Our continued work to keep Twitter secure

By and
Thursday, 24 September 2020

At Twitter, we’re acutely aware of the role we play in society and we take that responsibility seriously. We have been, and will continue to be, focused on empowering the public conversation. To do this, we must protect the security and privacy of the people who use our service. You can see some of this work on Twitter, such as in the privacy and account security settings and controls we offer you, but a lot of it happens behind the scenes. We want to share more on the work we're doing to protect your account and keep Twitter secure.

1. Improving our access management processes and authentication systems.

As we shared in July, we have teams around the world that need to access customer data to provide account services and keep Twitter running. For example, engineering team members have access to build and operate the features that people rely on every day. Other teams use proprietary tools to help with a variety of support issues including to review content for potential violations of the Twitter Rules and respond to user reports. We are constantly working to balance how we build products and provide support to people who use Twitter while ensuring the security and privacy of people who use our service. That means access is limited and is only granted for valid business reasons (i.e., ensuring an account holder can get support if they are locked out of their account).

To further secure our internal tools from potential misuse, we have been strengthening the rigorous checks that team members with access must undergo. This also helps reduce the potential for an unauthorized person to get access to our systems. We have strict principles around who is allowed access to which tools and at what time, and require specific justifications for customer data to be accessed.

2. Improving our detection and monitoring capabilities.

Similar to how we proactively detect and alert you of suspicious behavior on your account to help you keep it secure, we have internal detection and monitoring tools that help alert us of unusual behavior or possible unauthorized attempts to access our internal tools. These tools are constantly being improved, even since the July incident, to include things like expanding our detection and response efforts to include suspicious authentication and access activity. 

In addition to the improvements we’ve made on the backend, it’s important for you to have meaningful controls over your account security and privacy on Twitter. We recently implemented some of these security measures for a designated group of high-profile, election-related Twitter accounts in the US, and we encourage everyone on Twitter to enable security controls such as two-factor authentication and password reset protection.

3. Investing in tools and training for our employees and contractors.

In addition to requiring Security and Privacy & Data Protection training for all newly hired Twitter employees, we introduced new courses and increased the frequency and availability of existing courses for all employees. For example, we introduced two new mandatory training sessions for people who have access to non-public information. These trainings make clear the dos and don'ts when accessing this information and ensure employees understand how to protect themselves when they are online so they can better avoid becoming phishing targets for attackers. In addition to existing security training courses, we’ve also enhanced training content on secure coding, threat modeling, privacy impact assessments, and privacy by design so privacy is integrated into everything we design and build by default. 

Our teams have also been investing in additional penetration testing and scenario planning to help secure Twitter from a range of possible threats, including in the context of the upcoming 2020 US elections. Specifically, over a five month period from March 1 to August 1, Twitter’s cross-functional elections team conducted tabletop exercises internally on specific election scenarios. Some of the topics included: hacks and other security incidents, leaks of hacked materials, platform manipulation activity, foreign interference, coordinated online voter suppression campaigns, and the post election day period.

Internally, we’re rolling out phishing-resistant security keys and requiring our team to use them when authenticating to systems around the world. This is work we had already begun but have accelerated in recent weeks. This will help reduce the risk of an unauthorized third-party gaining access to our internal systems using compromised employee credentials. 

Finally, we continue to invest in and scale the processes in place to review products for security and privacy concerns before they launch. If a project could have significant privacy impacts, we conduct a detailed impact assessment to make sure we’re taking appropriate measures before we launch it. We’ve significantly increased the number of privacy reviews and impact assessments the past few years. Specifically, in 2018, we did about 100 privacy reviews; in 2019, we did almost 500 privacy reviews; and in the first 6 months of 2020, we have completed more than 300 privacy reviews.

So what’s next?

We are continuing to invest more in the teams, technology, and resources to support this critical work. We also know that we can do more to make it easier for you to find and use the settings and controls we offer, so we’re working on rolling out improvements to the design and navigation of our privacy settings. You’ll see these improvements in Twitter soon. 

We want you to have peace of mind when you come to Twitter that the data you share with us is secure, and that you understand and feel empowered to use the controls we offer you to keep your account secure. This will always be ongoing work for us, but trust that we are committed to acting in the interest of the people who use our service. Where we discover an issue, we will work quickly to fix it, learn from it, and hold ourselves accountable by keeping you informed. 

This post is unavailable
This post is unavailable.