
If Musk Starts Firing Twitter's Security Team, Run

What’s next for the social network is anyone’s guess—but here’s what to watch as you wade through the privacy and security morass.

Wired

Elon Musk is buying Twitter for $44 billion after the least sexy will-they-won’t-they saga of all time. And while Musk attempted to reassure advertisers yesterday that “Twitter obviously cannot become a free-for-all hellscape, where anything can be said with no consequences,” the acquisition raises practical questions about what the social network’s nearly 240 million active users can expect from the platform in the future.

Chief among these concerns are questions about how Twitter’s stances on user security and privacy may change in the Musk era. A number of top Twitter executives were fired last night, including CEO Parag Agrawal, the company’s general counsel Sean Edgett, and Vijaya Gadde, the company’s head of legal policy, trust, and safety who was known for working to protect user data from law enforcement requests and court orders. Gadde ran the committee that ousted Donald Trump from Twitter in January 2021 following the Capitol riots. Musk, meanwhile, said in May that he would want to reinstate Trump on the platform and called the former US president’s removal “morally bad.”

This afternoon, Musk wrote that “Twitter will be forming a content moderation council with widely diverse viewpoints. No major content decisions or account reinstatements will happen before that council convenes.”

Content moderation has real implications for user security on any platform, particularly when it involves hate speech and violent misinformation. But other topics, including the privacy of Twitter direct messages, protection from unlawful government data requests, and the overall quality of Twitter’s security protections, will loom large in the coming weeks. This is particularly true in light of recent accusations from former Twitter chief security officer Peiter “Mudge” Zatko, who described Twitter as having grossly inadequate digital security defenses in an August whistleblower report.

“Personally, I don’t know what to do, especially when you take Mudge’s whistleblower complaint into consideration,” says Whitney Merrill, a privacy and data protection lawyer and former Federal Trade Commission attorney. “I’m just not putting any sensitive data or data I’d like to stay confidential into DMs.”

Twitter offers a tool for downloading all the data it holds in your account, and reviewing your own trove is a good first step in understanding what information the company has linked to you. It’s unclear, though, exactly how much control you currently have over deleting this data, and the policies could continue to evolve under the Musk administration. Twitter DMs, for example, only offer the option to “Delete for You,” meaning delete messages from your own account but not for other users.

More broadly, Twitter’s current policy on account deactivation simply says, “If you do not log back into your account for the 30 days following the deactivation, your account will be permanently deactivated. Once permanently deactivated, all information associated with your account is no longer available in our Production Tools.” It is unclear what exactly this means in terms of long-term data retention and, again, policies may change in the future.

“It appears Twitter isn’t even deleting data of end users, and private messages are kept forever or maybe until all participants delete,” Merrill says. (Twitter did not yet respond to WIRED’s request for comment.)

It’s worth noting that for most users, Twitter’s core purpose as a public microblogging service is something of a saving grace. A lot of the things most people have done on Twitter over the years were meant to be publicly accessible. But private Twitter accounts and direct message chats are both popular Twitter features and important considerations as the company evolves.

“This is an emerging situation, but to the extent DMs were ever considered safe from inspection by staff, the threat is greater with the extensively reported rumors of staff reductions,” says Jake Williams, director of cyber-threat intelligence at the security firm Scythe and a former National Security Agency hacker. “Some of the first staff to be cut in any reorganization are personnel involved in nonfunctional activities, such as security specialists and internal policy oversight.”

Zatko, the former Twitter chief security officer, warned in both his written report and subsequent Congressional testimony of rogue insiders at Twitter, including nation-state actors, woefully inadequate access controls, and weak digital security defenses. As a result, a lack of security investment in the Musk era could pose a real danger to users over time. And Twitter has been plagued by both criminal and state-backed attacks over the years.

It’s important to keep in mind, though, that the social giant is still a public company and that Musk himself would face legal liability if he or any of his appointees personally access user data or take other rogue actions like, say, leveraging the Twitter mobile application to grab user data outside of Twitter’s scope.

“This all should be very concerning, but users don’t need to overreact,” Williams says. “There will still be disincentives to run afoul of regulators.”

Even if many users are sticking around to see how things shake out, some are already balking at the extreme uncertainty of the situation. This evening, General Motors said it was temporarily suspending advertising on the social network.
