Whatever your opinion of Elon Musk, it would be an understatement to say that his $44 billion takeover of Twitter has not gone smoothly. Completed at the end of October after a very protracted and uncertain process, the acquisition has culminated in pandemonium both on the platform itself and at Twitter HQ.
Most memorably, the well publicised and ill-fated revamp of the blue-tick profile verification system resulted in countless legitimate-looking impersonations of famous people and companies. One such case, where a user impersonating pharma giant Eli Lilly tweeted “We are excited to announce that insulin is now free”, is credited with causing the company’s stock price to drop nearly 4.5%, wiping $15 billion off its market cap. A similar incident also occurred with weapons manufacturer Lockheed Martin, dropping its share price by over 5%.
While it might be difficult to find anyone other than the companies’ direct investors losing any sleep over this, the newfound ease with which a celebrity or well-known brand could be impersonated, also (unsurprisingly) saw an instantaneous rise in scammers utilising this functionality to attempt to commit fraud, identity theft and so on. Because of this, even more unsurprisingly, the self-christened “Chief Twit” ‘s new verification system was suspended after only a handful of days.
There are also numerous concerns from a privacy and security standpoint which have yet to be addressed. One of these is the abrupt sacking of over half of Twitter’s current workforce, followed by the resignations of the company’s Chief Information Security Officer, Head of Compliance and also the Chief Privacy Officer, which then saw many other staff in cybersecurity and related teams follow suit. This is concerning for a company which already has a history of privacy-related incidents. Just this year, the US Federal Trade Commission (FTC) hit Twitter with a $150 million fine for using the email addresses and phone numbers of its users for advertising purposes, despite telling individuals that this personal information would only be used for account recovery and/or multi-factor authentication.
Another concern has to do with some of the accompanying investors involved in the takeover. The Qatari sovereign wealth fund put $375 million into Musk’s acquisition bid, while prominent Saudi investors linked to the gulf state’s government are now the joint second largest investors in Twitter after Musk himself, with shares worth around $1.9 billion. While Twitter is potentially more vulnerable from a cybersecurity and data protection perspective, the financial involvement of states that are well documented as having a disregard for human rights raises concerns for the personal data of the platform’s users – and has even been posited as a potential national security concern by US authorities. US President Joe Biden said recently that Musk’s “cooperation and/or technical relationships with other countries is worthy of being looked at”, while the FTC has expressed ‘deep concern’ regarding the current goings on at the social media giant – a rare occurrence and one which has implications for the very existence of the site. As Twitter is still operating under the twenty-year term of an FTC settlement reached in 2011 (following serious lapses in data security which allowed hackers to gain admin-level access and control of the site), further privacy violations could potentially see millions more in fines levied at the company, which Musk himself has indicated that it would be unable to pay. What would happen to users’ data if Twitter went under, is really anybody’s guess.
Some comments that the new CEO has made also do not bode well from a privacy standpoint. One of these detailed his intention to “authenticate all humans” on the platform, whatever that might mean. Conceivably, and given that Musk has previously expressed his displeasure with the prevalence of bot accounts on the site, this could translate to users being required to tie their account much more closely to their real identity, making personal information much easier to track and link together – and thus much more profitable to sell to advertisers.
Some commentators have posited that perhaps the most troubling aspect, is that the Chief Twit himself now has direct access to the entirety of the user data stored by the platform. Every single email address, direct message, IP address and any other personal identifier is at his fingertips. No one can say what he will end up doing with this information, but it is not outlandish to imagine that this trove of data could be leveraged to benefit partnered companies or those that Musk is also involved with. One such company of Musk’s, SpaceX, signed a contract with the US Air Force in 2020 worth hundreds of millions of dollars, making it particularly difficult to envisage Twitter putting up much resistance should US intelligence services wish to leverage this data too.
Musk is also potentially on course for a major collision with EU regulators, particularly following the coming into force of the bloc’s landmark Digital Services Act just yesterday (the 16th of November). The Act creates comprehensive new obligations for online platforms to reduce harms and counter risks online, introduces strong protections for users’ rights, and places digital platforms under a unique new transparency and accountability framework. It will require Twitter, as a huge platform, to demonstrate a significantly increased level of technical and legal compliance with these obligations. Twitter representatives are supposed to be meeting with EU officials later this month to discuss the implications of the new rules, but with the company’s top compliance leads having abandoned ship and many others following suit or being sacked, it is not clear who will be there to attend on behalf of the company.
In general, this debacle serves to highlight once again how data subjects lose out as a result of a small handful of companies and individuals dominating and monopolising tech and online spaces. (Especially the kind of individual that is thin-skinned and impulsive enough to publicly fire an employee of the social media company he just bought for disagreeing with him, from his personal Twitter account.)
The EU is making steps in the right direction to address these issues, most pertinently with the complementary introductions of the Digital Markets Act (intended to make markets in the digital sector fairer and more contestable), and the Digital Services Act referenced previously. Hopefully, UK legislators also recognise the problems these Acts are aiming to address, and are able to emulate the EU’s approach.