Editor's Note: (Kara Alaimo, an associate professor in the Lawrence Herbert School of Communication at Hofstra University, writes about issues affecting women and social media. She was spokeswoman for international affairs in the Treasury Department during the Obama administration. The opinions expressed in this commentary are her own.)
The latest bombshell about Twitter's alleged lack of security and potential vulnerabilities is yet another sign that social media networks shouldn't be trusted to regulate themselves.
Last month, Twitter's former head of security, Peiter "Mudge" Zatko, told Congress and federal agencies that the company's security practices pose grave threats to national security. As part of his disclosures, which were revealed by CNN last week, Zatko claims that the company allows about half of its staff — which amounts to thousands of employees — access to critical controls, and one or more of them may be working for a foreign intelligence agency. He also alleges that the company does not adequately protect the security of user data, using servers with outdated software that are missing critical security features like encryption. What's more, he claims that he was discouraged from sharing the full extent of the company's security problems with its board.
Twitter, of course, disputes the idea that it has big security problems. It told CNN that engineering and product teams can only access the production environment if they have "a specific business justification," that employees use devices that IT and security teams oversee, and that if a device is running on outdated software, they can prevent it from connecting to sensitive internal systems. However, Twitter did not respond to questions about its alleged foreign intelligence vulnerabilities.
A spokesperson told CNN that "Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance." The spokesperson also said, "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context."
(Zatko contends that he was fired in retaliation for raising security concerns at the company.)
This latest whistleblower report makes clear that social media platforms not only pose potential privacy risks to users, but also national security risks. Congress needs to urgently pass a law regulating what data social networks can collect, how they can share it, how they can store it, who can access it and under what circumstances. Lawmakers also need to give the Federal Trade Commission (FTC) a specific mandate to closely oversee social media companies' security and privacy practices. That would ensure that these companies follow any new regulations put in place. We simply can't trust them to maintain their own data collection and sharing and security standards.
Consider the ramifications of a social media company's inadequate security protocols. If a company lacks proper safeguards to protect user passwords or employees' accounts, the accounts of legitimate sources such as high-profile people could be taken over and used to issue dangerous, even deadly, claims or directives.
Recall that, in 2020, hackers took control of the Twitter accounts of people like Elon Musk, Bill Gates and Barack Obama to promote Bitcoin, and Twitter users were tricked into forking over more than $100,000. The hackers accomplished this by targeting employees who had access to internal tools and, with that access, were able to post the tweets themselves.
Further, if a company places no limit on how many employees have access to user information, and lacks safeguards to ensure that employees and users aren't hacked, then hackers — or even employees — could gather sensitive information about users from their social media data and share it with foreign intelligence agencies. Gaining access to their passwords or private messages can reveal evidence of things like affairs or abortions that bad actors can use to try to blackmail them into spying.
Does it sound crazy to think that a Twitter employee would sell user data to a foreign government? Just this month, a former Twitter employee was found guilty of giving private information about Twitter users to the government of Saudi Arabia in exchange for money.
That's why it's critical for social networks to limit access to sensitive user information, store and share as little user data as possible, and take every possible measure to prevent hacks. Zatko's allegations suggest, at least at Twitter, this simply isn't happening.
Such threats are too serious to leave to social media companies to manage on their own. We need legislation that strictly limits the number of employees who can have access to user data, prohibits the sharing of that data with third parties, and requires companies to take stronger measures to guard against hackings.
Congress needs to step in urgently to help protect social media users — and the country — from the possibility of these kinds of breaches.