Twitter has been lax on cybersecurity and privacy protections for years: Former security chief

SAN FRANCISCO  — From fire departments to governments, from school districts to corporations, from local utilities to grassroots organizers around the world, Twitter at its best is a tool to get a message out quickly, efficiently, directly. It’s also a constant risk-and-reward calculation.

A recent bombshell whistleblower report from Twitter’s former head of security alleges that the social media company has been negligently lax on cybersecurity and privacy protections for its users for years. While worrisome for anyone on Twitter, the revelations could be especially concerning for those who use it to reach constituencies, get news out about emergencies and for political dissidents and activists in the crosshairs of hackers or their own governments.

“We tend to look at these companies as large, well-resourced entities who know what they’re doing — but you realize that a lot of their actions are ad hoc and reactive, driven by crises,” said Prateek Waghre, policy director at the Internet Freedom Foundation, a digital rights nonprofit in India. “Essentially, they’re often held together by cello tape or chewing gum.”

Peiter “Mudge” Zatko, who served as Twitter’s security chief until he was fired early this year, filed the complaints last month with federal U.S. authorities, alleging that the company misled regulators about its poor cybersecurity defenses and its negligence in attempting to root out fake accounts that spread disinformation.
Among Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.

Waghre said the allegations in the complaint about India — that Twitter knowingly allowed the Indian government to place its agents on the company payroll where they had “direct unsupervised access to the company’s systems and user data” — were particularly worrisome. He also pointed to an incident earlier this month where a former Twitter employee was found guilty of passing along sensitive user data to royal family members in Saudi Arabia in exchange for bribes.

The consequences of privacy and security lapses can range from inconvenience and embarrassment — such as when an Indiana State Police account was hacked and tweeted “poo-poo head” earlier this year — to much worse. In October 2021, a Saudi humanitarian aid worker was sentenced to 20 years in prison because of an anonymous, satirical Twitter account that the kingdom says he ran. It’s possible that the case is linked with the men accused of spying on behalf of the kingdom while working at Twitter.

As an advocate for dissidents and others detained in Saudi Arabia, Bethany Al-Haidari has been concerned for years about Twitter’s user privacy safeguards. The new whistleblower allegations make her all the more worried.

“Given what we know about how social media is used around the world, that is incredibly problematic,” said Al-Haidari, who works for The Freedom Initiative, a U.S.-based human rights group. The possibility of hackers or governments exploiting the alleged cybersecurity lapses at Twitter to get users’ identities, private messages or other personal information “is quite disturbing to me,” she said.

Chinese-Australian artist and activist Badiucao, who regularly publishes art that criticizes the Chinese Communist Party, expressed concern about the whistleblower’s allegations, noting that many users provide their phone numbers and emails to Twitter.

“Once that personal information is leaked, it could be used to trace your identity,” he said. Badiucao said he regularly receives death threats and propaganda from what appears to be bot or spam accounts.

But the artist plans to keep using Twitter, saying it’s probably the best option Chinese-speaking activists and artists have for a “shelter for free speech.”

Twitter says the whistleblower claims present a “false narrative” about the company and its privacy and data security practices, and that the claims lack context. “Security and privacy have long been company-wide priorities at Twitter and will continue to be,” the company said in a statement.

(AP)

Leave a Comment

More News