Twitter’s reported vulnerabilities — what you need to know
Last week, Twitter’s former chief of security blew the whistle on his former company — accusing them of negligent security practices and misleading federal regulators about the state of the platform.
According to Peiter Zatko, who goes by the alias “Mudge”, the company fired him in January this year after he refused to stay silent about the platform’s vulnerabilities. Following this, he filed a complaint with the Securities and Exchange Commission and published over 200 pages detailing the flaws in Twitter’s security practices.
Among the accusations levelled by Zatko against the company are claims of reckless and indiscriminate data access, misleading the FTC and ignoring the rampant bot problem on the platform. The latter point was also brought up by Elon Musk in his everlasting will-he-won’t-he Twitter buyout, although experts disputed his claims.
What exactly do these revelations mean for regular Twitter users? Read on.
Twitter’s alleged vulnerabilities — what you need to know
The gravest allegation put forth by Zatko is certainly the one about indiscriminate data access. According to him, as much as half of Twitter’s full-time workforce has blanket access to sensitive user data, such as phone numbers.
In real numbers, this is about 3,500 people with access to extremely sensitive data. This is a staggering number — under no circumstances should that many people be allowed to retrieve sensitive user information. After all, every single one of those accounts provides an opportunity for a massive leak.
This isn’t the first time Twitter has been in hot water over its handling of sensitive data. The Federal Trade Commission settled a case with the company as far back as 2010. That settlement compelled Twitter to put strong user data security protections in place. According to Zatko, the company has since gotten into the habit of lying to the FTC about these protections.
If these allegations are correct, the possibility of your personal data leaking is not a question of if, but when.
Will the disclosure affect Twitter?
It’s certainly a possibility. As we mentioned previously, claims of misleading investors and regulators were already levelled at Twitter. Most recently, Elon Musk backed out of his prolonged misadventure into purchasing the platform, alleging that Twitter provided him with falsified information.
If the disclosures are correct, and a data leak does indeed occur, the ramifications could be massive. According to Statista, Twitter has over 440 million users worldwide. Data leaks on this scale are almost unheard of — as such, it’s really difficult to predict the potential consequences. Mass class-action lawsuits are likely, as are a slew of new regulations similar to the GDPR. Whether the company could survive something so catastrophic is up in the air.
One thing is for certain: the fact that Zatko filed complaints with regulators compels the authorities to investigate the situation. If Twitter’s security isn’t up to the required legal standards, the company will be hit with extremely large fines.
The whistleblower: hacker turned chief of security
Peiter Zatko has been a mainstay of the hacker community for decades. It’s his reputation and experience that landed him a job as Twitter’s Chief of Security. His assistance was sought out by Jack Dorsey following the July 2020 hack that left hackers in control of some of the largest accounts on the platform.
He was unceremoniously let go from the company in January of this year. According to a statement cited by The Verge, his allegations are “rife with inconsistencies”. This assessment of Zatko is currently being disputed by many cybersecurity experts who worked with him in the past decades.
Zatko is currently scheduled to appear before the US Congress to speak about his allegations against Twitter.
Twitter has yet to issue a wider statement about the situation.
What does this mean for the wider social media landscape?
Unfortunately, stories like this are simply going to continue happening as long as social media companies continue prioritising profits over user safety. We have seen this happen time and again, most notably with Facebook.
Downplaying security concerns inevitably ends in a disaster. Cast your mind back to the halcyon days of 2018 — remember the Cambridge Analytica scandal? We’re still living through its reverberations.
Unless Zatko’s allegations are completely fabricated, Twitter is in really hot water. The best-case scenario for the company is getting off with several large fines for breaching its FTC agreements.
Ultimately, stories like this are the price we pay for participating in a social media ecosystem composed of a dozen large corporate fiefdoms, which operate without much supervision and forcibly resist any and all attempts at regulation. This is why many experts have been calling for a return to a decentralised Web. Jack Dorsey himself expressed a similar sentiment several years ago.
Twitter wants to develop an open, decentralized, federated social media standard… and then join it https://t.co/nHdcSMbstK pic.twitter.com/n7bu3G1Acy
— Cory Doctorow (@doctorow), December 11, 2019
Open-source projects, such as Mastodon, PeerTube, and Cohost, have emerged as alternatives to corporate-owned platforms. However, they face an uphill struggle when competing with established market giants. This is why these alternative services focus their promotional efforts on their one distinguishing feature — heavy commitments to privacy.
While we’re years (if not decades!) away from replacing current social platforms with open alternatives, the current market leaders still need to watch themselves. Continuing fumbles on the data protection and user privacy fronts will undoubtedly lead to more regulation and more lawsuits, as has been proven by previous incidents. We still live in the shadow of the Cambridge Analytica scandal — and nobody wants to be responsible for “the next big one”.