Twitter Whistleblower's Revelations Are Even Worse Than Imagined

Zach Edwards went through the former head of cybersecurity at Twitter's revelations about the horrible situation at Twitter, and posted his findings on Twitter.

This Thread Reader roll summarizes his postings.

I'll quote his statements. For the actual references to the documents upon which he bases his statements, refer to the link.

I've gone through mudge's redacted whistleblower complaint and there are some really spicy sections that relate to ad tech + privacy + foreign intelligence... brief thread of what I think is most interesting (link to documents in tweet below)

First up... folks have known for awhile that tons of Chinese advertisers were/are buying Twitter ads... But no one had pieced it together that those Chinese advertisers would be using ***Twitter Custom Audiences to doxx VPN users who verified with real contact info...**

"Twitter executives opted to allow Twitter to become more dependent upon revenue coming from Chinese entities even though the Twitter service is blocked in China...."

It seems clear that Twitter is becoming "more dependent" on China.. via.. Twitter advertising. Uhh @Congress ??

If I understand this right -- and I probably don't -- the Chinese government flooded Twitter with fake ads which were not designed to advertise anything, but to merely tag anyone viewing them with tracking cookies. They hit users with so many tracking cookies that they were able to pierce the anonymity of Chinese Twitter users accessing the platform through a VPN -- and punish them, obviously. They weren't evading China's ban on Twitter use and posting on Twitter to say supportive things about the Chinese communist government, after all.

Twitter was warned China was doing this and didn't care-- they just accepted more ad-buys from China, because they wanted that filthy money. They didn't care that they were helping the Chinese communists identify, locate, and imprison (or kill) dissidents.

"After Chinese entities paid money to Twitter, there were concerns within Twitter that the information the Chinese entities could receive would allow them to identify and learn sensitive information about Chinese users who successfully circumvented the block..."

I would show this in a native twitter ads interface but I'm banned from twitter ads for unknown / probably doing weird stuff reasons. But Twitter's Custom audiences can be built with *emails* (historically phone numbers too) + MobileIDs == DOX risks

link

If the Chinese entities had specific lists of people to dox, and had their protonmail emails or androidIDs, they could load those up into twitter ads campaigns w/ custom audiences filled w/ bad data, so that you "accidently" only target 1 person or a small group. == DOXX city

And what Mudge is describing is a common Doxxing scenario -- if you let someone spin up countless custom audience segments, upload countless variations of the same data, don't police them doing weird ass shit with their campaigns, and don't care who pays those bills? DOXX CITY

"...the Chinese entities could receive would allow them to identify and learn sensitive information about Chinese users who successfully circumvented the block, and other users around the world."

**the Chinese entities uploaded Custom Ad Lists w/ non-Chinese data**

So they can do it to any user, anywhere, not just to Chinee dissidents.

Do you understand what it means if Twitter isn't policing Chinese entities who run content ad farms from uploading custom audiences with data from people all over the world? And if Twitter lets them run ads with that data? Doxx city Doxx Doxx city

Twitter apparently used their cookies for "all purposes" (security cookies used for advertising) ++ once told by the French CNIL to change this, they kept it on purposefully for another month "in order to extract maximum profit from French users before rolling out the fix."

"Twitter employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations. Twitter learned of this several times only by accident, or because of employee self-reporting."

Which external orgs????

Interesting process to redact an external audit so that you can't be held accountable to the findings:

"Twitter counsel explicitly told Mudge that this was intended to hide the findings and prevent them from becoming known internally or externally"

"Twitter maintains a list of hateful terms and slurs that cannot be used for ad targeting. But Mudge learned that the list was not "stemming" properly, meaning that even minor variations on slurs were able to be used for targeting for an unknown period..."

uhh who used those??

That was confusing. I think they mean that Twitter supposedly doesn't allow advertisers to serve ads based on what racial slurs a user uses -- so that you can't target for racism -- but they either deliberately or negligently implemented the code stopping this poorly, so that you can, in fact, buy ads specifically targeting people using racial slurs.

This is... interesting. And alarming.

"...The Indian government forced Twitter to hire specific individual(s) who were government agents... it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll..."

So Indian spies at Twitter, huh? neat.

Agarwal, huh?

Ending this thread w/ :

"Shortly before Mudge was [REDACTED] terminated, Twitter received specific information from a U.S. government source that one or more particular company employees were working on behalf of another particular foreign intelligence agency."

g'night, goodluck!

posted by Ace at 01:55 PM

| Access Comments