Twitter faces privacy review by EU watchdogs after Mudge report – TechCrunch
The explosive whistleblower complaint on Twitter which was made public yesterday – detailing a series of damning allegations on security, privacy and data protection issues (among others) by the former security chief of Twitter, Peiter “Mudge” Zatko – contained references to European regulators as well as claims that the social media company had misled or intended to mislead regional watchdogs about its compliance with local laws.
Two national data protection authorities in the EU, Ireland and France, have confirmed to TechCrunch that they are following up on the whistleblower’s complaint.
Ireland, which is Twitter’s lead supervisor for the bloc’s General Data Protection Regulation (GDPR) – and previously led a GDPR investigation into a separate security incident that resulted in a $550,000 fine for Twitter – said it was “engaging” with the company in the wake of publicity around the complaint.
“We became aware of the problems when we read the media reports [yesterday] and spoke to Twitter about it,” the regulator’s deputy commissioner, Graham Doyle, told us.
The French DPA, meanwhile, said it was investigating the allegations made in the complaint.
“The CNIL is currently investigating the complaint filed in the United States. At this time, we are unable to confirm or deny the accuracy of the alleged shortcomings,” a spokesperson for the French watchdog told us. “If the accusations are founded, the CNIL could carry out checks which could lead to a formal notice or a sanction if breaches are noted. In the absence of a breach, the procedure would be closed.”
Machine learning problems
The Irish Data Protection Commission (DPC) and France’s national equivalent, the CNIL, were both named in the ‘Mudge Report’ – in one case in relation to Zatko’s suspicion that Twitter intended to mislead them over investigations into the datasets used to train its machine learning algorithms, in the same way the complaint alleges Twitter misled the FTC on the matter years earlier.
In a section of the complaint titled “misleading regulators in multiple countries,” Zatko claims the FTC asked Twitter about the training materials used to build its machine learning models.
“Twitter realized that truthful responses would implicate the company in numerous copyright/intellectual property violations,” the complaint continues, before claiming that Twitter’s strategy (which it says the executives “explicitly acknowledged that it was misleading”) was to refuse to provide the FTC with the requested training materials and instead state “particular patterns that would not disclose Twitter’s failure to acquire the appropriate intellectual property rights.”
The two European regulators come into it because Zatko suggests they were set to make similar enquiries this year – and he says a Twitter staffer told him the company intended to use the same tactic it had deployed in response to the FTC’s earlier investigation into the matter, in order to derail the regulatory review.
“In early 2022, the Irish DPC and the French CNIL were expected to ask similar questions, and a senior privacy official told Mudge that Twitter was going to attempt the same deception,” the complaint states. “Unless circumstances have changed since Mudge was fired in January, Twitter’s continued operation of many of its core products is most likely illegal and subject to injunctive relief, which could remove most or all of the Twitter platform.”
Neither the Irish nor French watchdog responded to questions about the specific claims made. So it’s unclear what demands EU data protection agencies may have made — or plan to make — of Twitter in relation to its machine learning training datasets.
One possibility – and perhaps the most likely, given European data protection law – is that they fear or suspect that Twitter has processed personal data to build its AI models without an appropriate legal basis for that processing.
For comparison, controversial facial recognition company Clearview AI has faced a series of regional DPA enforcement actions in recent months related to its use of personal data to train its facial recognition models. The personal data in that case – selfies / facial biometrics – falls into the most protected category of “sensitive” data under EU law, which means it is subject to the strictest requirements for lawful processing (and it is unclear whether Twitter has been using such sensitive data to train its AI models).
Cookies out of control?
The Mudge complaint also directly alleges that Twitter misled the CNIL on a separate issue – related to improper separation of cookie functions – after the French watchdog ordered it to change its processes to comply with applicable law in December 2021.
Zatko alleges that until Q2/Q3 of 2021, Twitter did not sufficiently understand how it deployed cookies and what they were used for – and also that individual Twitter cookies were used for multiple functions, such as ad tracking and session security.
“It was apparent that Twitter violated international data requirements in many parts of the world,” the complaint alleges.
A key principle of EU data protection law that applies here is ‘purpose limitation’ – i.e. the principle that personal data must be used for the specified (legitimate) purposes for which it was collected, and that distinct uses should not be bundled together. So if Twitter mixed cookie functions for distinctly different purposes, such as marketing and security – as the complaint claims – it would create clear legal problems for it in the EU.
According to the complaint, the CNIL learned of a problem with the functioning of cookies on Twitter and ordered the company to fix it late last year, presumably relying on its powers under the EU ePrivacy Directive (which regulates the use of tracking technologies like cookies).
Zatko writes that a new privacy engineering team at Twitter had worked “tirelessly” to unravel the function of cookies to enable “some form of user choice and control” – for example, letting users refuse tracking cookies but accept security-related cookies – as would be required under EU law. And he says this fix was rolled out, exclusively in France, on December 31, 2021, but was immediately rolled back and disabled after Twitter encountered an issue – an operational snafu he uses to further criticize Twitter for not having a separate test environment.
But while he writes that the bug was fixed “within hours”, he says Twitter’s product and legal leads blocked the rollout for an additional month – until January 31, 2022 – “in order to get the maximum profit from French users before deploying the patch.”
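The separation of cookie functions described above, as an added example that is neither Twitter’s code nor taken from the complaint: every cookie the application may set is declared with exactly one purpose, security cookies are always set, advertising and analytics cookies are set only when the user has recorded consent for that purpose, and withdrawing consent expires them rather than leaving them in the browser. The cookie names, attributes, the consent object and the sample Cookie header are assumptions constructed for illustration.

```javascript
// Added example (not Twitter's code): one declared purpose per cookie, with
// non-essential cookies gated on per-purpose consent. All names are made up.

// Every cookie the application is allowed to set, each with a single purpose.
// A cookie that is both a security session and an advertising identifier
// cannot be expressed here, which is the point: purposes do not mix.
const COOKIE_POLICY = {
  session: { purpose: "security", essential: true,
             attrs: { maxAge: 3600, secure: true, httpOnly: true, sameSite: "Lax" } },
  csrf:    { purpose: "security", essential: true,
             attrs: { maxAge: 3600, secure: true, httpOnly: false, sameSite: "Strict" } },
  ad_id:   { purpose: "advertising", essential: false,
             attrs: { maxAge: 86400 * 90, secure: true, httpOnly: true, sameSite: "None" } },
  metrics: { purpose: "analytics", essential: false,
             attrs: { maxAge: 86400 * 30, secure: true, httpOnly: true, sameSite: "Lax" } },
};

// Serialise one Set-Cookie header value; Max-Age=0 expires the cookie.
function serializeCookie(name, value, attrs) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  parts.push("Path=/");
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// consent is the user's recorded choice per non-essential purpose, e.g.
// { advertising: false, analytics: true }. A purpose not present counts as refused.
function allowed(name, consent) {
  const policy = COOKIE_POLICY[name];
  if (!policy) throw new Error(`refusing to set undeclared cookie "${name}"`);
  return policy.essential || consent[policy.purpose] === true;
}

// Build the Set-Cookie headers for a response: security cookies always,
// the rest only when the user consented to that cookie's purpose.
function buildSetCookieHeaders(values, consent) {
  const headers = [];
  for (const [name, value] of Object.entries(values)) {
    if (!allowed(name, consent)) continue;
    headers.push(serializeCookie(name, value, COOKIE_POLICY[name].attrs));
  }
  return headers;
}

// When consent is refused or withdrawn, non-essential cookies already in the
// browser must be expired, not merely left in place.
function expireRefusedCookies(consent) {
  return Object.entries(COOKIE_POLICY)
    .filter(([name]) => !allowed(name, consent))
    .map(([name, policy]) => serializeCookie(name, "", { ...policy.attrs, maxAge: 0 }));
}

// Parse an incoming Cookie header and report which cookies the policy does not
// know about: those undeclared cookies are what an audit has to chase down.
function auditRequestCookies(cookieHeader) {
  const report = { known: {}, unknown: [] };
  for (const pair of cookieHeader.split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    if (COOKIE_POLICY[name]) report.known[name] = COOKIE_POLICY[name].purpose;
    else report.unknown.push(name);
  }
  return report;
}

// Constructed sample: a user who refused advertising but accepted analytics.
const sampleConsent = { advertising: false, analytics: true };
console.log(buildSetCookieHeaders({ session: "s1", ad_id: "a1", metrics: "m1" }, sampleConsent));
console.log(expireRefusedCookies(sampleConsent));
console.log(auditRequestCookies("session=s1; legacy_tracker=abc; ad_id=a1"));
```

The refusal to set any cookie that is not in the policy is deliberate: a cookie whose purpose nobody has written down is exactly the kind the complaint says Twitter could not account for, and the audit function surfaces such cookies when they arrive on requests.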
“Mudge challenged executives to pretend this was more than an effort to prioritize incremental benefits over user privacy and legal data privacy requirements,” the complaint also claims, adding: “The top executives at that meeting confessed that Mudge was right.”
Zatko further claims that Twitter advanced a “proactive” legal argument – in which he says they were “trying to pretend that all cookies were by definition critical and necessary because the platform is powered by advertisements” – before going on to allege that during internal conversations he overheard product staff stating that the argument was “false and made in bad faith”.
Twitter has been contacted for a response to the specific allegations referenced in the quoted portions of the whistleblower’s report, but at the time of writing had not responded. The company yesterday issued a blanket response to the Mudge report – dismissing the complaint as a ‘false narrative’ from a disgruntled former employee, which it said was ‘riddled with inconsistencies and inaccuracies’.
Either way, the whistleblower’s complaint is already prompting further regulatory scrutiny of Twitter’s claims.
It’s unclear what penalties the company could face in the EU if regulators decide – after following up on Mudge’s complaint with closer inspection – that it breached regional requirements.
The GDPR allows penalties of up to 4% of annual global revenue – although Twitter’s previous GDPR penalty, for a separate security-related breach, was well below that. However, enforcement actions are meant to take into account the scale and extent (and even intent) of any breaches — and the material breaches alleged by Mudge could — if found by a formal regulatory investigation – lead, in time, to a much more substantial penalty.
The ePrivacy Directive, which gives the CNIL the power to regulate Twitter’s cookies, requires DPAs to impose “effective, proportionate and dissuasive” sanctions – so it’s hard to predict what this might mean in financial terms if the regulator decides a fine is justified. But in recent years the French watchdog has imposed a series of multimillion-dollar fines on tech giants for cookie-related failures.
This includes two hefty penalties for Google – a $170 million fine in January for misleading cookie consent banners; and a separate fine of $120 million in December 2020 for setting tracking cookies without consent – as well as a fine of $68 million for Facebook in January (also for misleading cookies), and a fine of $42 million for Amazon at the end of 2020, also for setting tracking cookies without consent.
Update: Twitter declined to provide public comment.