Exclusive: Security Absent from Twitter Terms 🤝 "No Party" Architecture 🚫🎉 Quiet Quitting 🏚️

This week's stories: Security Absent from Twitter Terms 🐦, "No Party" Architecture 🚫🎉, Quiet Quitting 🏚️ + more

Weekly newsletter with unique insights and analysis of relevant stories in infosec 🔒, privacy 🖲️, and tech 💻 with a healthy dose of dad jokes 🧔 and guaranteed puppy pictures 🐕. If you like my writing, please subscribe and follow me on Twitter, Facebook and LinkedIn.
👨‍💻Website announcements
Check out my review of the project management app Wrike. I had the opportunity to share my experience with a member of their UX team, which was awesome. 

🧔Personal News

I've been told my life would make a funny YouTube series. I guess it's worth sharing!

My biggest personal news of the week involves my partner being invited to discuss her field of expertise on national television on a Saturday morning from a Zoom call at home.  We had designed a tight plan to avoid her becoming the next Robert Kelly only to learn the interview was delayed 2 hours. We still managed to pull it off. She impressed everybody, especially yours truly. Her talk was a huge online hit.

Funnily, we never had cable or broadcast TV at home, so our kids do not understand how big of a deal it is. They were much more excited when my bunny TikTok got over 1,000 likes than their mom being broadcast on Quebec's biggest news channel.

I designed a risk assessment for the occasion:

🔦This week's spotlight: EXCLUSIVE! I reviewed Twitter's public documentation and security is absent

After last week's incendiary allegations against Twitter from a whistleblower, I decided I would go through Twitter's publicly available contracts to determine the gap between the allegations and the requirements Twitter committed itself to uphold.

Terms of Service

I began with the Terms of Service, which looked standard for a Business to Consumer (B2C) model. The beauty of B2C for Twitter is that nobody actually reads these, except maniacs like me that do it so you don't have to.

Its two main elements are part of the Limitation of Liability (LoL - no, really, that's what lawyers call it: the LOL): products are provided "as-is" at "our own risk" and there are no guarantees on the security of the service (see highlighted below). The second part of the LoL, in all capitals like somebody yelling in MSN Messenger so you know they mean business, restricts damages to $100 USD in case of a lawsuit. In other words: if Twitter gets hacked, they expect users to settle for $100 USD in a class action lawsuit. This is actually a pretty good deal considering Canadian restaurant chain Tim Hortons got away with "free coffee and donuts" for unauthorized geolocation data collection.

DPA

Things were pretty bare in the ToS security-wise, so I went a bit out of the box and found Twitter's standard Global Data Processing Addendum (DPA) for its partners. A DPA is basically the "GDPR contract" where companies agree on how personal data will be shared between them and their respective responsibilities towards privacy rights: who gathers consent, who enforces the right to be forgotten, the right of access, foreign data transfers, and... "technical and organizational measures", a.k.a. security. Technical and organizational measures (I call them TOMs) are basically GDPR Article 32 copy-pasted. When a company feeds you Article 32 verbatim in a DPA, it is usually what I call, pardon my French, compliance bullshit. And this is what Twitter has in its DPA (see below). The funny thing is that Twitter refers to "Your Agreements", which I could not find a copy of!

The only mention of security is highlighted in the second image, where Twitter confirms it maintains a SOC report. This, in my opinion, does change a lot with regards to the allegations against Twitter! A state-of-the-art SOC2 audit would ask for samples of servers and workstations to see whether they are adequately patched and encrypted. The beauty of such audits is that, by design, they generate a TON of evidence and audit trails: that's the whole point of the exercise! The audit artifacts would immediately reveal one of three things:

  • the whistleblower lied,
  • or Twitter representatives lied to the auditor,
  • or the auditor was complacent/complicit.

Who said SOC2 was useless?

Photo by Joel J. Martínez / Unsplash

Sorrrrrrry!

Contracts stopped there, although I kept searching for any written public commitment from Twitter.

Twitter Blog

I was able to find four blog posts about Twitter's platform security: from 2017 (GDPR prep), 2019 (indirectly addresses security through "technical debt"), 2020 (as a response to an incident), and 2021 (which coincides with the whistleblower's report of the board seeing a "whitewashed" report on security). The 2021 blog post has this especially chilling bullet point: "Providing annual reports from our CISO and CPO to our full Board of Directors to drive awareness, alignment and accountability on privacy and security." Amongst these posts, only the 2020 one illustrates tangible security measures on Twitter's platform. All in all, we can all agree that a corporate marketing blog does not make a security program.

Security in the Help Centre

The Support Centre's Security section solely focuses on the security features that allow Twitter users to protect their accounts. There is no mention of Twitter's backend or organizational processes.

The Developers Portal

Twitter's API documentation has a security section as well, which almost entirely tells developers how to secure their applications. On the other hand, Twitter's bug bounty program has no red flags, with an impressive $1.5 million paid to security researchers.

Remaining Questions

I feel shocked by Twitter's silence on security considering how good their privacy approach is. I used their Privacy Policy in the past as an example of how it should be written: in an educational, non-lawyerly way that addresses the reader. Since privacy and security go hand in hand (you can't have privacy without security), the latter's absence is glaring.

I am not a conspiracy theorist and I believe in Hanlon's razor: "never attribute to malice that which is adequately explained by stupidity". I do not believe Twitter's legal team deliberately obfuscated security to hide the weaknesses Peiter Zatko points out. I think both teams were working in silos and security never made it to these areas, because that's what happens in most organizations!

In conclusion, based on the publicly available information, I cannot assess how secure the Twitter platform really is or could be. As a B2C company, Twitter does not have a sufficient incentive to be transparent. Compare Twitter's silence with the 27-page security eBook published by Salesforce, one of the world's biggest B2B platforms!

When market pressure is not enough, regulators must step in. Twitter is one of the world's leading platforms, and it is critical infrastructure for sharing ideas and knowledge. Peiter Zatko is right when he claims Twitter's security deficiencies are a threat to democracy and national security. Its owners have a duty to protect their users, whether they intended the platform to become so critical or not. Now the question remains: who, in the information security field, will want to work for them?

🥑Legal Jam

🍰No Party Data Architecture is more than a buzzword

In my favourite news article of the week, Dark Reading shares its thoughts on the future of online advertising once third-party cookies are done for good. The "no party" data architecture is based on Tim Berners-Lee's "Solid" concept. All personalization happens on the user's machine instead of being processed on remote servers by companies who then correlate and enrich the information with other third parties and data scrapers. Users can decide, from their browsers and mobile devices, which data is shared with which entity and for what purpose, and the personalization consumes only the data provided by the user. Apple's ATT service, in that sense, could be interpreted as a "prototype" of such an architecture, giving users more control over what they share.

There is no denying that cookie banners and lawyered-up privacy policies are failing right now at informing users. Privacy-minded apps and devices will step in and the companies that can deliver personalization to the "edge" will thrive.

I wonder if ad-techs will organize a campaign based on the Beastie Boys hit: "Fight For Your Right (To Party)".

🎥Chinese Government Auditing Algorithms of Its Major Tech Companies

BBC explains how the "Cyberspace Administration of China" compels Alibaba, ByteDance (TikTok's parent), Tencent (Epic Games stakeholder), NetEase (Blizzard videogames partner) and Baidu (China's main search engine since Google is banned) to share "descriptions" of their algorithms. It is believed that the authoritarian regime aims to tighten its control over the technology sector, both on the economic front and for information control reasons.

👮Dads Taking Photos of Their Toddlers' Genitals Get Flagged as Criminals by Google

The New York Times reports the story of two fathers who took pictures of their child's private parts for telemedicine which were identified by Google's machine learning as sexual abuse imagery. While both men were cleared by law enforcement, Google refused to reinstate their user accounts and data. These events triggered an unintentionally hilarious quote: "He now uses a Hotmail address for email, which people mock him for." Since when has Hotmail become a source of shame?

Google's refusal to restore users' data even after police cleared them feels like an attempt to avoid responsibility: better to delete everything than be sorry. Based on the previous story about China's grip on technology companies, and Google's ability to read all our e-mails and scan all our pictures, populations are right to feel scared of surveillance. The stories of these men show how dangerous such power can be. Privacy enthusiasts always hear this: "I have nothing to hide!" All it takes is one bad law, or one authoritarian regime, to make you reconsider everything you do online.

Ultimately, Google's initiative prevents terrible harm to children. While the tradeoffs are extremely complex, I can't help but feel, as a dad, that such measures are warranted - despite the immense risks of such technological capability falling into the wrong government's hands.

Tech-savvy individuals will tell you to use a PureOS-powered phone such as the Librem 5 and build a private cloud running on open source technology to avoid such surveillance. While I admire the ingenuity, these solutions will never match Google's convenience and ease of use. Uncle Bob, who likes to read horoscopes on Facebook, will just not embark on that journey.

🗣️Social media Chronicles

A new section where I tell the fascinating story of our social media landscape.

😎Meta Launching a New Headset That Will Fail

Mark Zuckerberg announced on Joe Rogan's podcast that there will be a new VR headset launching in October which will somehow be awesome. VR is the one technology that I don't give a rat's ass about. People will never want to wear these ridiculous devices on their heads, messing up their hair and having them walk around like fools in public. I said it.

Photo by Oxana Golubets / Unsplash

Pictured: An offended rat

🐵Instagram copying BeReal

In its latest attempt to keep up with the times, Instagram is launching a new feature to imitate BeReal's anti-Instagram approach of "taking one untouched selfie at a random time". Playing catch-up like that tells you everything you need to know about Instagram's product management. If this were ten years ago, I guess Meta would flat-out acquire BeReal, which is unthinkable given Congress' 2021 push on Meta about antitrust issues. Wait, what? Are regulations working as intended? Yup. Yelling about a broken system would probably get me more shares on Facebook, but oh well...

📎Pinterest Innovating

Much buzz was made about Pinterest's new social app, Shuffles. The platform's "invite-only" model created a sense of exclusivity which propelled it on TikTok. Shuffles allows users to create easy "collages" of pictures on their mobile. I failed to get an invite myself to try it out. Pinterest's ability to stay relevant vis-à-vis TikTok deserves recognition. On the other hand, Clubhouse's invite-only "social audio" success from 2020 (wow, that feels like forever ago) quickly fizzled out.

🎯Quick Hits

💔Password Manager Hacked

LastPass' development environment was breached two weeks ago through a compromised developer account. I saw overblown reactions clamouring to go back to self-hosted password managers. My take is that LastPass has claimed all this time that it does not store master passwords in its vault and, well, it seems they have told the truth all along. We are slowly moving towards a world where everybody gets breached. Those who claim they haven't have just failed to detect it. We must stop thinking of some organizations as "invincible" and start evaluating them based on how well they handle the breach shitstorms. More than ever, incident response plans have become a prominent indicator of an organization's trustworthiness and integrity. Put incidents on your CISO's roadmap!

🌊Malware Floods npm and PyPi again

Log4j was already the decade's biggest vulnerability. There will be a before and an after Log4j, because it allowed hackers to "ramp up" supply-chain attacks. Another week goes by with infected packages using "typo-squatting" techniques (names one keystroke away from a popular package) to lure developers into installing crypto-miners. It is really the perfect vector: developers are willing to try many packages, they often run on machines with admin privileges, and there is a chance that the malicious code can be promoted to production. If your organization does not run software composition analysis tools, you should put this at #2 on your "CISO Christmas Wishlist", right after incidents (see above).

Note that both incidents and supply chain risk can only be solved through tiring cross-department process implementations. Technology cannot do this on its own. You may lose your soul herding all those people, but doing the hard things is often the most rewarding long-term.
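To make the typo-squatting point concrete, here is a small screening script I added to this issue; it is not from the newsletter's original text nor from any commercial software composition analysis tool. It takes a requirements list, normalizes package names the way the Python package index does (case-folded, with `-`, `_` and `.` treated alike), and flags any name that is not on an internal allowlist yet sits within two edits of an allowlisted package. The allowlist and the requirements lines are constructed for the example; a real deployment would feed it your vetted-package inventory or registry download counts.

```python
"""Toy typo-squat screen for a Python dependency list.

Added example, not code from the newsletter or any vendor tool. The
package allowlist and the requirements lines are constructed for
illustration only.
"""
import re

# Constructed allowlist: package names the organization has vetted.
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "cryptography", "pillow",
    "python-dateutil", "colorama", "setuptools", "boto3",
}

# Constructed requirements file: legitimate pins mixed with look-alikes.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
Pillow>=9.0
numpy==1.23.2
reqeusts==2.28.1
python-dateutil
colourama==0.4.5
boto3==1.24.0
urlib3==1.26.12
"""


def normalize(name):
    """PEP 503 style normalization: case-fold and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Yield bare package names from requirement lines, dropping specifiers
    and comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            yield match.group(1)


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute costing 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_suspects(requirements_text, known=KNOWN_PACKAGES, max_distance=2):
    """Return (requested_name, closest_known, distance) for every requested
    package that is not on the allowlist but is within max_distance edits
    of an allowlisted name. Exact (normalized) matches are never flagged."""
    known_norm = {normalize(k) for k in known}
    suspects = []
    for name in parse_requirements(requirements_text):
        norm = normalize(name)
        if norm in known_norm:
            continue
        closest = min(known_norm, key=lambda k: levenshtein(norm, k))
        distance = levenshtein(norm, closest)
        if distance <= max_distance:
            suspects.append((name, closest, distance))
    return suspects


if __name__ == "__main__":
    for name, closest, distance in find_suspects(SAMPLE_REQUIREMENTS):
        print(f"SUSPECT {name!r}: {distance} edit(s) from known package {closest!r}")
```

On the constructed input this flags `reqeusts`, `colourama` and `urlib3` while leaving `Pillow` alone, because normalization maps it onto the allowlisted `pillow`. A script like this belongs in CI as a cheap first gate; it does not replace a software composition analysis tool, which also knows about known-vulnerable versions and install-time scripts.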

🎼Capitol Records Signs AI-powered Rapper

FN Meka, TikTok's favourite rapper, signed a record deal. The company behind the rapper uses proprietary AI to "blend" popular music into an original production. The approach seems to resemble sampling, to an extent. This news provides another indicator of AI's meteoric rise in art. A new marketplace, Super Prompts, already sells Dall-E, MidJourney and Stable Diffusion prompts. YES! It has been one month since Dall-E went beta and there are now 3 of these, with Stable Diffusion being open source! It blows my mind how fast things are going, and I am a techie! Artists should start getting involved with these new forms of expression, as "expert prompters" are tomorrow's graphic designers and soundbite creators.

🐶This week's rant: Brief Discussion on Remote Work and 'Quiet Quitting'

In 2021, there were 245 business days. For 106 of them, or 43%, I suffered a disruption that would have prevented me from doing a standard 9 to 5 day in the office. Leading causes were, in order of frequency: covid restrictions, a 1-month-long kindergarten strike, a teachers' strike, a school bus drivers' strike, covid itself, gastroenteritis, power outages, doctor appointments, snow storms, and home appliance failures. I could write a novel about that year.

If my employer hadn't provided its workforce with flexible hours and generous paid sick leave, I wouldn't have made it. I'm grateful for their choice to prioritize employee wellness above all during the covid crisis.

🐈Flexibility is Necessary for Wellness

I will not rewrite the book on remote work. As a matter of fact, my LinkedIn feed is full of Simon Sinek speeches about how employers should trust their employees to get things done regardless of the time and place. I sense an urgency in these quotes being shared and celebrated ad nauseam. We are scared of things going back to the way they were before.

Future.com has an excellent piece about the competitive advantages of startups that provide flexibility to their employees. Sure, memes about "9 to 5 being an artifact of the industrial age" are fun, but nothing beats data; the Future.com article provides data. Among the surveys cited by the article, I was surprised to learn that the "water cooler talk" effect is probably overestimated on an enterprise scale (that's not to say individuals don't benefit - I would consider myself the counter-example: I love me some coffee machine gossiping).

The most interesting part of the article is about the disputes over the "hybrid" model. Most employees feel hybrid means working from either the office or home, whichever is the most convenient at a given time. Employers, on the other hand, may view it as "have x employees go in office on a precise day so we can optimize our obscenely onerous office space". You need to clarify this with your employer!

🦥When Flexibility Breeds Slacking

I suspect Meta's and Apple's moves to bring people back to the office are a reaction to "quiet quitting". As the Wall Street Journal reports, a slew of Gen-Z workers are going viral on TikTok about how they've been coasting at work: doing the bare minimum, checking out once their hours are done, not chasing that promotion or that pay raise, and valuing other ways to fulfil themselves outside of their careers.

Quiet quitting to me feels like nothing new. Analysts linking the behaviour to a social phenomenon or generational changes are just smelling their own farts. Coasting has always been present; what changed is merely the demographics. In a shrinking active population, workers now possess the bigger end of the stick. Employees can afford to coast (for now).

My take on this is that if employees can coast on a job, chances are that the tasks will be automated within the next 5 years anyway. Stanford University students opened a fully automated restaurant in San Francisco, and chatbots are becoming commonplace for taking orders.

There is no such thing as a free lunch. In the future, we will see privileged knowledge workers benefit from the flexibility of the most successful companies. A "virtuous circle" will emerge: proficient employees will gravitate towards flexible companies, which will benefit them both. On the other hand, while the rich get richer, companies struggling with their sense of control over employees will lose their competitive edge; employees taking it easy will get replaced by AI.

🥳
Thank you for reading!
Subscribe to the newsletter with the form below.
You can follow me on Twitter, TikTok, and LinkedIn.