Last week was a huge news week for Twitter security apparently. There were a few stories about it: Trump’s feed was deleted for eleven minutes by an angry customer support rep leading to a host of folks calling for better security for the platform, there was continued investigation about election tampering and the role of social media in it, and then we also had a leaked memo from Twitter CEO Jack Dorsey about the release schedule for security measures that is bound up in the whole Harvey Weinstein affair because of Rose McGowan’s account being locked following posts about him.
Here’s the question that I would have about this. Fundamentally, what are our security expectations for a service like Twitter? I mean this both from a societal perspective (i.e. social norms) as well as from a regulatory perspective. For example, here we have an article from India Times highlighting the fact that Twitter is “stepping up security” because of the Trump thing. However, note that this is entirely voluntary on their part.
This particular article caught my attention for a few reasons. First, there is the fact that the security of Twitter is being referred to as a “national security matter”; from the article:
Jennifer Grygiel, a Syracuse University professor who studies social media, said the deactivation is worrisome. “This is no laughing matter,” she said. “This is a serious issue and one of national security.”
At what point did Twitter go from “toy” to “issue of national security”? Because there’s a line there and I legit can’t figure out where it is. Is it based on volume? Meaning, the security of Plurk isn’t a national security matter (because it has fewer users) while the security of Twitter is? Or is it because of who uses it? Like, if someone accidentally installs Snapchat on Trump’s phone, does it go from “who cares” to “national security”? I’m not following the logic on when the security of <insert arbitrary Internet service> escalates to national security status. I’m not saying it should be one way or the other… I’m just saying I wish I better understood where this line is.
The article then goes on to say:
“It is shocking that some random Twitter employee could shut down the president’s account,” Blake Hounshell, the editor-in-chief of Politico Magazine, wrote on Twitter.
Is it? Is it really? Why are you shocked? The fact of the matter is that Twitter has no regulatory reason (currently) to do anything for or about security other than a few “bare minimums” — that don’t, by the way, include anything related to their customer service team. Excepting the small portion of their environment that processes credit card transactions (because PCI) and financial reporting (because SOX), there’s nothing covering this. They’re not regulated, they’re not critical infrastructure… So any screening of their customer service personnel? Any protection measures they might choose to employ? They’re entirely voluntary. Under this view, they owe the world nothing.
Here’s what I mean. Say Twitter wanted to outsource their customer service to the Arkham Asylum for the Criminally Insane? Could they do this? If not, why not? It seems like a bad idea to me, but isn’t that a risk/reward decision they are within their rights to make? If they wanted to hire Lucifer himself as their privacy officer, what rule are they breaking should they do so? So long as they adhere to the agreements they have made with users (via the EULA and their privacy policy)… and so long as they adhere to the letter of the law with respect to breach notification, avoid negligently harming people (tort), and ensure the integrity of their financial reporting (because SOX)? Seems to me like, within these boundaries, they can do whatever they want.
This magic happens because they are a “communications platform” and not, for example, a media company or communications infrastructure provider. The fact that they are a “platform” rather than a “provider” means they are not regulated by the FCC. The fact that they are a platform likewise means that they don’t have the same obligations (for example w/r/t newsworthiness of what they put on that platform) compared to, say, a television station or newspaper. They can pretty much do whatever. If we as a society don’t want this, we need a framework for them to fit into. Such frameworks already exist; it’s just that Twitter isn’t voluntarily getting into one of those boxes and we as a society aren’t forcing the issue.
From the article:
Twitter responded with a pledge to review its policy while noting that “newsworthiness” and public interest must be considered in deciding whether to take down a tweet. Grygiel said it is problematic that the president is using a private entity to issue important statements on policy. “There are communications risks with the president’s reliance on a public communications company,” she said, noting that Twitter has a right to ban Trump at any time.
See? Voluntary. They consider themselves the arbiter of both what measures are appropriate as well as their own obligations about what is newsworthy or in the public interest. Should it be this way? That’s a different question. For example, the USA Patriot Act defines “critical infrastructure” as:
…systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
It sounds to me like the root argument here is that Twitter falls under the definition of critical infrastructure. I would argue that if Grygiel is accurate in her assessment about this being a vehicle for policy, then it arguably is. If that policy could have economic or geopolitical implications, it becomes a lot clearer. If tweets can impact stock prices (and we know they do), it likewise becomes a whole lot less “shades of grey”-ish. At a minimum, I would argue that current usage of Twitter (not just by Trump but by politicos more generally) fits the definition. Twitter is now, by virtue of how it’s used, “critical infrastructure”. I may not love that, but it’s the practical reality. Arguing otherwise misses the intent of the definition in the first place.
It seems clear to me that Twitter doesn’t see it this way. At least not yet. If Twitter were CI, it would fall under the umbrella of “Information and Telecommunications”, right? Or under “communications” per the NIPP? I think so. One can extrapolate the type of companies that self-identify as being in those groups based on their participation in the IT-ISAC. The members list is here. Twitter (or any other social media company) isn’t on it. As a starting point, I would encourage you to read the DHS pages about both communications and information technology sector-specific planning.
In the meantime though, if we as a society feel like Twitter has an obligation as a critical infrastructure provider, it seems like someone should tell them about it. If we feel like they should do something specific about security (like have a reasonable amount of it), we need a regulatory instrument to cause this to occur. If not, we shouldn’t be surprised when an intern can delete people’s accounts, post spurious tweets on their behalf, or really do just about anything else.