1 per cent of public tweets sent over a five-month period could be information from more than 7 million tweets.
The firm has also consistently declined to put a figure on the cost of the Enterprise API, but it last year announced a new Premium API to fill the gap between the high costs of enterprise access and the basic free version.
Prices for this service ran from $149 per month for up to 500 requests to up to $2,499 a month for up to 10,000 requests.
In the first quarter of 2018, Twitter made $90m from data licensing and other revenue, a 20 per cent year-on-year increase – although this still only accounts for about 14 per cent of overall revenue.
'People come to Twitter to speak publicly'
However, in contrast to Facebook – where Kogan's app was able to suck up information on some users without them knowing, due to developer policies allowing users to grant access to their friends' data without that friend having to also give permission – Twitter argued that the information was public anyway.
"Unlike many other services, Twitter is public by its nature. People come to Twitter to speak publicly, and public tweets are viewable and searchable by anyone," a spokesman told The Register.
He added that Twitter had carried out an internal review of GSR's access and "did not find any access to private data about people who use Twitter".
This means GSR could have scraped up the content of public tweets, and elements like tweet IDs, but not content from direct messages or info on IP addresses, emails or phone numbers.
Meanwhile, geolocation is off by default, and the developer terms say: "Your license only allows you to use such location data and geographic information to identify the location tagged by the content. Any use of location data or geographic information on a standalone basis or beyond the license granted herein is a breach of this Agreement."
Breach of the agreement can lead to immediate termination of a developer's access.
The biz emphasised such points in a blogpost by Twitter's senior director of product management Rob Johnson last week – clearly issued in a bid to put distance between the use of its data and that of Facebook's.
"We prohibit developers from inferring or deriving sensitive information like race or political affiliation, or attempts to match a user's Twitter information with other personal identifiers in unexpected ways," he wrote.
Which might be more reassuring if it wasn't for Kogan's attitude towards Facebook's developer terms and conditions. The academic is widely regarded to have broken the agreement by selling on data to Cambridge Analytica, but he disagrees.
"I do not think they have a developer policy that is valid," he told MPs last week. "For you to break a policy it has to exist... the reality is that Facebook's policy is unlikely to be their policy." ®