Thursday 25 April 2013

Opinion: That AP Twitter Hack and Issues of Responsibility and Security

Clout is might
Two days ago, we had a major Twitter event that should give those with a large following cause for concern with regard to the responsibility they bear.
Associated Press (AP), founded in 1846, is a news syndication agency that provides a news wire service which I believe is monitored as a reputable source of information by markets, governments and the global public at large.
AP also has a Twitter account, @AP, with 1,920,114 followers at the time of my writing this blog, having posted 50,298 tweets.
It was all of AP
At no time were the AP news wires compromised, but by sleight of social engineering someone obtained the password to their Twitter account and posted a few mischievous tweets about explosions in the White House with the President hurt. All hell broke loose before the level-headed realised the account had been hacked.
On that alone, the Dow fell 143 points, besides other consequences of that unfortunate incident.
For me, it highlighted the burden of responsibility that falls on both AP and Twitter with regard to having the power to disseminate information that can inadvertently result in serious consequences well beyond the intended purposes of the instruments of dissemination.
The duty of care that comes with responsibility
If anything, AP must now realise that the reputation and clout of the organisation undergirds any medium of expression that the organisation chooses and though Twitter has a low security threshold, it is by no means an insignificant vehicle of almost overarching influence on public sentiment.
Therein lies some responsibility on the part of AP to understand that they cannot afford to be hacked, even if it is easy to do so. Where that might happen, some monitoring, evaluation and vetting system needs to be in place to ensure that whatever is posted by the AP Twitter account does not suffer a loss of integrity, leading to a loss of face and reputation for a highly reputable organisation.
Premium security for Twitter
On the part of Twitter, a security rethink is required. They provide the medium for the dissemination of content, but being a postmaster does not mean you have no responsibility if you end up delivering a packaged bomb to a recipient.
It is clear that, especially for verified accounts, there have to be additional security protections beyond just the password. Verified accounts could probably be given some premium service that includes multifactor authentication, tweet preview processing with approval processes, delayed publishing on sensitive matters and much else.
More importantly, when a reputable organisation tweets, those tweets should be verifiably authenticated from source to destination and tamper-proof, and once published, readers should be sure that they cannot be repudiated.
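As a sketch of the preview, approval and delayed-publishing controls proposed above, the following added example (not part of the original post, and not any Twitter feature) gates a draft on a second person's approval that is bound to a hash of the exact text. The `Draft` class, the sensitive-term list and the 300-second hold are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed policy values for illustration; none come from the original post.
SENSITIVE_TERMS = ("explosion", "white house", "president")
HOLD_SECONDS = 300  # delay before a sensitive draft may go out


def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Draft:
    author: str
    text: str
    last_changed: float  # seconds; set again on every edit
    approvals: dict = field(default_factory=dict)  # approver -> digest approved

    def edit(self, text: str, now: float) -> None:
        # Old approvals stay recorded but no longer match the new digest.
        self.text, self.last_changed = text, now

    def approve(self, approver: str) -> None:
        if approver == self.author:
            raise PermissionError("author cannot approve their own draft")
        # Bind the approval to the exact text that was previewed.
        self.approvals[approver] = digest(self.text)

    def decision(self, now: float) -> str:
        current = digest(self.text)
        if current not in self.approvals.values():
            return "blocked: needs approval"
        sensitive = any(t in self.text.lower() for t in SENSITIVE_TERMS)
        if sensitive and now - self.last_changed < HOLD_SECONDS:
            return "held: sensitive content delay"
        return "publish"


if __name__ == "__main__":
    # Constructed sample draft, edited after it was approved.
    d = Draft("reporter", "Markets open higher this morning", 0.0)
    d.approve("editor")
    d.edit("Breaking: explosion reported", 10.0)
    print(d.decision(11.0))  # stale approval no longer counts
```

Someone who holds only the account password cannot publish under this gate, because a post needs an approval from a different person and any change to the text invalidates approvals given earlier.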
Protected Tweets
Obviously, this adds payloads to tweets if these security mechanisms are to be implemented, but it is a worthwhile price to pay for organisations with reputations to keep and uphold beyond the mere responsibility they have to their followership.
It might also mean that certain tweets are protected from modification and can only be retweeted as posted, possibly with a PT tag, PT being Protected Tweet. Audit trails might also be added as the need arises.
Security and responsibility lessons
The main issue here is that security needs to be improved, and organisations, knowing the burden of responsibility they carry, have to institute workflows to ensure that what is tweeted in their name is what they have sanctioned and approved to be tweeted.
Twitter is no longer the playground for lax security controls, which could impact negatively on sentiment in the marketplace and other forums of engagement.
Neither AP nor Twitter could have foreseen the consequences of a hacker’s mischievous prank of false news. The lesson to take away from this episode is that if you are trusted with a great following, you are responsible for what your followers read from you, in professional excellence and in error; what you cannot afford is to be in error.