So let's be clear about this, we're being told that Musk ordered employees to give an outside reporter access to *everything* internally at #Twitter. Without exceptions. That would mean users' direct messages as well. Think about it.
The reported Signal message from Elon: “Please give Bari full access to everything at Twitter. No limits at all.”
@lauren where can I find the source on this?
@lauren @Npars01 even your DMs. Such a bizarre and disrespectful move.
FTC deepens probe into Twitter's privacy, security practices: Bloomberg News

The FTC's lawyers have questioned two former company executives in the past month on the social media platform's compliance with the agency's 2011 consent decree, the report added.

Reuters
@lauren
This is brand-new news? This, or something very close to this, was mentioned in news articles the moment the so-called "Twitter Files" brouhaha broke. Possibly nobody was paying attention to that subtle but *very important* detail at the time.
@ToddVierling @lauren repetition for emphasis never hurts
@lauren I'm pretty sure if I'm going to expect privacy on messages I send through another platform I'm going to use something cryptographic like Signal.
@skylos That is not always an option. For example, many firms now do their customer support through Twitter, including detailed account information. They link Twitter to their backend systems to verify customer identities, etc.
@lauren I'm puzzled that I am supposed to care about randos knowing about my customer service interactions... It seems realistic to understand those weren't private in the first place - just obscure and inconsequential.
@skylos That is sometimes the case. But in the course of those conversations, PII can easily be discussed, and often is.
@lauren if I toot or tweet, I've *already* PII'd myself right from the get-go, haven't I? Hmm. I guess it's a distinction between what identity you're using at the time, but my social media identities I use for such things are irrevocably self-doxed since creation. Getting PII out of that would be redundant. Heh.
@skylos PII has specific definitions.
@lauren sure. "any information that permits the identity of an individual to be directly or indirectly inferred,"
@skylos @lauren yes, but what about answers to security questions, home address, phone number, etc? Those are the kind of things some customer support accounts would request by DM
@drymifolia @lauren is your phone number really secret? its disseminated fairly widely across many systems. Your home address? This also isn't actually very secret. approximately secret than your bank account number that's printed on every check. I have some doubts that these informations are nearly as 'private' or secret as the pearl clutching about privacy would indicate.
@skylos @drymifolia Having worked on privacy issues for decades, and still running my PRIVACY Forum mailing list on the Net for over 30 years continuously, I will assert that these issues are a bit more complex than you seem to be suggesting.
@skylos @lauren I think many people used twitter pseudonymously and it would be pretty challenging to figure out who they are IRL. So yeah, those users might be pretty upset to have their Twitter account linked to their real identity
@skylos @drymifolia @lauren Your phone number, combined with other information that a customer service person would normally ask, can allow someone to compromise your account, impersonate you, and steal your identity.
Which can be extremely expensive, disruptive, and time consuming to fix.
@SummerBreeze @drymifolia @lauren I wonder if the real solution to this is to fix the inadequate mechanisms we have to secure important accounts - rather than trying to pretend the not-really-secrets we're currently using are adequate so we just need to be more careful with them. They're all almost arbitrary and silly, security through obscurity.
@skylos @lauren PII isn’t primarily about doxing. The greater concern is about identity theft and impersonation.
@SummerBreeze @lauren Is the safety in numbers, like a herd of gazelle? like, 'if there are a billion possible identities to steal, any one identity is unlikely to be stolen?
@skylos @lauren No, you aren’t safer if a million identities are stolen. It’s not easier if you have company.
@SummerBreeze @lauren By that logic the gazelle isn't safe because the entire herd is going to be eaten shortly. There aren't enough cheetahs. Same for identity thefts - each operation requires manual hand-action; it's not scalable like that.
@skylos @lauren Identity theft doesn’t require manual hand action. It can in fact be automated, and unlike cheetahs, identity thieves don’t get full and stop.
@SummerBreeze @lauren I have not encountered or been made aware of any identity theft that happens without manual hand action. I couldn't make a decision or judgement based on that information. And now I know you say this is so.
@skylos @lauren Why would you think identity theft requires manual hand action? Not sure I am following your logic?
What would be done primarily by hand? I am probably missing something.
@SummerBreeze @lauren human curation requirement - most people don't have an identity worth stealing - wasting your viable access to identity-stealing channels on useless identities would obviate the utility of doing it at all - you can't just file massive applications for credit or hack bank accounts - there's heavy tarpitting and monitoring of those avenues.
@skylos @lauren this misses the point. “Privacy” isn’t something you either have or don’t—there are degrees. People decide what information to share based on context. If that context changes or is misleading, it violates the agency of the person sharing the information.
@jepyang @lauren Hm. One of the problems we deal with is that contexts *do* change - we don't get to arbitrarily freeze a context just because we used it, never shall it ever change. This effect happens in many situations both RL and virtual. Such matters should be a consideration, but considering doesn't preclude a violating decision being made. Of course, in the related directive, we know Musk doesn't consider. :[
@skylos @jepyang @lauren I'm having trouble grasping exactly what you are saying. Are you saying users of twitter (or any type of online account), should expect that at any time the CEO of the company (or other agent of the company) should have the legal power to provide access to anyone they choose anything you have posted including in DM or added to your account profile? Correct me if I'm wrong.
@skylos @lauren 🙄🙄🙄 Really? Sure, DM security isn't great on SNS. But you still wouldn't expect a reputable online service to give access to all your DMs to some random person, as a breach of the TOS
@hbic @lauren I wouldn't expect it, but I also have a reaction of rolling my eyes in a "yeah, SNAFU" sort of way. I wonder what kind of insider stock trading information you could extract.
@skylos @lauren like email? You never say anything private or personal on email? Think of the equivalent of Musk bought Google and gave a reporter access to gmail? Saying “oh you should just make sure to encrypt anything private” is pretty irresponsible.
@pbrane @skylos Many of the services that most consumers depend on for email, including spam control and malware scanning -- and more -- cannot effectively function in a practical way with end-to-end encryption. And just as a point of interest, Google is organized in such a way as to make a hostile takeover essentially impossible. And access to user data there is extremely strictly controlled on a tight need-to-know basis, with detailed logging. I've worked inside Google twice; they really do care about protecting user data.
@skylos @lauren my point is not about “Google” specifically. Pick any company which provides email. Or imagine Google had antitrust which forced them to divest of GMail. My point is that DMs shouldn’t be considered “unsafe, never put anything important” while e-mail we magically pretend is fundamentally different and will be protected
@pbrane @lauren email is not and has never been secure. It's used for time-sensitive multifactor sometimes, but that is a reflection that only by adding the time factor is its security relevant - all that expires and is useless to hackers after minutes or sometimes hours - so post hoc release has no danger regarding the security utility of email-delivered security tokens.

@lauren I wonder how many people read the Privacy Policy before using DMs? It makes clear that from Twitter's point of view, there isn't really a difference between Tweets and DMs.

At least that is transparent to the user on Mastodon.

@lauren I think you really mean "Let that sink in," right?

🤣

@lauren Is this a violation of privacy? Could Musk face lawsuits over this?
@Maxanadu_MX02 I'm not a lawyer. My layman view is that the biggest issue would be the existing FTC consent decree.
@lauren @Maxanadu_MX02 There's also other countries with varying privacy laws. Twitter and Musk can be sued in many nations at once, for the same violation.
@lauren Sounds like Musk got extorted.
@lauren Free Speech has no Privacy when that speech is exercised on anything privately owned - all Twitter content belongs to the owner
@sp2962 Subject to national laws and international treaties. In the case of the U.S., this is mainly the FTC and the existing Twitter FTC consent decree. In Europe, there are a whole array of privacy and other laws impacting Twitter.

@sp2962 @lauren no, they don't. For a start in your user agreement with Twitter, they agree that you retain copyright ownership of your content. They also agree to certain privacy controls.

Further to that there are legal statutes that cover protection of consumer data. Legally A user of Twitter is a consumer. Please don't mention that mumbo jumbo about "being the product".

@lauren When I wear my tinfoil conspiracy hat, I can conceive of a situation where Mr Musk and his middle eastern backers paid the huge buyout not for the company but for the possible priceless DMs of politicians, activists, and business leaders contained in the database. If that is the case then Twitter Files is probably just a low level spinoff of the real blackmail and identification findings.
@lauren Wouldn’t that violate the consent decree?
@lauren J. Edgar Musk is very generous in sharing his files. 😬

@lauren,
This may go down as the ultimate showcase for the kind of vulnerability baked into the utterly flawed #Web20 app worldview.

Solution?
Loosely-coupled apps that are architected with “zero trust” at their core. Anything less is susceptible to #SurveillanceCapitalism and the inevitable “bad emperor” effect.

#Privacy #Issues

@lauren I bet 'everything' doesn't include 'anything Musk'
@lauren Can said reporter be sued? I mean, what would stop Matt Taibbi from sharing with Russian hackers my bank statements, lab results and other things they're best not knowing?
@lauren I would assume that Musk OWNS all the DMs and everything else that went through the platform and can sell them to whoever he wants.
@lauren
Direct messages are a data point that Twitter collects. Twitter states this explicitly in their Privacy Policy.
The real shock here is that so many never read privacy policies and then are shocked, yes shocked at how Twitter and other private companies treat them.
There is no iteration of Twitter that I would trust.
#FreeSoftwareRespectsUsers
#ProprietarySoftwareUsesUsers
@led You're "shocked" that so many people haven't read privacy policies? C'mon. We've known for many years that most privacy policies and TOSes more broadly are not only rarely read, but are usually written in legalese that most people don't understand, and can be subject to change at any time. You're blaming users for this?
@lauren
You are describing perfectly the flaws of proprietary platforms: Alphabet (Google), and Twitter for two of many.
Twitter's abuses of users started well before Elon overpaid.
But here is the thing that will sound cavalier to your ears: Twitter's terms of service (TOS) and privacy policy (PP) are not contracts of adhesion. They are there to read before interacting with their service. You should be encouraging people to read them!
If a TOS or PP is unclear, then decline the service.