>_ datagobes.dev
Privacy Audit #02

x.com

Overall score: 6.1 (ADEQUATE)

Privacy Audit — Episode #02 · 4 trackers · 9 cookies

TL;DR

Three Things to Know

Pre-consent fingerprinting across 5 APIs
Canvas, WebGL, MediaDevices, and WebRTC fingerprinting all fire before any consent interaction — a clear ePrivacy Art. 5(3) violation from X's own vendor.js bundle.
Reject button actually works
Clicking 'Refuse non-essential cookies' prevents all marketing cookies (guest_id_ads, guest_id_marketing, personalization_id) from being set. Only a preference-recording cookie is added.
guest_id declared as 'authentication' — lasts 396 days
X's cookie policy classifies guest_id as an authentication cookie, yet it's set pre-consent for unauthenticated visitors with a 13-month lifespan. That's tracking in disguise.

Scroll for the full story →

Methodology

How We Scanned

Scout: Banner detection
Pre-Consent (before interaction): 5 cookies · 0 trackers · 81 requests · 5 domains
Post-Consent (after accept/reject): 9 cookies · 0 trackers · 84 requests · 7 domains
Scan configuration
Browser: Firefox (stealth mode)
Viewport: 1440×900
Locale: en-NL (EU)
Variants: ignore · accept · reject
Banner detection: Vision-assisted hints
Classification: Tracking fires → consent-mode pings → SDK loads

Privacy Audit #02 in the datagobes.dev series

Consent Mechanism

Banner Blueprint

Custom (Vision-Assisted)
"X and its partners use cookies to provide you with a better, safer and faster service and to support our business."
Accept: standard · Reject: standard
Reject button on first layer: 'Refuse non-essential cookies' is visible without extra clicks
Binary choice only: No category-level toggles — users can only accept all or refuse all non-essential cookies
No consent revocation: No mechanism to withdraw consent after accepting — GDPR Art. 7(3) requires withdrawal to be as easy as giving consent
No TCF or Consent Mode: Despite CSP listing Google advertising domains (doubleclick.net, googlesyndication.com), no IAB TCF or Google Consent Mode v2 detected
GPC signal ignored: Browser sends Global Privacy Control signal but x.com does not read or honour it
Cookie preferences link present: 'Show more about your choices' link exists but does not provide granular category controls
UX Fairness

Fairness Scale

Whether the consent interface makes it equally easy to accept or reject tracking.

Scale: Reject-biased · Balanced · Accept-biased
Accept Path
Button style: Solid black fill
Visual weight: High contrast on white
Reject Path
Button style: White with border
Visibility: Same size, visible on first layer
Label clarity: 'Refuse non-essential cookies' — clear intent
Verdict: Mild visual asymmetry — accept is more prominent but reject is visible
Consent Delta

Before vs After Consent

How many cookies exist before you interact with the banner vs after clicking Accept.

Before Consent

5 cookies
essential 2
tracking 2
functional 1
0 trackers · 5 domains
+4 cookies 1.8× increase

After Accept

9 cookies
essential 2
functional 2
tracking 2
marketing 3
0 trackers · 7 domains
Audit Trail

What Happens Before You Click Anything

Network requests fired before any user interaction — these happen without consent.

Phase 1 — Page Load (no interaction)
t+0ms
Page load begins x.com
t+190ms
X vendor bundle loaded (abs.twimg.com) abs.twimg.com
t+244ms
First contact: abs-0.twimg.com (emoji SVG) abs-0.twimg.com
t+500ms
guest_id cookie set (396 days) — pre-consent .x.com
t+500ms
__cuid cookie set (400 days) — pre-consent, undisclosed .x.com
t+500ms
g_state cookie set (180 days) — Google sign-in x.com
t+500ms
__cf_bm cookie set — Cloudflare bot management .x.com
t+600ms
Canvas fingerprinting: getImageData + toDataURL abs.twimg.com
t+600ms
WebGL fingerprinting: getParameter abs.twimg.com
t+600ms
MediaDevices: enumerateDevices abs.twimg.com
t+630ms
WebRTC: RTCPeerConnection created abs.twimg.com
t+745ms
Google Sign-In SDK loaded accounts.google.com
t+911ms
Apple Sign-In SDK loaded appleid.cdn-apple.com
t+1.1s
Google Fonts loaded fonts.gstatic.com
Browser Fingerprinting

API Interception Heatmap

Browser fingerprinting techniques detected — these work even without cookies.

Severity: MEDIUM

API | Phase | Count
Canvas.getImageData | PRE | 3
Canvas.toDataURL | PRE | 2
WebGL.getParameter | PRE | 2
MediaDevices.enumerateDevices | PRE | 1
WebRTC.RTCPeerConnection | PRE | 1

Pre-consent: 5 APIs
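How a scanner can attribute calls like these to a consent phase, as an added example that is not the datagobes.dev scanner's code nor anything from X: the five APIs on the heatmap are wrapped so every call is tagged PRE until the banner choice is recorded. The `win` object, the `demo()` stand-in for a browser global and the replayed call sequence are all constructed here.

```javascript
// Added example (not the datagobes.dev scanner's code, not X's): hooks the five APIs on the
// heatmap and tags each call with the consent phase it fired in. `win` is the object holding
// the browser prototypes; in a browser pass `window` from a script run before page scripts.
const PROBES = [
  ['CanvasRenderingContext2D', 'getImageData', 'Canvas.getImageData'],
  ['HTMLCanvasElement', 'toDataURL', 'Canvas.toDataURL'],
  ['WebGLRenderingContext', 'getParameter', 'WebGL.getParameter'],
  ['MediaDevices', 'enumerateDevices', 'MediaDevices.enumerateDevices'],
];
function installFingerprintProbes(win) {
  const state = { phase: 'PRE', calls: [] };
  const record = (api) => state.calls.push({ api, phase: state.phase });
  for (const [ctor, method, label] of PROBES) {
    const proto = win[ctor] && win[ctor].prototype;
    if (!proto || typeof proto[method] !== 'function') continue; // API absent in this browser
    const original = proto[method];
    proto[method] = function (...args) { record(label); return original.apply(this, args); };
  }
  if (typeof win.RTCPeerConnection === 'function') { // a constructor, so wrap it with a Proxy
    win.RTCPeerConnection = new Proxy(win.RTCPeerConnection, {
      construct(target, args, nt) { record('WebRTC.RTCPeerConnection'); return Reflect.construct(target, args, nt); },
    });
  }
  return {
    markConsent(choice) { state.phase = 'POST-' + choice; }, // call when Accept/Reject is clicked
    report() { // per-API counts before/after consent, plus the APIs that fired pre-consent
      const perApi = {};
      for (const { api, phase } of state.calls) {
        perApi[api] = perApi[api] || { PRE: 0, POST: 0 }; perApi[api][phase === 'PRE' ? 'PRE' : 'POST'] += 1;
      }
      return { perApi, preConsentApis: Object.keys(perApi).filter((a) => perApi[a].PRE > 0) };
    },
  };
}

// Constructed stand-in for a browser global so this runs under Node; replays the heatmap
// counts (3/2/2/1/1 before consent) and then one call after Reject.
function demo() {
  const win = { CanvasRenderingContext2D: class { getImageData() { return 'pixels'; } },
    HTMLCanvasElement: class { toDataURL() { return 'data:,'; } },
    WebGLRenderingContext: class { getParameter() { return 'WebKit WebGL'; } },
    MediaDevices: class { enumerateDevices() { return []; } }, RTCPeerConnection: class {} };
  const probe = installFingerprintProbes(win);
  const ctx = new win.CanvasRenderingContext2D(), canvas = new win.HTMLCanvasElement();
  const gl = new win.WebGLRenderingContext(), media = new win.MediaDevices();
  for (let i = 0; i < 3; i++) ctx.getImageData(0, 0, 1, 1);
  canvas.toDataURL(); canvas.toDataURL(); gl.getParameter(0x1f00); gl.getParameter(0x1f01);
  media.enumerateDevices(); new win.RTCPeerConnection();
  probe.markConsent('reject'); ctx.getImageData(0, 0, 1, 1); // tagged POST-reject
  return probe.report();
}
```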
Audit Trail

What Happens After Accept

New requests triggered immediately after clicking Accept All.

Phase 2 — Post-Consent
t+200ms
d_prefs cookie set (180 days) — cookie preferences .x.com
t+200ms
guest_id_ads cookie set (396 days) — advertising .x.com
t+200ms
guest_id_marketing cookie set (396 days) — marketing .x.com
t+200ms
personalization_id cookie set (396 days) — undisclosed .x.com
t+0ms
Emoji bundle loaded abs.twimg.com
t+5.6s
Google Play log request play.google.com
Audit Trail

What Happens After Reject

Requests that still fire after explicitly clicking Reject — these shouldn't exist.

Phase 2 — Post-Reject
t+200ms
d_prefs cookie set (180 days) — records cookie preference .x.com
t+1s
No marketing cookies set — guest_id_ads, guest_id_marketing, personalization_id absent x.com
Reject Scenario

What Happens When You Say No?

Trackers persist: 0
Cookies persist: 2
Reject honoured
guest_id (.x.com): tracking
__cuid (.x.com): tracking

Rejection prevents all 3 marketing/tracking cookies (guest_id_ads, guest_id_marketing, personalization_id) from being set. Only d_prefs (cookie preference) is added. However, pre-consent cookies and fingerprinting persist regardless.

Consent Variants

Ignore vs Accept vs Reject

Side-by-side comparison of what gets loaded depending on your consent choice.

Metric | No Interaction | Accept All | Reject All
Trackers | 0 | 0 | 0
Cookies | 5 | 9 | 6
3rd Parties | 5 | 7 | 5
Rejecting prevents 3 marketing cookies but pre-consent fingerprinting and 2 tracking cookies (guest_id, __cuid) persist across all variants
Tracking Systems

Who's Watching?

Google Sign-In SDK (accounts.google.com): Authentication, SDK loaded pre-consent
Apple Sign-In SDK (appleid.cdn-apple.com): Authentication, SDK loaded pre-consent
Canvas/WebGL Fingerprinting (abs.twimg.com): Fingerprinting, active pre-consent
WebRTC/MediaDevices Enumeration (abs.twimg.com): Fingerprinting, active pre-consent
2 active pre-consent · 2 CSP-only
Cookie Lifespan

Persistence Bars

Marketing & Tracking (5 cookies)
__cuid (.x.com): 1.1yr
guest_id (.x.com): 1.1yr
guest_id_ads (.x.com): 1.1yr
guest_id_marketing (.x.com): 1.1yr
personalization_id (.x.com): 1.1yr
Functional (3 cookies)
g_state (x.com): 6mo
d_prefs (.x.com): 6mo
gt (.x.com): Session
Essential (1 cookie)
__cf_bm (.x.com): Session
Cookie Audit

Declared vs Observed Purpose

Whether cookies are used for the purpose the site claims in its consent banner.

Cookie | Declared | Observed
guest_id | Authentication | Tracking
__cf_bm | Not in policy (Cloudflare) | Essential
gt | Functionality | Functional
__cuid | Undisclosed | Tracking
g_state | Undisclosed | Functional
d_prefs | Cookie preferences | Functional
guest_id_ads | Undisclosed | Marketing
guest_id_marketing | Advertising (logged out) | Marketing
personalization_id | Undisclosed | Tracking
4 match · 5 mismatch
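The checks behind the Persistence Bars and this Declared vs Observed table, written out as an added example (not the scanner's code): pre-consent non-essential cookies, lifespans over the CNIL 13-month ceiling, cookies absent from the policy, and declared-purpose mismatches. The cookie snapshot, the Set-Cookie sample values and the reading of "13 months" as 13 × 365.25/12 days are constructed assumptions.

```javascript
// Added example (not the scanner's code): the audit's cookie rules applied to a snapshot
// constructed from the Persistence Bars and Declared vs Observed tables above.
const MAX_LIFESPAN_DAYS = 13 * 365.25 / 12; // CNIL 13-month ceiling, ~395.7 days (assumed reading)
const NON_ESSENTIAL = new Set(['tracking', 'marketing']);
// Declared purpose wording from the cookie policy mapped to the category the scan observes.
const DECLARED_CATEGORY = {
  'Authentication': 'essential', 'Functionality': 'functional',
  'Cookie preferences': 'functional', 'Advertising (logged out)': 'marketing',
};

// Lifespan in days from a Set-Cookie header value; 0 means a session cookie.
function lifespanDays(setCookie, now = Date.now()) {
  const maxAge = /;\s*max-age=(\d+)/i.exec(setCookie);
  if (maxAge) return Number(maxAge[1]) / 86400;
  const expires = /;\s*expires=([^;]+)/i.exec(setCookie);
  if (expires) return Math.max(0, (Date.parse(expires[1]) - now) / 86400000);
  return 0;
}

// Constructed snapshot: days = lifespan, phase = when the cookie first appeared ('pre' = before
// any interaction, 'post' = only after a banner choice), declared = policy wording or null.
const OBSERVED = [
  { name: 'guest_id', days: 396, phase: 'pre', declared: 'Authentication', observed: 'tracking' },
  { name: '__cuid', days: 400, phase: 'pre', declared: null, observed: 'tracking' },
  { name: 'g_state', days: 180, phase: 'pre', declared: null, observed: 'functional' },
  { name: 'gt', days: 0, phase: 'pre', declared: 'Functionality', observed: 'functional' },
  { name: 'd_prefs', days: 180, phase: 'post', declared: 'Cookie preferences', observed: 'functional' },
  { name: 'guest_id_ads', days: 396, phase: 'post', declared: null, observed: 'marketing' },
  { name: 'guest_id_marketing', days: 396, phase: 'post', declared: 'Advertising (logged out)', observed: 'marketing' },
  { name: 'personalization_id', days: 396, phase: 'post', declared: null, observed: 'tracking' },
];

function auditCookies(cookies) {
  const f = { preConsentNonEssential: [], overLifespan: [], undisclosed: [], purposeMismatch: [] };
  for (const c of cookies) {
    if (c.phase === 'pre' && NON_ESSENTIAL.has(c.observed)) f.preConsentNonEssential.push(c.name);
    if (c.days > MAX_LIFESPAN_DAYS) f.overLifespan.push(c.name);
    if (c.declared === null) f.undisclosed.push(c.name); // not in the cookie policy at all
    else if (DECLARED_CATEGORY[c.declared] !== c.observed) f.purposeMismatch.push(c.name);
  }
  return f;
}
```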
Data Transfers

Transfer Circuit

Where your data travels — each destination's jurisdiction and legal safeguards.

Origin: x.com
abs.twimg.com (US): 71 reqs
accounts.google.com (US): 8 reqs
fonts.gstatic.com (US): 2 reqs
abs-0.twimg.com (US): 1 req
appleid.cdn-apple.com (US): 1 req
play.google.com (US): 1 req
Network Activity

Request Pulse

Volume of third-party network requests per domain, split by consent phase.

abs.twimg.com: 71
accounts.google.com: 8
fonts.gstatic.com: 2
abs-0.twimg.com: 1
appleid.cdn-apple.com: 1
play.google.com: 1
Security Posture

Shield Rings

strict-transport-security: Active
content-security-policy: Active
x-content-type-options: Active
x-frame-options: Active
referrer-policy: Missing
permissions-policy: Missing
4 / 6 headers active
SRI Coverage: 0% (0/6 external scripts)
Legal Compliance

Document Shelf

Privacy Policy Found
Cookie Policy Found
Terms of Service Found
Impressum / Controller Identity Found
DSAR / Data Subject Requests Found
5 found
0 missing
Art. 13/14 Compliance

Privacy Policy Checklist

How well the privacy policy covers the 13 GDPR-required information items.

69%
9/13 required elements
Controller identity
X Corp., 865 FM 1209, Building 2, Bastrop, TX 78602 (US); X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2 (EU/UK)
DPO contact
Attn: Data Protection Officer at Dublin and Bern addresses
Processing purposes
Sections 2.1-2.5: Operate/improve/personalize, safety/security, measure/analyze, communicate, research
Legal basis per purpose
Section 6.1: 'X has carefully considered the legal reasons...' — links to external page, not stated in main policy
Legitimate interests
Not explicitly listed; section 6.1 defers to 'additional information about data processing' page
Recipients / categories
Section 3: service providers, advertisers, third-party integrations, collaborators, APIs, affiliates, law enforcement
International transfers
Section 6.2: DPF (EU-US, Swiss-US, UK Extension), SCCs, JAMS dispute resolution, FTC oversight
Retention periods
Section 4: profile (account duration), usage (account duration), cookies (13mo), ad views (12mo), communications (18mo)
Data subject rights
Section 5: access, correction, portability (5.1), deletion (5.2), objection/restriction/withdrawal (5.3)
Right to withdraw consent
Section 5.3: 'Objecting to, restricting, or withdrawing your consent' — manage privacy settings
Right to complain
Right to lodge complaint with local supervisory authority or Irish DPC
Statutory/contractual requirement
Not mentioned — policy does not state whether data provision is legally or contractually required
Automated decision-making
No mention of profiling logic, automated decision significance, or consequences — despite extensive personalization
9 present
2 absent
2 vague
Art. 15-22

Data Subject Rights Accessibility

How accessible GDPR rights are — data access, deletion, portability, and objection.

How many clicks to exercise each right?

Right of access (Art. 15)
3 clicks
Right to rectification (Art. 16)
2 clicks
Right to erasure (Art. 17)
3 clicks
Right to restriction (Art. 18)
Not found
Right to portability (Art. 20)
3 clicks
Right to object (Art. 21)
3 clicks
5 accessible
1 not found
GDPR Compliance

Compliance Matrix

Art. 6(1)(a)
Valid consent
Banner present with accept/reject but pre-consent cookies and fingerprinting undermine the consent framework
ePrivacy 5(3)
Cookie consent
5 cookies set before any consent interaction including guest_id (396 days) and __cuid (400 days)
ePrivacy 5(3)
Device fingerprinting
Canvas, WebGL, MediaDevices, and WebRTC fingerprinting all fire pre-consent from X's vendor bundle
Art. 7(3)
Consent withdrawal
No consent revocation mechanism found — no way to withdraw cookie consent after accepting
Art. 7(1)
Demonstrable consent
Custom banner records choice but no TCF consent string or standardised audit trail
Art. 13/14
Transparency obligations
11/13 Art. 13 elements present but legal basis per purpose and legitimate interests are vague
Art. 25
Data protection by design
Pre-consent fingerprinting and tracking cookies indicate tracking-by-default rather than privacy-by-default
Art. 44-49
International transfers
DPF participant (EU-US, Swiss-US, UK Extension), SCCs referenced, JAMS dispute resolution available
Art. 12
Clear communication
Privacy policy written in accessible language with clear section structure
2 compliant
4 violations
3 partial
Risk Assessment

Privacy Risk Summary

Consent 6.4

Custom banner with binary accept/reject. No category toggles, no consent revocation, GPC signal ignored.

Pre-Consent 3.7

5 cookies and fingerprinting across 5 APIs fire before any consent interaction. All fingerprinting from X's own vendor bundle.

Legal 8

Comprehensive privacy policy (11/13 Art. 13 elements) but legal basis per purpose deferred to external page.

Cross-Border 7.8

All third parties US-based. X is DPF participant. Google services DPF-certified. SCCs referenced.

Security 6.1

4/6 headers present (strong HSTS + CSP) but missing Referrer-Policy and Permissions-Policy. Zero SRI coverage.

Cookies 3.7

Multiple cookies exceed CNIL 13-month max (396d). 3 cookies undisclosed. guest_id misclassified as authentication.

Dark Patterns 7.8

Mild visual asymmetry — accept button is solid black vs outlined reject. Both visible on first layer with clear labels.

Overall
6.1
Action Items

Recommendations

1. Remove pre-consent fingerprinting: Canvas, WebGL, MediaDevices, and WebRTC fingerprinting fire from vendor.js before any consent interaction. Under ePrivacy Art. 5(3) and EDPB Guidelines 2023, fingerprinting requires prior consent.
2. Implement consent revocation mechanism: No way to withdraw cookie consent after accepting. GDPR Art. 7(3) requires withdrawal to be as easy as giving consent. Add a persistent 'Cookie Settings' link in the footer.
3. Gate pre-consent tracking cookies behind consent: guest_id (396d) and __cuid (400d) are set before any consent interaction. Either defer to post-consent or reduce lifespans if truly essential.
4. Disclose all cookies in cookie policy: personalization_id, guest_id_ads, and __cuid are not listed in the cookie disclosure table. Reclassify guest_id from 'authentication' to its actual purpose.
5. Add granular consent toggles: Current binary accept/reject provides no category-level control. Add toggles for analytics, advertising, and personalisation.
6. Add missing security headers and SRI: Add Referrer-Policy: strict-origin-when-cross-origin and Permissions-Policy. Implement SRI on external scripts (currently 0/6 coverage).