Is the private sector gaming social-media policies to silence security researchers, critics?

22 April 2021
Between 27 and 31 March, Twitter locked three accounts that deal with cyber-security issues and regularly post information about data breaches. These accounts belong to the Free Software Movement of India, Rajshekhar Rajaharia and Robert Baptiste, who goes by the name Elliot Alderson on Twitter. Rajaharia and Baptiste had tweeted about a data breach at MobiKwik, a digital wallet, while FSMI had posted about a leak at Big Basket, an online grocery store. Rajaharia and Baptiste’s accounts were restored within 12 hours, but FSMI was locked out of its account for almost 17 days.

On 13 April, the Free Software Movement of India, a coalition of organisations promoting the adoption of free software, was allowed access to its Twitter account, almost 17 days after the social-media platform locked it out. Twitter had locked the account of FSMI on 27 March, for a tweet that referred to a data breach of customers’ details at Big Basket, an online grocery store. On 30 March, Robert Baptiste, a France-based cyber-security expert, who goes by the name Elliot Alderson on Twitter, too, was locked out of his account for a tweet referring to a data breach at Mobikwik, a digital payments platform. The next day, another cyber-security researcher Rajshekhar Rajaharia faced similar action by Twitter for a tweet regarding the MobiKwik breach, which affected the personal data of almost ten crore users. This was the second time in a month that Rajaharia had been locked out of his account for tweets on MobiKwik. In each instance, Twitter told the accounts that their tweets violated its rules against “posting private information.” 

Baptiste and Rajaharia’s accounts were restored in less than 12 hours—both of them deleted their respective tweets. Rajaharia shared a screenshot which showed that his account was locked for 12 hours for violating Twitter’s private-information policy, but he told me his account was reinstated after about four hours. FSMI, which was locked out of its account for a tweet dated 12 December 2020, chose not to delete the post and Twitter later took down the tweet. Strangely, another tweet by FSMI, from 11 November, which refers to the same content, remained visible on the account. 

In each case, it was unclear how the tweets on data breaches violated the rules against “posting private information,” and if Twitter took action on its own, or whether some other individual or organisation reported these accounts. In an email response to The Caravan on 31 March, Twitter did not answer specific questions on who reported FSMI’s account and only said, “The referenced account was correctly actioned for violating the Private information policy.” However, on 13 April, Twitter sent an email to FSMI, informing them that their account had been restored and admitted that “After reviewing your account, it looks like we made an error.”

Researchers and experts dealing with cyber security told me that accounts such as those operated by FSMI, Rajaharia and Baptiste perform a public-service duty by informing and alerting people about how their private information may be exposed. Apar Gupta, the executive director of the digital-rights advocacy group Internet Freedom Foundation, said that to lock their accounts by citing rules against posting private information “flies in the face of logic.” The experts I spoke to said that opaque social-media policies may allow private organisations to report any account that can adversely affect their business. “Twitter’s rules can be gamed by anyone,” Srinivas Kodali, a researcher who works on data and internet, said.

Kiran Chandra, the general secretary of FSMI, believed that Twitter’s actions are “about silencing anyone who is asking anything about the breaches.” According to news reports, the Big Basket data breach was first detected on 30 October by a cyber-intelligence firm, Cyble. It reported that personal information of at least two crore customers—names, email ids, password hashes, contact numbers, full addresses, date of birth, location, and IP addresses—had been put up for sale on the dark web for USD 40,000. After informing Big Basket, Cyble made the breach public on 7 November, which was confirmed by Big Basket in a statement issued two days later. On 11 November, FSMI wrote to the ministry of electronics and information technology’s Computer Emergency Response Team, or the CERT, to seek an investigation into the security lapse. As per the Information Technology Act of 2000, CERT’s mandate is to collect, analyse, and disseminate information on cyber security incidents and take appropriate measures to deal with such incidents.

Amrita Singh is an editorial fellow at The Caravan.
