After several high profile accounts were hacked, the EFF is calling for end-to-end encryption to better secure the users on the platform.
It was a hack that made quite the splash across media last week. Several high profile people including Barack Obama, Elon Musk, MrBeast, Joe Biden, Bill Gates, and many others suddenly started tweeting out a Bitcoin scam. Of course, they didn’t send out those tweets. Instead, an unauthorized third party got those accounts to tweet out the scam. The scam simply asked people to shell out money in Bitcoin to a specific address. It’s unclear how many fell for the scam, and the tweets have since been deleted.
The hack has since sparked multiple investigations. From The Verge:
Multiple law enforcement investigations, including one from the Federal Bureau of Investigation, are now actively probing the situation over a far deeper concern: that the exploited vulnerability in Twitter’s systems — a result it seems of mid-level employees having powerful access to site-wide admin tools that can fall into the wrong hands — has exposed serious security risks for the platform’s most powerful users. Lawmakers are hounding Twitter for more transparency around the incident, and it seems likely the attack will have longstanding consequences not just for Twitter’s own internal tools and security, but for the broader cybersecurity industry and every high-profile Twitter user on the platform, too.
We still don’t know how exactly the hack happened or even to what extent Twitter’s own systems were compromised. But following the unprecedented hacks of accounts including President Barack Obama, Joe Biden, Elon Musk, Bill Gates, Kanye West, Michael Bloomberg, and Apple, Twitter took the drastic step of blocking new tweets from every verified user, compromised or no, as well as locking all compromised accounts.
One notable exception in the attack was the account of President Donald Trump. The New York Times is now reporting that Trump’s account has special protections in place following past incidents — including when a third-party Twitter contractor used internal company tools to deactivate the president’s account in 2017. Those protections may have spared Trump’s account from being taken over, although it is not clear right now whether the hackers even attempted to assume control of his account.
Regardless, the national and international security implications of the Twitter attack are now becoming frighteningly clear, as hackers could have caused far more serious damage with access to such high-profile accounts.
Twitter says it won’t restore access to their owners “until we are certain we can do so securely.” As of Thursday, the company is still working to restore access to locked accounts, although it has confirmed that no password information was stolen by the hackers in control of the affected accounts, seemingly all of which were verified accounts belonging to high-profile companies and individuals. Twitter says that around 130 accounts were targeted, with the attackers managing to take control of a “small subset” of those. Even some accounts not affected by the attack remain locked, as Twitter continues its investigation. Twitter has not yet disclosed whether private and sensitive direct message threads were compromised as part of the account takeovers; the company says it is “continuing to assess whether non-public data related to these accounts was compromised.”
While Twitter is attempting to secure affected accounts, the Electronic Frontier Foundation (EFF) is saying that Twitter needs to implement end-to-end encryption. They say that this latest incident shows that it is time for Twitter to implement this layer of security. From The EFF:
End-to-end encryption provides the robust internal safeguard that Twitter needs. Twitter wouldn’t have to worry about whether or not this week’s attackers read or exfiltrated DMs if it had end-to-end encrypted them, like we have been asking Twitter to do for years.
Senator Ron Wyden also called for Twitter to end-to-end encrypt DMs after the hack, reminding Twitter CEO Jack Dorsey that he reassured the Senator that end-to-end encryption was in the works two years ago.
Many other popular messaging systems are already using end-to-end encryption, including WhatsApp, iMessage, and Signal. Even Facebook Messenger offers an end-to-end encrypted option, and Facebook has announced plans to end-to-end encrypt all its messaging tools. It’s a no-brainer that Twitter should protect your DMs too, and they have been unencrypted for far too long.
While this is a great idea to implement, it raises one political problem. The federal government, through the Trump administration, has been pushing back against various platforms implementing effective security and encryption. In 2019, when Facebook said that it was moving ahead with end-to-end encryption, lawmakers pushed back and tried to pressure Facebook to abandon its plans.
After the public pressure to get platforms like Facebook to not implement encryption, Republicans introduced encryption ban legislation known as EARN IT. While the legislation was watered down at the 11th hour, the EFF points out that the legislation, as it stands now, is still a threat to encryption. In the midst of all of this, Republicans introduced a second encryption ban bill known as the Lawful Access to Encrypted Data Act – a bill described by critics as worse than EARN IT before it got watered down.
It is quite possible that if Twitter went ahead with encryption, this could be seen by the Trump administration as a sharp rebuke of its efforts to undermine security online. So, this could quite possibly put Twitter in a spot that compels it to decide between doing what is right and doing what will please the Republican-controlled government. At the very least, there is technically a reason for Twitter to hesitate on doing the right thing for the time being.
Critics of the encryption ban bills will likely point out that this is all the more reason for lawmakers to drop their quest to ban effective encryption in the first place. After all, this latest hack provides yet another reason for the government to support companies that want to secure their information, not discourage it. It’s very unfortunate that this is where we are with encryption in the first place.
It’ll be interesting to see how Twitter responds with preventative measures to stop this sort of hack from happening again. Whether this is the last straw for Twitter and it goes ahead with this encryption idea or not remains to be seen.
Drew Wilson on Twitter: @icecube85 and Facebook.