SAN FRANCISCO (AP) — From fire departments to governments, school districts to corporations, local utilities to grassroots organizers around the world, Twitter, at its best, is a tool for getting a message out quickly, efficiently, and directly.
It is also a constant risk-reward calculation.
A recent bombshell whistleblower report from Twitter’s former security chief alleges that the social media company has been negligently lax about cybersecurity and user privacy for years. While the revelations are worrying for everyone on Twitter, they could be particularly worrying for those who use them to reach constituencies, break news of emergencies, and political dissidents and activists in the crosshairs of hackers or their own governments.
“We tend to think of these companies as large, well-resourced entities that know what they’re doing – but you can tell a lot of their actions are ad hoc, reactive and crisis-driven,” said Prateek Waghre, policy director at the Internet Freedom Foundation, a non-profit digital rights organization in India. “Essentially, they’re often held together by duct tape or chewing gum.”
Peiter “Mudge” Zatko, who served as Twitter’s chief security officer until his sacking earlier this year, filed the complaints with US federal agencies last month, claiming the company had told regulators about its poor cybersecurity defenses and its negligence in the attempt , rooting out fake, misled accounts spreading disinformation. Among Zatko’s most serious allegations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming it had tightened measures to protect the security and privacy of its users.
Waghre said the allegations in the complaint about India — that Twitter knowingly allowed the Indian government to place its agents on the company’s payroll, where they would have “direct unattended access to the company’s systems and user data” — are of particular concern. He also pointed to an incident earlier this month in which a former Twitter employee was found guilty of leaking sensitive user details to members of the royal family in Saudi Arabia in exchange for bribes.
The consequences of privacy and security breaches can range from inconvenience and embarrassment — like when an Indiana State Police account was hacked and tweeted “Poo-Poo Head” earlier this year — to much worse. In October 2021, a Saudi humanitarian was sentenced to 20 years in prison for an anonymous, satirical Twitter account that the kingdom claims it was running. It’s possible the case is linked to the men accused of spying for the kingdom while working at Twitter.
As an advocate for dissidents and others incarcerated in Saudi Arabia, Bethany Al-Haidari has been concerned about Twitter’s privacy practices for years. They are all the more concerned about the new whistleblower allegations.
“It’s incredibly problematic given what we know about how social media is used around the world,” said Al-Haidari, who works for The Freedom Initiative, a US-based human rights group. The possibility of hackers or governments exploiting Twitter’s alleged cybersecurity vulnerabilities to obtain users’ identities, private messages or other personal information “is quite concerning to me,” she said.
Sino-Australian artist and activist Badiucao, who regularly publishes art critical of the Chinese Communist Party, expressed concern about the whistleblower’s allegations, noting that many users are giving their phone numbers and emails to Twitter.
“Once this personal information is leaked, it could be used to track your identity,” he said. Badiucao said he regularly receives death threats and propaganda from accounts that appear to be bot or spam.
But the artist plans to continue using Twitter, saying it’s probably the best option for Chinese-speaking activists and artists as a “free speech sanctuary.”
Twitter says the whistleblowers’ claims constitute a “misrepresentation” about the company and its privacy and data security practices, and that the claims lack context. “Security and privacy have long been, and will continue to be, company-wide priorities at Twitter,” the company said in a statement.
Despite the heightened concern sparked by Zatko’s claims, none of the groups The Associated Press spoke to this week plan to stop using Twitter. Security experts say while the whistleblower’s claims are alarming, there is no reason for individual users to delete their accounts.
Experts say high-profile Twitter users and world governments may be at greater risk than average users. In 2020, for example, Twitter suffered an embarrassing hack by a teenager who accessed the accounts of then-President Barack Obama, Joe Biden, Mike Bloomberg, and a host of tech billionaires, including Tesla CEO Elon Musk and Amazon founder Jeff Bezos . Musk is currently locked in a battle with Twitter as he attempts to exit a $44 billion deal to buy the company.
Another security incident sparked the alarm of Jennifer Grygiel, a Syracuse University communications professor who follows Twitter closely. In 2017, a Twitter account executive deactivated then-President Donald Trump’s account for a few minutes on his last day of work. While the account was quickly restored, Grygiel said, the incident showed how vulnerable Twitter was when it came to governments, heads of state and military branches using the platform.
“Am I surprised and shocked by the whistleblower’s allegations? I’m not,” said Trav Robertson, leader of the South Carolina Democratic Party, which uses Twitter to communicate with about 18,700 supporters. But he argues that it’s especially important that people don’t assume that “the constant attacks on our emails, our databases, our Twitter accounts, our Facebooks” is the new normal. “If we get desensitized to that, we can’t be proactive,” he said.
At the Denver City Fire Department, Public Information Officer JD Chism admits his concerns about safety issues. But the department must balance that risk against the way Twitter has become a staple of communicating emergencies to the public. The department’s Twitter feed has real-time updates on fires and resulting road closures and injuries, as well as retweets from other agencies warning of hazards like flash floods.
For now, the department will use Twitter as always, Chism said, “Caring for people is good and that’s what we’re here for.”
Associated Press Writers Krutika Pathi in New Delhi; Jesse Bedayn in Denver; Jennifer Peltz in New York; James Pollard in South Carolina; Zen Soo in Hong Kong; Margaret Stafford in Kansas City; Russ Bynum of Savannah, Georgia; Jay Reeves in Birmingham, Alabama; Amy Taxin in Orange County, California; Rebecca Santana in New Orleans; Jonathan Mattise in Nashville, Tennessee; and Michael Goldberg of Jackson, Mississippi contributed to this story.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.