A group of senior US senators have sent a letter to Elon Musk and new CEO Linda Yaccarino highlighting the site's poor security and privacy track record since the billionaire took over the social media platform last November.
The letter, sent Friday, was lodged after reports surfaced that two top security executives had resigned from the platform, including the now-former Head of Trust and Safety, Ella Irwin.
Data privacy and security issues at Twitter were common before Musk’s takeover, however, and it’s hard to see how this will improve amid a wave of experienced staff vacating crucial, user safety-focused roles.
Twitter: Not a Safe Place for Your Data?
The letter – signed by four Democratic senators, including Elizabeth Warren – first raises concerns regarding “personnel and product decisions” described as “hasty”.
It notes the recent resignation of top officials concerned with trust and safety on the platform, as well as the security executives that left Twitter in the wake of Musk’s takeover back in November 2022.
Reports that suggest Twitter hasn’t been conducting internal privacy reviews are also referenced, along with the mass layoffs that have seen over 80% of the social media site’s staff leave in the last eight months.
These decisions, the senators say, raise concerns about whether Twitter is violating a consent decree it signed in 2011 amid allegations it misled consumers about how it was using their information.
There have been other strange and seemingly slapdash security decisions taken during Musk’s reign, including the scrapping of two-factor authentication via SMS for users that don’t subscribe to Twitter Blue, a move which weakened the account security of millions of users overnight.
Twitter Had Data Privacy Issues Long Before Musk Arrived
The letter highlights other instances prior to Musk’s arrival in which Twitter has shown a clear disregard for the safety and privacy of its users.
Just last year, in May 2022, Twitter was ordered to pay a hefty $150 million fine because, between 2013 and 2019, it used phone numbers and other personal information that users had handed over for two-factor authentication to target advertising.
After that, in July, former head of security Peter Zatko filed a complaint to the FTC alleging that egregious security practices were commonplace at Twitter.
He alleged at the time that around half of the company’s servers were running on archaic, obsolete software, leaving Twitter's entire system vulnerable to attacks, and that security executives were not painting an accurate picture of the breaches regularly occurring on the platform when communicating with top brass.
Zatko also said that almost a third of the company’s laptops were blocking crucial security updates, while droves of employees had access to highly sensitive source code.
Some of the most damning accusations leveled at Twitter last year – and discussed extensively by security researchers on the platform – included the intentional installation of spyware by Twitter employees, as well as the fact that 5,000 employees had privileged access to the platform’s production systems.
Of course, there are also millions of Twitter users who have had their information leaked online since 2021, after a severe API bug meant that any individual submitting email addresses or phone numbers to Twitter’s systems would be told which accounts they pertained to.
Is Twitter Worth the Risk?
Right now, Twitter is still a central hub for heads of state, governments, companies, and individuals to engage in public discourse. Twitter alternatives exist but until the world’s most influential personalities jump ship, it will remain foundational to the global conversation, which is worrying considering the platform's safety track record.
Historical security issues, coupled with the recent exodus of trust and safety-focused personnel – as well as the gutting of the site’s content moderation team – leave few reasons to be optimistic.
If you have a Twitter account, it’s important you stay up to date with privacy and security stories relating to the platform, and ensure you're using a password manager to bolster your first line of defense against hackers – especially if you've had two-factor authentication removed from your account.