A Twitter whistleblower’s allegations that the Indian government forced the company to hire at least one individual who was a government agent and had access to user data should be taken seriously, warn experts in the technology and policy sectors.

Given the enormous access technology giants like Twitter have to user data, a leak to a state or a rogue actor can undermine organisations that the government finds inconvenient. It can also endanger the personal safety of users, especially those viewed as political dissidents or those who belong to minority groups, say experts.

The claims about the Indian government were made by former Twitter security chief Peiter “Mudge” Zatko to the United States Securities and Exchange Commission and the Department of Justice, according to a leaked disclosure reported by The Washington Post on August 23.

Amidst a host of other allegations about lax security at Twitter, Zatko said that the platform’s transparency reports did not “disclose to users that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll”.

Zatko has submitted a separate disclosure including details and documentation of these incidents to the Counterintelligence and Export Controls within the National Security Division of the US Department of Justice, and to the Senate Select Committee on Intelligence.

The disclosure added: “By knowingly permitting an Indian government agent direct unsupervised access to the company’s systems and user data, Twitter executives violated the company’s articulated commitments to its users.”

Other countries that were able to pressure Twitter to hire local full-time employees are Nigeria, which banned the platform in 2021, and Russia, Zatko alleged.

Zatko was hired by co-founder and former chief executive officer of Twitter Jack Dorsey in late 2020. A well-known hacker, Zatko has worked with both the US government and with the industry. At Twitter, he was tasked with improving the company’s security and protecting its user data.

“I joined Twitter because it’s a critical resource to the world,” he told The Washington Post. “All news seems to be either from Twitter or goes to Twitter for the colouring and context, and as such, it not only paints public opinion, it can change governments.”

Twitter whistleblower Peiter “Mudge” Zatko. Credit: US federal government/Handout via Reuters

But, said Zatko, the company’s inadequate security measures have resulted in hacks. Twitter was unable to protect sensitive user data and gave in to demands by foreign powers that affected the national security of the US, he claimed.

Saudi Arabia provides an example of how private data could be misused. Earlier this month, two former Twitter employees were charged and one found guilty of spying on behalf of the kingdom.

The men had been offered cash and luxury goods in return for sharing personal information like birth dates, email addresses, and phone numbers of Twitter users – including critics of the Saudi Arabian government.

One of the implicated Twitter employees, an associate of Saudi Crown Prince Mohammed bin Salman, was able to access the information of a prominent dissident, Omar Abdulaziz. Abdulaziz was close to journalist Jamal Khashoggi, who was assassinated in 2018.

Saudi journalist Jamal Khashoggi (left) and Saudi Arabia's crown prince Mohammed bin Salman. Credit: Mohammed Al-Shaikh, Oscar Del Pozo/AFP

Reactions in India to Zatko’s complaint have ranged from outrage to indifference. But security researchers emphasise that it is important for users to take note of his disclosures because the private data of activists, protestors and minorities might be at risk.

Can user data be exploited?

Security researcher Anand Venkatanaryanan said it may never be possible to understand the true extent of data collected by digital platforms.

According to Twitter, it collects the following information about its users:

  1. Name
  2. Username
  3. Age and birth date
  4. Gender
  5. Email address
  6. Phone number
  7. IP address
  8. Browser type and mobile devices used to access Twitter
  9. Operating system
  10. Login history and locations from which a user has accessed Twitter
  11. Account activity
  12. Account creation details
  13. Profile location
  14. Apps connected to an account
  15. Accounts a user has muted or blocked
  16. Data on a user’s interests, based on what kind of content and people they engage with
  17. Tweets that a user has posted and private messages they have sent or received

However, Venkatanaryanan said that even Twitter does not know what kind of data it collects. “They collect some parts of the data themselves,” he said. “Rest of it is gathered by their ad engine, which collects data from hundreds of sources.”

Venkatanaryanan said it will be unclear which data is primary or secondary or tertiary. Additionally, platform algorithms generate “data on data”, he said. “So, you have no idea what data is being held about a particular person and in which database inside the company.”

An example of a relationship graph made using publicly available Twitter data. Credit: "20120212-NodeXL-Twitter-socbiz network graph" by Marc_Smith is licensed under CC BY 2.0.

Simply put, data extraction is not limited to what users knowingly share. That data is combined with information gathered from a user’s contacts, the people they engage with and their interests. Anyone with access to all the data Twitter collects would be able to create a “relationship graph” and map a user’s life – their likes, dislikes, interests, habits, location, friends, family and much more. This would even help them monitor a user’s actions and movements.

“If I know your relationship graph, I know everything about you,” Venkatanaryanan said. “They are exceptionally powerful.” Such data, he said, would allow the government to “know exactly who to target to crumble a movement”.

These relationship graphs can be even better understood, he said, if there is insider access.

Zatko said that half of the company’s 7,000 employees have access to Twitter’s internal software, which allows them to look at sensitive user data. However, only hundreds of employees have access to “god mode”, which enables them to tap into the company’s core systems.

Vulnerable users

In India, experts say, a common response to news about the infringement of individual privacy is: “If you haven’t done anything wrong, you have nothing to worry about.”

But, as Prateek Waghre, policy director at the Internet Freedom Foundation, said, “It is not just about protecting yourself. Your information can be used in various ways, including making you financially vulnerable.” Waghre said those from the minority or LGBTQ+ community are at even greater risk.


According to Waghre, there are different levels of risk. “People who see themselves as low risk do not account for the fact that others may be at a higher risk,” he said. “It shows a lack of empathy.”

Waghre said such users underestimate the risk to themselves. “You never realise you can be scammed until you are scammed. It is a difficult mindset to get over.”

Mishi Choudhary, legal director at the Software Freedom Law Center, said that the more someone knows about a user, the more power they have over them. “Personal data is used to make a variety of decisions in and about our lives: jobs, government benefits, relationships, and insurance are just a few of them,” she said. “Personal data can be used to affect our reputations and shape our behavior.”

Twitter in India

On the face of it, a lot has changed in the relationship between Twitter India and the Bharatiya Janata Party government. In 2016, Twitter India published a blog applauding Prime Minister Narendra Modi for “transforming India” through its platform and “pioneering a new wave in digital governance”. But in July, Twitter sued the Indian government in the Karnataka High Court, challenging content takedown orders.

Prime Minister Narendra Modi with former Twitter CEO Jack Dorsey in November 2018. Credit: @jack via Twitter.

In its complaint, the platform alleged that between February 2021-’22, the Ministry of Electronics and Information Technology asked it to take down 175 tweets and more than 1,400 accounts.

The notices and blocking orders under contention were sent under Section 69A of the Information Technology Act, which allows the government to block public access to content in the interest of national security. But Twitter alleged that these orders do not fall under the ambit of this section of the legislation.

“Several of the URLs contain political and journalistic content,” the petition said. “Blocking of such information is a gross violation of the freedom of speech guaranteed to citizens – users of the platform.”

In February 2021, the Indian government asked Twitter to remove hundreds of accounts that had criticised its handling of the farmer protests against three new agriculture laws. When the company refused to act on its request, the government threatened prison time for some employees in India. Twitter later complied with the request.

A farmer holds the tricolor during a protest against the farm laws at Singhu border. Credit: PTI

Two months later, in April 2021, Twitter was asked to pull down accounts criticising the Indian government’s mismanagement of the deadly second wave of Covid-19. In May, after Twitter flagged some tweets by BJP leaders as “manipulated media”, indicating that they had been “deceptively altered or fabricated”, the Delhi police raided the company’s offices in Delhi and Gurgaon.

“Countries look at social media as a national security problem,” Venkatanaryanan said. “India is no different. So, if they think something is a national security problem, anything goes to get a handle on it.”

The latest Twitter transparency report (July and December 2021) reveals that:

  1. India made the most demands of any country to remove tweets by verified handles of journalists and news outlets.
  2. India accounted for 114 of the 326 legal demands Twitter received from across the world.
  3. India made a total of 3,992 legal demands to remove content, putting it among the top 5 countries in the world to do so.
  4. With 19% of the total, India came second in the number of government information requests during this reporting period. The US made the most.

On July 5, 2021, the government filed an affidavit in the Delhi High Court arguing that Twitter had lost the immunity from legal action provided to online platforms because it had failed to comply with portions of the new IT rules, which were passed that year.

In May 2021, the Delhi Police carried out searches at the offices of Twitter in Delhi. Credit: PTI.

Alok Prasanna, co-founder of the Vidhi Centre for Legal Policy, said that Twitter’s case against the Indian government “is unlikely to have a good outcome” unless the Supreme Court looks at the Shreya Singhal case again.

In its judgement in the Shreya Singhal case in 2015, the Supreme Court ruled that online intermediaries such as Twitter would only be obligated to remove content if they received an order from a court or government authority.

Choudhary of the Software Freedom Law Center accused Twitter of playing all sides. “By filing a lawsuit in Karnataka, it can appease its users, ‘look here, we are fighting for your rights’.”

However, she added that she was certain that the platform “works very closely with the government as all companies do to accommodate their requests”. This cooperation should not be viewed just as business as usual. “Data is everything and is much more powerful than many other traditional businesses that the human race has seen thus far,” she said.

Can users protect themselves?

Waghre said that since Zatko’s disclosure showed that any potential leak or unauthorised access was internal, there is not much users can do to protect themselves. Prasanna, on the other hand, suggested that the best protection from such breaches of privacy is for users to delete their Twitter account.


Independent researcher Srinivas Kodali points out that many demands have been made in India and the US for Dorsey to encrypt Twitter direct messages.

Facebook was criticised for sharing with the Nebraska police private messages exchanged by a mother and daughter discussing how to obtain abortion pills in June, in the wake of the Supreme Court decision later that month overturning the right to abortion. The mother and daughter are now facing criminal charges.

Choudhary emphasised that data protection and security are two separate matters. “Users can do enough to be secure in their usage but what power does a citizen have against powerful tools like Pegasus or where our government insists on its agents being employed by private parties?” she asked.

Choudhary said there should be a demand for a strong law that can be implemented swiftly and effectively. “Without the right to privacy, there is no possibility of exercising any other rights,” she said.

On August 4, the government withdrew the Personal Data Protection Bill, 2019, which had been discussed for nearly five years with multiple consultations, reviews and revisions. The Bill proposed restrictions on the use of the personal information of Indian citizens by companies such as Google, Meta (formerly Facebook) and Twitter without their explicit consent.

Interview requests sent to Rajeev Chandrashekhar, Minister of State for Electronics and Information Technology of India, and Samiran Gupta, Twitter Head, Public Policy and Philanthropy, India and South Asia, went unanswered.