Is the private sector gaming social-media policies to silence security researchers, critics?

Between 27 and 31 March, Twitter locked three accounts that deal with cyber-security issues and regularly post information about data breaches. These accounts belong to the Free Software Movement of India, Rajshekhar Rajaharia and Robert Baptiste, who goes by the name Elliot Alderson on Twitter. Rajaharia and Baptiste had tweeted about a data breach at MobiKwik, a digital wallet, while FSMI had posted about a leak at Big Basket, an online grocery store. Rajaharia and Baptiste’s accounts were restored within 12 hours, but FSMI was locked out of its account for almost 17 days.
22 April, 2021

On 13 April, the Free Software Movement of India, a coalition of organisations promoting the adoption of free software, was allowed access to its Twitter account, almost 17 days after the social-media platform locked it out. Twitter had locked the account of FSMI on 27 March, for a tweet that referred to a data breach of customers’ details at Big Basket, an online grocery store. On 30 March, Robert Baptiste, a France-based cyber-security expert who goes by the name Elliot Alderson on Twitter, was also locked out of his account for a tweet referring to a data breach at Mobikwik, a digital payments platform. The next day, another cyber-security researcher, Rajshekhar Rajaharia, faced similar action by Twitter for a tweet regarding the MobiKwik breach, which affected the personal data of almost ten crore users. This was the second time in a month that Rajaharia had been locked out of his account for tweets on MobiKwik. In each instance, Twitter told the accounts that their tweets violated its rules against “posting private information.”

Baptiste and Rajaharia’s accounts were restored in less than 12 hours—both of them deleted their respective tweets. Rajaharia shared a screenshot which showed that his account was locked for 12 hours for violating Twitter’s private-information policy, but he told me his account was reinstated after about four hours. FSMI, which was locked out of its account for a tweet dated 12 December 2020, chose not to delete the post and Twitter later took down the tweet. Strangely, another tweet by FSMI, from 11 November, which refers to the same content, remained visible on the account. 

In each case, it was unclear how the tweets on data breaches violated the rules against “posting private information,” and if Twitter took action on its own, or whether some other individual or organisation reported these accounts. In an email response to The Caravan on 31 March, Twitter did not answer specific questions on who reported FSMI’s account and only said, “The referenced account was correctly actioned for violating the Private information policy.” However, on 13 April, Twitter sent an email to FSMI, informing them that their account had been restored and admitted that “After reviewing your account, it looks like we made an error.”

Researchers and experts dealing with cyber security told me that accounts such as those operated by FSMI, Rajaharia and Baptiste perform a public-service duty by informing and alerting people about how their private information may be exposed. Apar Gupta, the executive director of the digital-rights advocacy group Internet Freedom Foundation, said that to lock their accounts by citing rules against posting private information “flies in the face of logic.” The experts I spoke to said that opaque social-media policies may allow private organisations to report any account that can adversely affect their business. “Twitter’s rules can be gamed by anyone,” Srinivas Kodali, a researcher who works on data and internet, said.

Kiran Chandra, the general secretary of FSMI, believed that Twitter’s actions are “about silencing anyone who is asking anything about the breaches.” According to news reports, the Big Basket data breach was first detected on 30 October by a cyber-intelligence firm, Cyble. It reported that personal information of at least two crore customers—names, email ids, password hashes, contact numbers, full addresses, date of birth, location, and IP addresses—had been put up for sale on the dark web for USD 40,000. After informing Big Basket, Cyble made the breach public on 7 November, which was confirmed by Big Basket in a statement issued two days later. On 11 November, FSMI wrote to the ministry of electronics and information technology’s Computer Emergency Response Team, or the CERT, to seek an investigation into the security lapse. As per the Information Technology Act of 2000, CERT’s mandate is to collect, analyse, and disseminate information on cyber security incidents and take appropriate measures to deal with such incidents.

FSMI’s letter requested Ajay Lakra, the public grievance officer at CERT, “to initiate an investigation into this incident and update citizens on what transpired.” FSMI posted this letter on Twitter that same day. On 12 December, FSMI tweeted, “It has been over a month& we have not received any acknowledgment or response from @IndianCERT on our complaint to investigate Big Basket data breach. CERT-In is required to acknowledge citizen complaints in 2 days and resolve it under 30 days according to its citizen charter.” On 27 March, Twitter locked FSMI’s account on the basis of the 12 December tweet and took it down. However, the 11 November tweet that had a link to the letter remained on the account.

Chandra told me that Twitter did not warn the organisation or ask for an explanation before locking the account. “The tweet is missing now. There is no private information in it,” he said. Twitter’s email to FSMI asked it to delete the tweet to unlock the account or appeal the decision to lock it. Chandra told me FSMI opted for the latter on 30 March, but Twitter did not give them a timeline of when to expect a response. It should be noted that on 3 April, Twitter declined FSMI’s appeal. Two days later, Chandra told me, FSMI filed a legal notice against the platform. Subsequently, on 13 April, FSMI’s account was restored and Twitter’s email to FSMI apologised “for any inconvenience this may have caused.”

Chandra also pointed out that it was strange that the action was taken three months after the tweet was posted. On 12 March, The Hindu reported that the Tata Group will be acquiring a 64.3 percent stake in Big Basket. The company is currently owned by Hari Menon, whose father-in-law, E Sreedharan, is contesting the Kerala assembly elections on a Bharatiya Janata Party ticket. When I asked Chandra who may have complained against the account, he said, “We are trying to figure it out.” In an emailed response, CERT denied reporting FSMI’s account. Big Basket had not responded to queries at the time of publishing.

While FSMI appears to be the only account that faced action on a tweet commenting on the Big Basket breach, the number of social-media accounts that faced action for posts about Mobikwik is jarring. The MobiKwik breach first surfaced on the dark web as an anonymous, but restricted, data dump on 24 February—it had the Know Your Customer, or KYC, details of over ten crore people including personal details, PAN card numbers, Aadhaar numbers and even passport numbers. In a Medium post, Rajaharia noted that by the next day, he deduced the data may have been from MobiKwik and alerted the founder of the company, Bipin Preet Singh. On 26 February, he tweeted about the breach but without naming the company. The next day, CERT reached out to him, asking for details.

On 4 March, MobiKwik put out a statement denying any “security lapse” and called Rajaharia a “media-crazed so-called security researcher” without naming him. The next day, LinkedIn took down one of Rajaharia’s posts about the MobiKwik data breach—he had not named the company in it—stating that it had received a claim alleging that his post was “defamatory.” According to a report by the media platform Entrackr, a LinkedIn spokesperson said that “while we can’t comment on the specifics of a member’s account due to our privacy policy, we can confirm that we only remove content if it’s in violation of our policies.” 

Over the next week, Twitter first locked Rajaharia’s account on 9 March, for “posting private information” with respect to a tweet about another bug in MobiKwik’s systems that he had earlier posted, on 1 March. Rajaharia had flagged this bug to both MobiKwik and CERT. Then on 12 March, Twitter sent him an email stating that Mobikwik had told the platform that four of his tweets violated Indian law. The email noted that Twitter was not taking any action on the reported content at the time.

Throughout March, MobiKwik consistently denied that there was any data breach despite several independent researchers and media organisations confirming the breach and its provenance. By the end of the month, the leaked data was publicly available for search via the Tor browser. On 30 March, the company again issued a statement and said that they were “closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit.” But simultaneously, the firm shifted the onus on customers and said “it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik.” According to news reports, on 31 March, the Reserve Bank of India ordered MobiKwik to conduct a forensic audit of the data breach.

At around 4 pm on 31 March, Twitter again locked Rajaharia’s account for a tweet referring to how he had reported a bug to MobiKwik earlier that month. Rajaharia told me that he deleted the tweet and Twitter restored his account within hours. “Whoever has posted viral tweets about MobiKwik, complaints are being lodged against them,” Rajaharia told me that day. His claim did not seem without substance. The day before, on 30 March, Twitter had taken similar action against Baptiste. On 29 March, Baptiste had tweeted, “Probably the largest KYC data leak in history. Congrats Mobikwik… ” Baptiste later posted that he chose to delete the said tweet. Multiple emails to Baptiste went unanswered.

Screenshots shared by FSMI, Rajaharia and Baptiste on Twitter in recent weeks showed that they were accused of violating Twitter rules regarding posting private information. I asked Rajaharia if it was possible that whoever is speaking of data leaks is considered to be sharing private data. “No, I don’t think that’s possible,” he replied. “My whole Twitter is full of it—I don’t have a tweet without a mention of some data leak.” He added, “But only Mobikwik has complained against me, no company has done it before.” MobiKwik did not respond to multiple attempts to contact them. Twitter declined to comment on queries regarding the action against Rajaharia and Baptiste’s accounts.

Interestingly, on 3 April, “DissentDoe, PHD,” a Twitter account by an anonymous privacy activist, posted that an anonymous user had tried to take down its blog post on MobiKwik. The activist runs a website with information on data breaches. In 2019, he was sued by 1 to 1Help, a counselling and wellness services firm, after he reported that counselling related data of three lakh employees of its corporate clients had been leaked.

The actions against cyber-security researchers seem to fall into a newly-emerging pattern of Indian corporates curbing criticism by reporting critical social media accounts. The most well-known instance appears to be that of Whitehat Jr, an education-technology firm. Pradeep Poonia, an engineer, and Aniruddha Malpani, an IVF specialist, criticised the operations of Whitehat Jr via multiple posts on different platforms last year. Many of their posts were taken down by the platforms—in some cases, they mentioned that Whitehat Jr had complained against the posts. Eventually Whitehat Jr took them to court for defamation and copyright infringement, among other charges. Poonia’s account was suspended from Twitter, while Malpani was permanently restricted from LinkedIn. The matter is currently sub judice.

I asked Malpani if he saw any similarity in the Whitehat Jr case and the three recent cases. “I think this has become a trend. The worst thing is that this is how you silence dissent,” he said. “People are going to read between the lines and self-censor,” he added. Kodali, the researcher, said, “To my sense, private sector has figured out how they can stop any dissent against their client.” He continued, “If there is a data breach, the brand’s value diminishes for people who are privacy aware. They could stop using the platforms.” 

Gupta, of the IFF, characterised Twitter’s process of acting against accounts as imperfect and arbitrary. “Private companies have been using this imperfect and broken system to assert what were earlier intellectual property claims,” he said. He gave the example of Tata vs Turtle—a game created by the environmental-advocacy organisation Greenpeace in 2010, to demonstrate the impact of Tata operating in Odisha, known for its Olive Ridley turtle nesting sites. The game had used the Tata logo. The company filed a defamation case and asserted a claim of intellectual property rights to get the game removed. “Companies are gaming these systems, sending take-down notices—either under IP or asserting defamation—and it’s something that is not only unethical but it is also borderline illegal.” He explained that under the Supreme Court’s Shreya Singhal judgment, platforms are under no legal obligation to take down material until they get a court order or a notice from a public authority. The 2015 case is considered a landmark judgment on the issue of online speech and intermediary liability.

Gupta said that none of the three recent instances appeared to fall in any of the categories that Twitter lists as a violation of private information. He referred to a sentence in Twitter Rules: “We also prohibit threatening to expose private information or incentivizing others to do so.” Gupta said, “None of the three accounts are intended towards that. They are intended towards the contrary—by preventing further exposure of private information by letting millions of Indians know that their data has been leaked.” He added, “The truth is that without the work of these three Twitter accounts, this issue would not have become a public issue.” 

Kodali, who is also a volunteer at FSMI, said that security researchers were playing a big role in highlighting issues such as data breaches. “If there’s a complaint to CERT, they have to act,” he said. “Which is what the security researcher is doing, by telling people, by allowing them to understand it and approach courts.”

Chandra pointed out that CERT had not responded to their complaint about Big Basket, even though its own charter said they would respond in two days. “It is an emergency-response team for the country,” he said. “You cannot be thinking you are not answerable. This attitude is really dangerous for Indian democracy.” On 30 March, FSMI had filed a complaint to CERT about the Mobikwik data leak, too.

Gupta also pointed out that the draft data protection bill, currently being considered by a joint parliamentary committee, does not impose a clear obligation on companies that suffer data breaches, or set criteria for when they need to notify users. In fact, Rajaharia told me that companies often use their bug-bounty programmes—open calls to hunt for weaknesses in data systems and frameworks in return for payments—as a way to keep the lid on data breaches. “The bounty they give, they write in their terms and conditions, that whatever you are posting here, you will not be able to inform anyone about it. You will have to remove your evidence.” He added, “So, their end goal is for all the information to be deleted and for users to not find out anything.”