Twitter's security issues predate Elon Musk – and firing staff isn't going to help


A month of Twitter's new management has passed, and the blue bird hasn't stopped making headlines.

A tumultuous series of back-and-forths finally ended with Musk's takeover at the end of October, culminating in a $44 billion deal.

The richest man in the world said he was buying the popular social media platform to protect free speech. Many users are now wondering whether he has the same vision for their right to privacy.

From firing top executives along with roughly half the company's staff to launching a paid premium tier and appointing himself as the new CEO, Musk has been busy in his first 30 days in command.

Twitter was already tainted by earlier data privacy and security failures, and cybersecurity experts are now voicing concerns about Musk's reckless behavior. While controversial, previously banned accounts have returned to the platform, many users are flocking to alternative services instead.

So, what's at stake for the privacy of those willing to stay?  

Pre-Musk Twitter and privacy issues

It isn't surprising that all eyes are on the blue bird now. 

Twitter's privacy problems started long before Musk's takeover. The company has quite a history of failing to protect users' data.

In 2009, a hacker used an employee's administrative login to hijack several high-profile accounts and send out phishing messages. The hijacked profiles included those of Barack Obama, Fox News and Britney Spears.

Only a year later, the US regulator FTC filed a complaint against the company for failing to safeguard users' personal information. The resulting consent order barred Twitter for 20 years from misleading consumers about how it protects their data, and required it to establish and maintain "a comprehensive information security program."

Unfortunately, not much seems to have changed since then. 

In May this year Twitter agreed to pay a $150 million FTC penalty over related allegations: it had used personal data such as email addresses and phone numbers for targeted advertising.

The company had encouraged users to hand over their phone numbers for security reasons, such as two-factor authentication, and then abused that trust for six long years, between 2013 and 2019.

In December 2020 it was the turn of Ireland's Data Protection Commission, acting under the GDPR, to punish the company with a €450,000 (about $550,000) fine for failing to notify a data breach correctly and on time.

More recently, a Twitter whistleblower sounded the alarm, alleging that major security flaws threatening users' personal information, and even national security, still persist on the platform.

Renowned hacker Peiter "Mudge" Zatko, Twitter's head of security from November 2020 to January 2022, claimed that thousands of employees could access any user's personal information without needing that access to do their jobs.

He also alleged that the company repeatedly misled regulators by hiding its security problems.

What's changed since Musk's takeover?

It is fair to say that Musk acquired not only Twitter but also its blighted privacy and security infrastructure. Many experts believe, however, that the company's fragile state has worsened since the new CEO took charge.

The wave of layoffs that followed Musk's takeover is probably the most worrying event, and not just from a workers' rights perspective.


More than 50% of staff were fired, and many other employees decided to quit. They included executives from the most critical departments, such as data privacy, compliance and transparency.

Privacy expert Vuk Janosevic, CEO and co-founder of the privacy consultancy Blindnet, said this is particularly worrying for a company like Twitter, which lacks a network of privacy-preserving technologies.

"They have software that is not built for privacy and the whole infrastructure around it - like chief security officer, chief privacy officer and chief legal counsel - they all left," he said.

Following the exodus, the legal team is reportedly asking engineers to self-certify their own compliance with the FTC consent order, GDPR and other regulations, a shift that prompted a warning from one of the company's own attorneys.

That is risky because each engineer builds only a small part of the overall product flow, so self-certification relies on every engineer sharing the same ethics and the same understanding of data privacy.

"That's a recipe for disaster," Janosevic told TechRadar. "There are ways to build privacy-preserving software, something called subject rights and consent measurement, radiation interoperability. But rebuilding Twitter to do this requires a massive undertaking." 

The consequences are already visible: some users were locked out of their accounts by failures in multi-factor authentication, for example.


"It's time. Delete your Twitter DMs," wrote another cybersecurity expert, Graham Cluley, in a blog post, as the social media giant's reputation crumbles.

At the same time, Musk's decision to make Twitter's blue verification check an exclusive perk of the paid tier has led to a rise in impersonation and scam accounts across the platform, which also makes misinformation easier to spread.

While Janosevic considers this a "product flaw," a paid membership also means the company must handle even more sensitive data, such as payment details and billing addresses.

What's more, Musk's ambitious vision of turning Twitter into an "everything app" does nothing to ease old or new privacy concerns.

All this requires much more data to be collected, stored, and yes, shared. 

Both the FTC and EU data protection regulators have confirmed they are closely monitoring events as they unfold inside the company.

What's next for users' privacy?

Like it or not, Twitter 2.0 is slowly taking shape. What is certain is that Musk and the remaining staff will have to work hard to win back the trust of everyone, from users and investors to privacy experts and compliance officers.

"From a privacy perspective I would say I'm very concerned," Janosevic told TechRadar. "It doesn't mean that it's gonna end badly. It can be done, but there's a lot of challenges at Twitter right now. 

"Political challenges, technical challenges, regulatory challenges: I can't even imagine what the priority list looks like for Elon, but there's no excuse not to do it, to rebuild a system that brings back user trust into the platform." 

Twitter's privacy track record is shady, to say the least. Still, some announced features may reassure users.

Musk flagged the lack of encrypted DMs as a concern long before the takeover. He has now officially announced that his Twitter revamp will bring end-to-end encryption to all direct messages, with encrypted voice and video chats in the pipeline too. End-to-end encryption would keep message content out of reach of Twitter's own staff and of any server-side breach, though on its own it does not hide who is messaging whom, or when.

"We want to enable users to be able to communicate without being concerned about their privacy, [or] without being concerned about a data breach at Twitter causing all of their DMs to hit the web, or think that maybe someone at Twitter could be spying on their DMs," said Musk, detailing his vision for Twitter 2.0, The Verge reported.

"That’s obviously not going to be cool and it has happened a few times before."  


While Twitter works to repair its public and technical reputation, users cannot leave their own privacy to chance.

From using security software such as VPN services and password managers to carefully reviewing their privacy settings, users in 2022 need to be aware of their own data, as Janosevic argued.

"If you're not asked for consent and you don't have the ability to easily control the information in the system, you have to assume that they're abusing it. 

"If you're on Twitter and still tweeting, just be cognizant of it. You can still share information, personal or public, whatever that is. You just have to be cognizant that the system doesn't have the infrastructure to protect your consent and protect your privacy. Your privacy rights." 

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com