EU watchdogs begin privacy probe into Twitter

The explosive Twitter whistleblower complaint that was made public yesterday — detailing a raft of damning allegations across security, privacy and data protection issues (among others) by Twitter’s former head of security, Peiter “Mudge” Zatko — contained references to European regulators along with claims that the social media firm had misled or intended to mislead regional oversight bodies over its compliance with local laws.

Two national data protection authorities in the EU, in Ireland and France, have confirmed to TechCrunch that they are following up on the whistleblower complaint.

Ireland, which is Twitter’s lead supervisor for the bloc’s General Data Protection Regulation (GDPR) — and previously led a GDPR investigation of a separate security incident that resulted in a $550,000 fine for Twitter — said it is “engaging” with the company in the wake of the publicity around the complaint.

“We became aware of the issues when we read the media stories [yesterday] and have engaged with Twitter on the matter,” the regulator’s deputy commissioner, Graham Doyle, told us.

France’s DPA, meanwhile, said it is investigating allegations made in the complaint.

“The CNIL is currently investigating the complaint filed in the U.S. For the moment we are not in a position to confirm or deny the accuracy of the alleged breaches,” a spokesperson for the French watchdog told us. “If the accusations are true, the CNIL could carry out checks that could lead to an order to comply or a sanction if breaches are found. In the absence of a breach, the procedure would be terminated.”

Machine learning concerns

Ireland’s Data Protection Commission (DPC) and France’s national equivalent, the CNIL, were both cited in the ‘Mudge report’ — in one instance in relation to Zatko’s suspicion that Twitter intended to mislead them in relation to enquiries about data-sets used to train its machine learning algorithms in a similar way to how the complaint alleges Twitter misled the FTC years earlier over the issue.

In a section of the complaint given the title “misleading regulators in multiple countries”, Zatko asserts that the FTC had asked Twitter questions about the training material used to build its machine learning models.

“Twitter realized that truthful answers would implicate the company in extensive copyright / intellectual property violations,” runs the complaint, before asserting that Twitter’s strategy (which he says executives “explicitly acknowledged was deceptive”) was to decline to provide the FTC with the requested training material and instead point it to “particular models that would not expose Twitter’s failure to acquire appropriate IP rights”.

The two European regulators come into the picture because Zatko suggests they were poised to make similar enquiries this year — and he says he was told by a Twitter staffer that the company intended to try to use the same tactic it had deployed in response to earlier FTC enquiries on the issue, to derail regulatory scrutiny.

“In early 2022, the Irish-DPC and French-CNIL were expected to ask similar questions, and a senior privacy employee told Mudge that Twitter was going to attempt the same deception,” the complaint states. “Unless circumstances have changed since Mudge was fired in January, then Twitter’s continued operation of many of its basic products is most likely unlawful and could be subject to an injunction, which could take down most or all of the Twitter platform.”

Neither the Irish nor French watchdog responded to questions about the specific claims being made. So it’s not clear what enquiries the EU data protection agencies may have made — or be planning to make — of Twitter in relation to its machine learning training data-sets.

One possibility — and perhaps the most likely one, given EU data protection law — could be they have concerns or suspicions that Twitter processed personal data to build its AI models without having a proper legal basis for the processing.

In a separate example, the controversial facial recognition firm, Clearview AI, has in recent months faced a raft of regional enforcements from DPAs linked to its use of personal data for training its facial recognition models. The personal data in that case — selfies/facial biometrics — is, however, among the most protected ‘sensitive’ class of data under EU law, meaning it carries the strictest requirements for legal processing (and it’s not clear whether Twitter might have been using similarly sensitive data-sets for training its AI models).

TechCrunch

Copyright © 2022 Communications Today