For fire departments, governments, school districts, businesses, and organizations around the world, Twitter is a tool for getting messages across quickly, efficiently, and directly.
But it is also a constant calculation of risk and reward.
A recent report from Twitter’s former chief security officer alleges that the social network has been recklessly lax on digital security and privacy protections for its users for years. While troubling for anyone on Twitter, the revelations could be especially worrying for those who use it to reach constituents or spread news about emergencies, and for political dissidents and activists targeted by hackers or their own governments.
“We tend to see these companies as large, well-resourced entities that know what they’re doing, but you realize a lot of their actions are ad hoc and reactive, crisis-driven,” said Prateek Waghre, policy director at Internet Freedom Foundation, a non-profit organization based in India. “Essentially, they are often held together with tape or chewing gum.”
Peiter “Mudge” Zatko, who served as Twitter’s chief security officer until he was fired earlier this year, told federal authorities last month that the company misleads regulators about its digital defenses and is negligent in its attempts to remove fake accounts that spread disinformation. Among Zatko’s most serious allegations is that Twitter violated the terms of a 2011 settlement with the US Federal Trade Commission (FTC) by falsely claiming that it had implemented more stringent measures to protect the security and privacy of its users.
Waghre said the allegations in the complaint concerning India — that Twitter knowingly allowed the Indian government to place its agents on the company’s payroll, where they had “direct and unsupervised access to company systems and employee data users” — were particularly worrisome. He also pointed to an incident in early August where a former Twitter employee was found guilty of passing sensitive user data to members of the Saudi royal family in exchange for bribes.
The consequences of security breaches can range from the inconvenient or embarrassing, like when an Indiana police account was hacked and tweeted “poop head,” to far worse. In October 2021, a Saudi aid worker was sentenced to 20 years in prison over an anonymous, satirical Twitter account that Riyadh claimed he ran. The case may be related to the men accused of spying on behalf of the kingdom while working at Twitter.
Twitter says the whistleblower’s claims present a “false narrative” about the company and its privacy and data security practices, and that the claims lack context. “Security and privacy have long been company-wide priorities at Twitter and will continue to be,” the company said in a statement.