BREAKING EXPERT COMMENT: Whistleblower Hands Musk The Key To Twitter

Russell.king, CEO, InfoSec Expert
August 24, 2022 7:48 am

When it comes to bots, having a robust onboarding process that verifies individual identity would significantly reduce the exposure to the numbers of ‘bot’ accounts. As part of the onboarding service, the reusability of a digitally verified user record presents a compelling opportunity to further reduce the platform’s ongoing vulnerability to account takeovers. Applying the verified user record in the subsequent authentication of users accessing their accounts provides a robust defence to such nefarious activities. Digitally verified user records do not require the holders’ personally identifiable information to be persisted or stored, making them a highly attractive credential for broad and ubiquitous application.

The onus is on businesses to take the initiative here and not rely on government regulations to act. If anything, regulations have hurt previous attempts to create viable reusable digital identity frameworks. For example, COPPA regulations in the US created an environment where social media organisations were reluctant to cross the line and commit to robustly verifying users in the account opening process as they could potentially face liability for the exposure or actions on the part of users.

Finally, there are user concerns over privacy and the exposure of their personal information that have prevented this technology from being used to remove bots. However, the current leading identity verification software can create secure records storing no PII at all, holding no directly identifiable information on the part of the user.

Patrick.dennis, CEO, InfoSec Expert
August 24, 2022 7:41 am

There are a few really important takeaways from the first reports of the Twitter whistleblower disclosure. First, it underscores the extent to which security that is treated as merely a technical issue is doomed to fail. Cybersecurity policies and practices need to have the full support of the organization, including its board and leadership. If the whistleblower’s allegations are true, security was—at best—an afterthought for Twitter’s leadership.

Second, it sheds new light on what many hinted at during the Elon Musk takeover bid: the Twitter platform itself has serious vulnerabilities that the company isn’t taking seriously at all. In the Musk deal, Twitter’s refusal to provide relevant data regarding the prevalence of bots on the platform ultimately resulted in Musk pulling out, and for good reason. Bots are not only used by nation states for cyberespionage and digital Kompromat, they are also used for social engineering that conditions users to click on malicious links and engage in other unsafe online behaviour. Given their refusal to acknowledge or deal with the bot problem in any material way, it should come as no surprise that Twitter also lacks the willingness to address other major security concerns regarding the privacy and safety of its users.

In terms of what consequences Twitter will face, I expect that regulators in the EU will be very keen to understand how consumer data has been mismanaged for purposes of GDPR. I expect similar investigations in California under CCP. But I think the one to watch is how federal authorities will treat the allegations that Twitter employees are working for a foreign intelligence service. There has long been speculation about tech company employees being planted by nation state governments. If this is true, it could bring substantially more scrutiny around hiring practices.
