Trump's Twitter Deactivation Begets Scrutiny on Security Policy

(Bloomberg) -- The fact that U.S. President Donald Trump’s Twitter account was deactivated by a rogue employee has raised questions about how much access and control Twitter Inc.’s workforce has over an individual user’s account.

Trump’s personal page was shut down for about 11 minutes Thursday evening by a customer support employee who was leaving the company. Though Twitter has controls to prevent employees from making tweets from user accounts, the incident suggests that the employee still had some access to accounts and the ability to make changes without much oversight or the need for approval.

“At a high level, this implies a level of complacency, that organizations generally are perhaps trying to convince themselves they have technology risk managed,” said Yvette Connor, chief risk officer at Focal Point Data Risk, which consults with boards and executives on technology security. “In Twitter’s case, the reputational risk that they face is that the information that’s under their care, custody and control is not really under their care, custody and control.”

The person responsible for deactivating the account may also not have been a full-time employee but a contractor, according to a report from The New York Times, which didn’t cite its sources.

“We have learned that this was done by a Twitter customer support employee who did this on the employee’s last day,” the company tweeted, after citing inadvertent “human error” in an earlier post. Twitter said in its posts that it was investigating and taking steps to prevent a recurrence of the incident but didn’t give specifics. The company declined to comment beyond the tweets.

This incident highlights the need for companies, especially those with a lot of data, to bulk up their monitoring capabilities and keep track of which employees have administrative control and access to information, Connor said. Consumer technology companies in particular collect and store a tremendous trove of customer information and don’t always strictly control employee access, a point privacy advocates have often highlighted. Uber Technologies Inc. faced backlash after it was revealed that employees could find and track customers’ rides.

With an accurate system constantly keeping track of activity and controls, “Twitter would have known in 30 seconds -- in 15 seconds -- that the account of the president had been turned off,” Connor said.

Twitter has mistakenly frozen accounts in the past. In 2016, Chief Executive Officer Jack Dorsey was locked out of his own for a few minutes. Dorsey said in a tweet that the suspension was “an internal mistake.” Users can also deactivate their own accounts. Once someone chooses to do so, Twitter retains that data for 30 days, after which it begins the process of deleting the information. An account can be reactivated during that period simply by logging in.

When Trump’s account went down, attempts to call up his personal page, @realDonaldTrump, turned up a message saying, "Sorry, that page doesn’t exist!", prompting many Twitter users to send out screenshots. The official feed for the U.S. president, @POTUS, wasn’t affected.

“My Twitter account was taken down for 11 minutes by a rogue employee,” Trump tweeted early Friday. “I guess the word must finally be getting out -- and having an impact.”

Twitter has come under fire from critics who say the company should banish Trump for violating its terms of service. The U.S. president often uses Twitter to disseminate his thinking, sometimes making disparaging remarks. Twitter’s rules let the company suspend accounts for violent threats, gender-based attacks and other forms of abuse and harassment.

The company updated its rules Friday, clarifying that the context of tweets -- including whether the content is “newsworthy” -- is key for deciding what abusive behavior is and how to deal with it. Twitter said it would provide more detail on these policies later this month.

The incident prompted a tweetstorm online. And while Trump supporters used the opportunity to highlight security issues, many Twitter users praised the employee’s last act, some calling the person a hero or a national treasure, others inviting the person over for Thanksgiving dinner. U.S. Representative Ted Lieu, a Democratic from California, tweeted an offer to buy the employee a Pizza Hut pizza for making “America feel better for 11 minutes.”