Taking Twitter Open Source


Corey Nachreiner, chief security officer at WatchGuard Technologies explores if Elon Musk’s open source vision for Twitter could make the platform more susceptible to cyber attacks


When Elon Musk tweeted his $44 billion acquisition of Twitter he also announced his plans to improve the social network including “making the algorithms open source to increase trust.”


Musk has previously suggested that the algorithm, which determines how tweets are promoted and demoted, could be uploaded to the software hosting platform GitHub to make it publicly available. But what are the implications of this for the security of Twitter and its users?


Open-source software has cyber-security pros and cons, and which side wins depends on the nature of the project; in Twitter’s case, the balance may favour the pros. In theory, open-source projects can be good for security. Anyone can see the source, which means malicious hackers can find flawed code more easily, if any exists.


However, the argument goes that this openness also puts many more eyes on the code, including those of responsible security researchers and auditors, who can quickly find and correct issues. This is similar to how cryptographers only trust openly audited ciphers that the entire crypto community has validated.


However, history has shown us that theory does not always match reality. Some pretty popular open-source projects have had critical vulnerabilities in them for years. Many widely used open-source projects have small voluntary groups of maintainers—in some cases, one person.


Without profit or a big business to drive the support, these open-source projects can sometimes have very few eyes looking at their code, which is why huge issues are still found years later.


Twitter, on the other hand, is a profitable company. Even if it decides to open-source some of its code for integration or community collaboration reasons, it still retains a huge team of its own paid developers maintaining it.


Because it is open-sourcing code it knows will be used widely, the company will also likely increase its focus on secure coding and privacy practices. So Twitter’s open-source code could have better overall security than the average open-source project.


At the end of the day, Twitter going open source with some of its code does not have to add new risk and, with the right review, could lessen it, but it all depends on how the code is maintained and reviewed.

What about privacy?

Open-source does not have to have any negative implications for privacy if done right. The openness of the design can benefit privacy with full transparency of where personally-identifying information (PII) is used.


The problem comes when non-profit open-source projects do not have enough voluntary coders with privacy expertise and do not necessarily have a profit-driven reason to force privacy compliance. In short, you get what you pay for.


But Twitter is a profit-motivated business that must comply with privacy regulations. Open source does not mean the data the code handles is no longer private and encrypted. At worst, open-source code will now publicly show where certain code is managing PII. If that code is done badly, it could expose a privacy weakness.


However, that also means security researchers will see how the code is handling PII, and they can make sure it is done properly.


Whether you’re talking about security or privacy, open-source code that is well audited by security experts can be more secure than ‘black box’ proprietary software, where no one but its creators knows what it’s doing.


When open source’s security and privacy promise doesn’t work out, it’s because we forgot that people don’t always volunteer to take on new work for free.

Authenticate all humans

Elon Musk has said: “I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans."


But what does ‘authenticating all humans’ actually mean? Speculating, it could mean additional tokens of validation for humans to create and verify their accounts, and it may even point to plans for Twitter to expand its “social sign-on” or federated identity reach.


I think this plan is for Twitter to validate the real name or person behind every account. It makes sense that they would expand on their existing ‘verified’ user, blue-check program, and ask for additional identifying PII from users so that they can remove any anonymity for users of their platform and add accountability to posts. They will most certainly have to ask users for some additional identification such as passport, driver’s license or national ID, to do this, which is an additional PII risk.


It is unlikely that Twitter will share this PII with anyone else, though, including advertising partners. So the privacy risk is more that Twitter itself could be hacked and leak the information.


As for the privacy risk of removing the anonymity option, that is a false expectation for any Twitter user to have had in the first place. I get that some have used this platform in the hope that it would be an anonymous platform to speak out when they live under controlling authoritarian governments or in such areas. While I support free speech, Twitter is not a public utility for society. It is a product.


You may think of it as ‘free’, but it never was. As with all social media, you choose to give up your privacy to use a non-public service for free. So the fact that anyone believed Twitter, as a for-profit company, supported anonymity seems misinformed.


If you are looking for anonymous services to share free speech, I am not sure you should ever trust the services of a for-profit company. They are not in business to provide an anonymous free platform for everyone. You are indirectly paying for this service by sharing details about yourself.


Only time will tell what Elon Musk has in store for Twitter, but security professionals and cyber criminals alike are watching with interest.

Corey Nachreiner is chief security officer at WatchGuard Technologies