Twitter says hello to hacking; Users say goodbye to privacy

The President has illustrated the power of social media by his use of Twitter. Like Facebook and LinkedIn, Twitter is a “platform” that enables users to interact “socially” with each other online. However as Twitter has gained popularity with hundreds of millions of users, it has also come under attack by hackers and bad actors worldwide. These global social platforms have enormous armies of employees guarding their crown jewels to avert hacking. But as with any system, it is the weakest link that can cause the stronger links to fail. Witness the Target hack that was caused by an HVAC contractor’s connection to Target’s intranet.

On March 14, 2017, thousands of global Twitter accounts were compromised, apparently by racists and/or a rogue government. The EU Parliament, Forbes, Amnesty International, UNICEF, Nike Spain and other social sites were defaced. These accounts were flooded with swastikas and hashtags including “#NaziHollanda”. Profile pictures of users were changed to pictures of the Turkish flag. A link to a Youtube site was inserted into many of these Twitter accounts with text containing the cruel words “Nazi Germany, Nazi Netherlands! Do not force the patience of the Turk. We got out of this way by wearing our kefen.”

Politics aside, the real legal issue and technological quandary is that the Twitter accounts were illegally accessed via a weak link in the flow of social information. In this instance, a 3rd party application called TwitterCounter.com was hacked, and in turn Twitter Counter unwittingly and robotically instructed Twitter to modify the contents of its users’ accounts.

Twitter Counter is an analytic tool that connects to Twitter and enables its users to determine information about their accounts’ metrics. Twitter Counter is one of thousands of so-called 3rd party apps that are used to access or interact with major social media platforms. What is a 3rd party app? As examples, Apple does not produce all of the mobile apps that are available from its App Store, and Google does not develop all of the apps on Google Play. These apps have been developed by outside companies who have been granted permission to interface with the main social platforms. They are called third-party applications, or 3rd party apps for short.

In the world of social media, many people use TweetDeck and HootSuite to monitor and post their tweets, Facebook posts and LinkedIn seamlessly, with scheduling and other useful features that are not readily available on Twitter or Facebook’s own platforms. These are 3rd party apps. So is Twitter Counter. But not all 3rd party apps are as safe and secure as you’d like. And none of them have the manpower (sorry for the sexist word) and financial strength of the Big 3 (Twitter, Facebook, LinkedIn) to ensure cyber protection. Thus you have to use 3rd party apps with caution.

Where is the legal part to this story? Privacy of information is the gold standard to which one must strive. A company’s website needs to have its own privacy policy. If a company’s web user clicks its site’s Facebook or Twitter button, the user will suddenly find herself on Facebook instead of the company’s proprietary site. She is traveling on Facebook’s webpages. As a result, entirely different privacy practice will affect them. As a dramatic example, Mark Zuckerberg renamed his Privacy Policy as a Data Policy because there is no such thing as privacy on Facebook. Without politicizing the matter, it is important for websites to inform their users that once they travel through cyberspace to a social media site, their privacy will be regulated by the social site’s privacy rules, not their own.

And what of 3rd party apps? When you access a social media site (such as a company’s Facebook page) via HootSuite, for example, your usage is governed by the privacy policies of the 3rd party app as well as the Facebook platform. Remember the weak link in Target. Not all 3rd party apps are safe to use. Some are soft because of financial insecurity. Others are unsafe because they may have unsavory owners or employees who can access customer data. In any case, 3rd party apps create a backdoor to the major social platforms. If the backdoor to your home is not locked securely, a thief can enter and steal your property. Similarly, if a 3rd party app is insecure (by design or error or just bad computer coding), a hacker or bad actor or disgruntled employee can steal your identity and private information.

Companies’ privacy policies need to inform their users about all of these risks. Most CEO’s don’t realize that they may be unwittingly putting their customers in harm’s way by linking to LinkedIn with a button – and they’d be shocked to find this out the hard way, after a data breach has occurred. From a lawyer’s vantage, disclosure can cleanse many problems. Telling your users about the potential pitfalls to their privacy can be a good defense to a lawsuit or criminal investigation following a breach. The “I told you” defense is my own mantra when I prepare Internet policies for clients.

So travel the Internet safely and protect your business with technology and with solid legal safeguards in place.