I’m seeing in the news today that a subset of Twitter users have been receiving notifications that they may well be the targets of surveillance by nation state actors. Step one, let’s all take a deep breath.
Twitter has taken this extraordinary step to warn users and I find it both commendable and troubling. The reason I am concerned about this is that it makes me wonder if they have suffered a breach that has not been publicized. The flipside of this is that it could be the perfectly innocent product of analytics work. Twitter has not indicated how they know these users have been targeted. Nor has the social media company indicated how many users are affected.
From the letter:
As a precaution, we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors. We believe that these actors (possibly associated with a government) may have been trying to obtain information such as email addresses, IP addresses, and/or phone numbers.
At this time, we have no evidence they obtained your account information, but we’re actively investigating this matter. We wish we had more we could share, but we don’t have any additional information we can provide at this time."
Some nonsensical talking heads in the security space spun up in a blink of an eye citing “proof” from the alleged North Korean breach of Sony Pictures last year. They also were quick to blame China. While I don’t dispute that some users are being targeted I hesitate to point the finger at anyone without…you know, PROOF.
One of the users who received the email from Twitter is Runa Sandvik:
Twitter suggests I use Tor to protect my online identity, yet frequently blocks accounts accessed over Tor. pic.twitter.com/5ChKERPscC— Runa A. Sandvik (@runasand) December 11, 2015
Sandvik makes an important point. Things take a bit of an odd turn in the email that they sent out when they take the step of suggesting users leverage the Tor Project. Take for example, just this past September users were reporting that they were not able to access their Twitter accounts while using Tor while apparently blocking the accounts that do.
Recently, several users—including a Tor developer—have reported being locked out of their accounts whilst using Tor, and have then been asked to provide a phone number to regain access.
In March of 2015 there were reports that Twitter was pushing for phone numbers to be provided for new Twitter accounts. I have seen this myself when I tried to set up a new account and opted against it in the end.
Asking these people to provide a phone number puts them at risk: in many places they will be forced to tie any phone number to a real-life identity. To pick just one example, a new law in Pakistan requires fingerprints from all cell phone users. Similar laws are common around the world, and obtaining a truly anonymous cell phone can be prohibitively difficult. Beyond that, a national phone provider could be pressed to provide details, say, of who is receiving Twitter confirmation texts.
I would like to think that this email to users encouraging them to use Tor is signaling a new point of view for the social media giant. They are by no means the only company that are taking the step to block Tor. This list provides a number of the services that block the anonymity service.
I’m looking forward to learning more about this "state-sponsored actor” issue and how the company was able to puzzle this out.