We're not saying Uncle Sam has lost control on Twitter, but US Embassy in Riyadh just did a shout out for oatmeal
Serious rethink needed on account policies
History is "a series of lies agreed upon," as nineteenth-century orator Wendell Phillips phrased an adage employed by Napoleon, among others.
Online history doesn't even require agreement. It can be changed with a click.
Justin Littman, a software developer and librarian in the Scholarly Technology Group at George Washington University's Gelman Library, recently took over the Twitter username of the US Embassy in Riyadh, Saudi Arabia (@USEmbassyRiyadh) after poring over the US government's Digital Registry – and found the account had been deleted and was available for reuse.
He used the account to post a picture of actor Wilford Brimley eating Quaker Oats, in lieu of something "more insidious." The account has since been deactivated again.
The Digital Registry is supposed to be an authoritative list of Uncle Sam's official social media accounts, because "users need to trust they are engaging with official US government digital accounts."
Instead, it serves as a shopping list for aspiring government imposters, thanks to its own lax data management and Twitter's account policies, which allow the usernames of deleted accounts, though not suspended accounts, to be assumed by others.
On Monday, Littman described how Twitter accounts once used by US government agencies had been found to be tweeting in Russian after being taken over by unknown parties and later suspended.
On Tuesday, he recounted how he impersonated the US Embassy in Riyadh by adopting its abandoned username and then, to make the deception more credible, he recorded the page in the Internet Archive's Wayback Machine, the closest thing we have to a web library of record.
Littman says he conducted the exercise to demonstrate how easy it is to impersonate American government social media accounts and to support the deception using the Internet Archive.
"I would suggest that the implications for our trust in official information from the US government, Twitter as a communications platform, and the Internet Archive as the historical record are significant," he explained, though he acknowledges that the ruse fails to reproduce the blue Twitter check mark for the formerly verified embassy account.
Littman argued that the US Digital Registry should maintain a record of deleted Twitter accounts, and also record Twitter account ID numbers alongside their usernames – reactivated handles are assigned new ID numbers, so a mismatch reveals a change in ownership. The government, he said, should only use verified Twitter accounts. He wants Twitter to stop allowing deleted account usernames to be recycled and to display user ID numbers alongside usernames. And he would like to see the Internet Archive augment page captures from Twitter with Twitter API data, which includes information like Twitter ID numbers that are not visible on web pages.
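As an added example (not the Digital Registry's or Littman's own code), here is the ID cross-check he proposes, run over constructed registry rows and constructed lookup results; every handle other than @USEmbassyRiyadh, the numeric IDs and the lookup dictionary are assumptions, and no platform API is called.

```python
# Added example, not the Digital Registry's own code: a cross-check in the
# spirit of Littman's proposal. Each registry row records the handle AND the
# numeric account ID it had when listed; a handle that was deleted and then
# re-registered gets a fresh ID, so an ID mismatch reveals a change of hands.
# Registry rows and "live" lookup results are constructed sample data.

REGISTRY = [
    {"handle": "USEmbassyRiyadh", "user_id": "100001"},  # constructed ID
    {"handle": "AgencyA", "user_id": "100002"},          # hypothetical handle
    {"handle": "AgencyB", "user_id": "100003"},          # hypothetical handle
    {"handle": "AgencyC"},                               # listed without an ID
]

# Constructed stand-in for a live lookup: None when the handle does not
# resolve (deleted, and therefore open for re-registration, or suspended).
LIVE = {
    "USEmbassyRiyadh": {"user_id": "900077", "verified": False},  # re-registered
    "AgencyA": {"user_id": "100002", "verified": True},
    "AgencyB": None,
    "AgencyC": {"user_id": "100004", "verified": True},
}


def check_entry(entry, live_acct):
    """Classify one registry row against the result of its live lookup."""
    if live_acct is None:
        return "not_found"       # deleted or suspended: reserve it, or strike the row
    if "user_id" not in entry:
        return "no_recorded_id"  # registry cannot tell original from re-registered
    if live_acct["user_id"] != entry["user_id"]:
        return "id_mismatch"     # the handle now belongs to a different account
    if not live_acct["verified"]:
        return "unverified"      # same account, but no longer carries the check mark
    return "ok"


def audit_registry(registry, live):
    """Return {handle: status} for every registry row."""
    return {e["handle"]: check_entry(e, live.get(e["handle"])) for e in registry}


if __name__ == "__main__":
    for handle, status in audit_registry(REGISTRY, LIVE).items():
        print(f"@{handle}: {status}")
```

The "no_recorded_id" result is the registry's current blind spot: without a stored ID, a re-registered handle looks identical to the original.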
Mark Graham, director of the Wayback Machine at the Internet Archive, told The Register in a phone interview that it's Twitter's responsibility to ensure the integrity of its accounts. "I don't know if there's an issue here," he said. "The Wayback machine takes snapshots of the web and the web is constantly changing. What [Littman] did was he basically masqueraded as someone else and created a fake Twitter account and he archived it."
If the Wayback Machine archived malicious activity, that's just what happened, Graham suggested.
"We're a camera, but I can't guarantee whether the picture we're taking is going to be posed or not," he said.
The Internet Archive accepts some responsibility for what it presents. Graham explained that last month, the organization's Wayback Machine added timestamps to captured web pages. And a project presently underway aims to provide more details about the provenance of captured web pages.
What's more, if a web page element is missing from a capture, the Wayback Machine won't try to pull it from the live web, to avoid serving malicious code.
But that responsibility only extends so far.
"The fake stuff that's happening, or misdirection, is happening in plain sight," said Graham. "Our job is to record it as faithfully as we can. We're not the source of truth. We can't vouch for what someone else puts on the web."
The Register asked Twitter for comment. We're still waiting for a response. ®