Gettr, just one of the interminable Facebook/Twitter clones for MAGA chuds angry about social media rules against conspiracy theories and bigotry, sold itself to potential users as a way to escape the totalitarian tyranny of tech giants like Facebook and Google. Surprise! That pitch comes with a million caveats, the first and foremost of which is that Gettr doesn’t actually seem to do that at all.
According to new research conducted by Yale Law School’s privacy lab founder Sean O’Brien and recently published by Talk Liberation Investigates, Gettr’s web and smartphone apps contain trackers that would allow Facebook and Google to follow users as they roam Gettr’s supposed free-speech utopia. (O’Brien is also the chief security officer of Panquake.com, a crowdfunded, blockchain-enabled social network that has yet to launch, meaning he works for a competitor.)
Gettr’s code includes two trackers which are ubiquitous across the web — a browser cookie that tracks users for Google’s sprawling AdSense network, and the infamous Facebook pixel, a tiny dot embedded in millions of sites across the web that pings Facebook every time it’s loaded. These tools functionally allow Gettr to take advantage of the same kind of omnipresent web-tracking technology its principals, such as former Donald Trump aide and CEO Jason Miller, have decried. The price of admission is of course sharing that trove of data with Facebook and Google.
In addition to the Facebook and Google trackers, Gettr uses similar tools from third parties like AppsFlyer and Countly, which provide web browser fingerprinting (the creation of unique user identifiers) and behavioural data. Altogether, these trackers are capable of transmitting “fine-grained behaviour and location data” on and enable persistent, cross-device tracking of Gettr users, according to the report. AppsFlyer alone is capable of collecting such details as “IP address, cell network provider, operating system version, phone model, and both coarse and fine-grained location information.”
The privacy issues don’t end there, with the report also identifying a number of major security flaws.
“A large amount of JavaScript code is delivered via cloud [content delivery networks] such as Amazon AWS and Cloudflare in addition to embedded content that is directly loaded from around the web,” O’Brien’s report states. “As users browse GETTR, they are connected to literally dozens of domains simultaneously… GETTR utilises a variety of third-party services for user communication and support. Transparency about GETTR’s relationships with these parties is lacking. They include ZenDesk, Postmark, Mailgun, and SolarWinds Pingdom.”
Furthermore, the report states that Gettr “connects to numerous external domains” to hotlink content such as news articles, blogs, and videos. It notes that standard security practices like adding security headers, referrer headers, and other defaults don’t appear to have been implemented, while GETTR loads a lot of unencrypted or mixed HTTP content. Not only is this a major security risk — content from those third-party domains could theoretically be infected with malware — it also potentially exposes users to “surveillance by the originating source.” It also creates opportunities for police or network admins, such as university or corporate IT departments, to monitor any unencrypted traffic. Given that this is a site that got hacked within hours of opening and the obvious lack of technical expertise among the type of users Gettr is courting, this is a pretty gaping vulnerability.
Despite a massive data leak involving scraped personal data last year, Gettr still allows anyone to access its API without security measures such as a verification key, O’Brien wrote. While Gettr removed email addresses and location data from the API following the leak, according to the report, the lack of verification means it can be “queried by anyone with basic technical skills” to download data like the entirety of a user’s post history or everyone they follow with virtually no restrictions.
O’Brien told the Daily Dot in an interview that Gettr’s pledges to users regarding privacy and security are “disingenuous,” adding: “People don’t realise the full range of tracking with Gettr…. I think there’s a number of things they need to change architecturally.”
Gettr’s privacy policy does admit to use of trackers, specifically acknowledging that it uses Google tools: “We may use Third-Party Services such as Google Analytics to help us analyse our performance and our delivery of Services and advertising to you.”
Miller’s core pitch has been that Gettr won’t censor users in the same way right-wingers accuse social networks like Facebook and Twitter of doing. But while it might have looser rules than those competitors (and questionable capabilities to actually enforce them), it’s discovering that deleting content, banning accounts, and purging spam is the bare minimum for keeping the site usable at all. As TechDirt noted last month, Gettr not only banned white supremacist Nick Fuentes for violating its terms of service, it went so far as to ban the word “groyper” — an internet meme that has become a colloquialism for Fuentes’s small legion of followers — from the site entirely. Gizmodo tested this out on Tuesday and found that attempting to post the term “groyper” returns an error stating “Oops! There was an error submitting your post.” Whatever system is in place doesn’t seem to be working very well, though, as repeated attempts to post the term eventually result in success.
Getter didn’t respond to a request for comment on this story, but we’ll update if we hear back. Miller did send Motherboard a statement that’s excerpted below:
This report gets a lot of things wrong, and a more responsible fact-check on the front-end would have helped the author avoid any unnecessary confusion. Unlike the Big Tech social media platforms, GETTR does not sell user data, and we are committed to protecting users from Big Tech’s overreach and political discrimination. On GETTR, everyone is treated the same regardless of ideology. We’re a safe space for free speech, independent thought and very importantly, user data. That’s the difference between us and our Silicon Valley competitors.
These so-called trackers are only used for targeted Facebook and Google ads that we run to promote GETTR, and as part of our remarketing efforts designed to encourage people to return to our platform. This information is not shared with anyone else. As for data analytics, they are strictly used for internal quality assurance and customer experience improvement purposes only.