The dust is still settling, but July 15, 2020, already looks to be one of the worst days in Twitter’s 14-year history. A devastating hack, apparently taking advantage of internal tools, enabled hackers to take control of dozens of high-profile accounts and solicit bitcoin donations. Noteworthy was the delta between the scale of the attack and the financial reward; the hackers brought a $28 billion company to its knees but appear to have collected a paltry $120,000 in bitcoin.
The real fallout will be reputational. Details are still fuzzy, but one must imagine that the hackers may have had access to private communications for accounts that they penetrated. The contents of these DMs could easily be weaponized, either for extortion or embarrassment. While this particular crew of hackers seems to have operated in a fairly haphazard manner, starting with accounts on crypto Twitter and moving up the supply chain to Bill Gates and Elon Musk, a more sophisticated and determined group could have wreaked absolute havoc had it wanted.
And the hits just kept coming. Twitter’s response was slow and shambolic. The period of anarchy lasted several hours. Twitter personnel were undoubtedly aware but were either unable or unwilling to shut down the platform during the turmoil, as they should have. Verified accounts were unable to post for hours afterwards.
The blows to Twitter’s reputation are multifaceted. High-profile accounts were embarrassed and associated with scams, regardless of any security measures they may have taken. If Motherboard’s reporting that the hack relied on assistance from an insider is accurate, Twitter’s controls look exceptionally weak.
‘TRUSTED THIRD PARTIES ARE SECURITY HOLES’ ISN’T JUST A SLOGAN; IT’S A CONCEPT THAT MILLIONS OF PEOPLE WILL HAVE INTUITIVELY GRASPED FOR THE FIRST TIME YESTERDAY.
Twitter will undoubtedly face questions from governments over this failure. Already, Missouri Sen. Josh Hawley has demanded answers from CEO Jack Dorsey. The Trump administration will likely see another means to apply pressure to Twitter, aggrieved by Twitter’s aggressive fact-checking. From now on, many users will not feel comfortable sharing information via DM, mindful of potential future hacks. It’s ironic that the same day as the hack, Twitter rolled out new DM features designed to make the experience more akin to Facebook Messenger.
And perhaps most damning, leaked screenshots revealed more information about Twitter’s secretive abilities to control accounts and narratives on the site. The leaked internal dashboards (evidence of which Twitter is aggressively deleting from the site) contain keywords like “trends blacklist” and “search blacklist,” seemingly an admission that Twitter does exercise some editorial judgment when it comes to which concepts receive algorithmic boosting and which don’t.
The hack plainly illuminates issues that cryptocurrency and Web 3.0 enthusiasts have been raising for years. “Trusted third parties are security holes” isn’t just a slogan; it’s a concept that millions of people will have intuitively grasped for the first time yesterday. The sheer centralization at play evidenced by the godmode key is striking.
One wonders why it’s even possible in the first place for Twitter employees to commandeer any account on the platform. Everyone knows that Twitter is the political discussion platform of choice for world leaders. Had the attacker been more inclined towards chaos rather than entrepreneurship, they could have used their access to contrive an international incident among hostile nations. While hacks of centralized services are standard fare these days, rarely are they broadcasted in such a direct, explosive manner in real time.
Additionally, the accidental reveal of Twitter’s long-rumored deboosting tools will intensify the view among critics that Twitter is a partisan, editorializing service rather than the neutral one it claims to be. The gradual insertion of more discretion into the internet’s most vibrant discussion forum is a recipe for disaster. As many have pointed out, it invites governments to pressure or infiltrate the platform to obtain efficient tools to control speech. These aren’t conspiracies; it’s a matter of public record that former Twitter employees have been caught spying for Saudi Arabia and that a current Twitter executive also happens to work for the British Army’s information warfare unit. How many more Twitter employees are proxies of foreign states seeking to gain enormous leverage by nudging the platform in a favorable direction?
Ultimately, there’s no assurances Jack Dorsey can provide to guarantee his platform will be free from future interference or capture. He has simply created too big a honeypot. Twitter is a platform with well over 300 million monthly active users globally. It has also been aggressively pursuing more controls alongside algorithmic (rather than chronological) timelines, more fact checking and more direct intervention in trending topics. All of these measures constitute an efficient toolkit to control speech. What more could a despot intent on censuring discourse want?
In response, many, including myself, have argued social media handles, as well as user-contributed content, ought to be understood as property. This contrasts with the established model in which the platform controls and owns everything, and retains the discretion to both monetize user-contributed content and kick users off the platform for any reason. The digital squatters rights argument holds that users generating the value for the platform, and by enclosing a handle and mixing it with their labor, should be entitled to a lasting and well-codified claim. Censorship and bans are better understood as expropriation and eminent domain.
Mindful of the current balance of power between users and platforms, such an arrangement is unlikely to emerge within the current crop of internet oligarchs. Instead, it’s more likely that a wholesale reimagining of social platforms will need to take place.
For once, this use case represents a non-monetary application for public blockchains that makes sense. Social systems that piggyback on top of Bitcoin and Ethereum allow users to genuinely own their online selves through public key cryptography. This is more fragile at the individual layer, since key loss is a threat, but far more robust globally.
It’s impossible to compromise every Urbit or Blockstack user because the actual user registry is stored on-chain and users custody their own keys. The Urbit philosophy, in which users can freely associate and disassociate with – but not ban – other accounts, allows for the coexistence of mutually rancorous individuals without relying on top-down censorship.
Granted, such blockchain-based social systems are still immature despite years of work and advocacy, so their flaws are not yet fully evident. But as of yesterday, we can no longer claim they are a solution searching for a problem. A user-owned and operated social internet built on a public key infrastructure is an absolute necessity, if we are to resist tyrants both in the public and the private sector.