Zach Edwards
Aug 24, 2022 · 15 tweets · 7 min read
I've gone through Mudge's redacted whistleblower complaint and there are some really spicy sections that relate to ad tech + privacy + foreign intelligence... brief thread of what I think is most interesting (link to documents in tweet below)🌶️🐦🌩️⚖️🧵
First up... folks have known for a while that tons of Chinese advertisers were/are buying Twitter ads... But no one had pieced it together that those Chinese advertisers would be using **Twitter Custom Audiences to doxx VPN users who verified with real contact info...** 🚨🥵🥵🚨 [Screenshot of the complaint: "Twitter executives opted to allow Twitter to become mo…"]
"Twitter executives opted to allow Twitter to become more dependent upon revenue coming from Chinese entities even though the Twitter service is blocked in China...."

It seems clear that Twitter is becoming "more dependent" on China.. via.. Twitter advertising. Uhh @congress ??
"After Chinese entities paid money to Twitter, there were concerns within Twitter that the information the Chinese entities could receive would allow them to identify and learn sensitive information about Chinese users who successfully circumvented the block..."

View Through DOX [Images: "Custom Audience options are dangerous when used to check if…"; "me reading this section"]
I would show this in a native Twitter ads interface but I'm banned from Twitter ads for unknown / probably doing weird stuff reasons. But Twitter's Custom Audiences can be built with *emails* (historically phone numbers too) + MobileIDs == DOX risks

business.twitter.com/en/help/campai… [Image: options to build list custom audiences on Twitter]
If the Chinese entities had specific lists of people to dox, and had their ProtonMail emails or Android IDs, they could load those up into Twitter ads campaigns w/ custom audiences filled w/ bad data, so that you "accidentally" only target 1 person or a small group. == DOXX city
And what Mudge is describing is a common Doxxing scenario -- if you let someone spin up countless custom audience segments, upload countless variations of the same data, don't police them doing weird ass shit with their campaigns, and don't care who pays those bills? DOXX CITY
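The two controls whose absence the last few tweets describe (no floor on how small a custom audience may be, and no check for an advertiser uploading many near-identical variations of one list) can be modelled in a few dozen lines. The block below is an added illustration written for this unroll; it is not Twitter's code, and the threshold values, identifiers and advertiser names in it are constructed assumptions.

```python
"""Upload gate for advertiser custom audiences.

Added illustration (not Twitter's code): the two controls whose absence the
thread describes, a minimum matched-audience size and detection of
near-duplicate uploads from one advertiser that differ by only a few people.
Thresholds and identifiers below are assumed/constructed values.
"""
import hashlib
from dataclasses import dataclass, field

MIN_AUDIENCE_SIZE = 100  # assumed policy threshold (platform-specific in practice)
MAX_SMALL_DIFF = 5       # assumed: audiences differing by <= this many users are flagged


def hash_identifier(raw: str) -> str:
    """Normalize an email/device id and hash it so raw contact data is never stored."""
    return hashlib.sha256(raw.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class Audience:
    advertiser: str
    name: str
    members: frozenset  # hashed identifiers


@dataclass
class UploadDecision:
    accepted: bool
    reasons: list = field(default_factory=list)


class AudienceGate:
    """Accepts or rejects audience uploads and remembers accepted ones per advertiser."""

    def __init__(self, min_size=MIN_AUDIENCE_SIZE, max_small_diff=MAX_SMALL_DIFF):
        self.min_size = min_size
        self.max_small_diff = max_small_diff
        self.store = {}  # advertiser -> [Audience, ...]

    def submit(self, advertiser: str, name: str, raw_identifiers) -> UploadDecision:
        members = frozenset(hash_identifier(x) for x in raw_identifiers)
        decision = UploadDecision(accepted=True)

        # Control 1: a tiny audience targets an individual, not a segment.
        if len(members) < self.min_size:
            decision.reasons.append(
                f"audience too small: {len(members)} < {self.min_size}")

        # Control 2: two large audiences that differ by a handful of people let the
        # advertiser isolate those people by comparing campaign delivery/match counts.
        for prior in self.store.get(advertiser, []):
            diff = len(members ^ prior.members)  # symmetric difference
            if 0 < diff <= self.max_small_diff:
                decision.reasons.append(
                    f"near-duplicate of '{prior.name}': differs by {diff} user(s)")

        if decision.reasons:
            decision.accepted = False
        else:
            self.store.setdefault(advertiser, []).append(
                Audience(advertiser, name, members))
        return decision


if __name__ == "__main__":
    gate = AudienceGate()
    base = [f"user{i}@example.com" for i in range(150)]  # constructed list
    print(gate.submit("advertiser-A", "base", base))
    print(gate.submit("advertiser-A", "base-minus-one", base[:-1]))
    print(gate.submit("advertiser-A", "one-person", ["target@example.com"]))
```

An exact re-upload (symmetric difference of zero) is accepted, since two identical lists cannot be differenced against each other; what matters is the pair that differs by one or two people. In a real deployment the rejected uploads are the interesting signal and belong in an abuse log keyed by advertiser and payer, which is the "who pays those bills" point the thread makes.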
"...the Chinese entities could receive would allow them to identify and learn sensitive information about Chinese users who successfully circumvented the block,🚨 and other users around the world🚨."

**the Chinese entities uploaded Custom Ad Lists w/ non-Chinese data** 👀🥵🌩️
Do you understand what it means if Twitter isn't policing Chinese entities who run content ad farms from uploading custom audiences with data from people all over the world? And if Twitter lets them run ads with that data? Doxx city Doxx Doxx city 🥵🥵🥵
Twitter apparently used their cookies for "all purposes" (security cookies used for advertising) ++ once told by the French CNIL to change this, they kept it on purposefully for another month "in order to extract maximum profit from French users before rolling out the fix." 😅🫥 [Screenshot: details from Mudge in footnote 52, "In December 2021, th…"]
"Twitter employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations. Twitter learned of this several times only by accident, or because of employee self-reporting." 👀📴📴

Which external orgs???? 🧐🧐 [Screenshot of footnote 54: "Twitter did not actively monitor..."]
Interesting process to redact an external audit so that you can't be held accountable to the findings:

"Twitter counsel explicitly told Mudge that this was intended to hide the findings and prevent them from becoming known internally or externally" [Screenshot of footnote 61: "Anomalous Handling of Report on Platform I…"]
"Twitter maintains a list of hateful terms and slurs that cannot be used for ad targeting. But Mudge learned that the list was not "stemming" properly, meaning that even minor variations on slurs were able to be used for targeting for an unknown period..."

uhh who used those??🥶 [Screenshot of footnote 63: "Failed "stemming" for hateful ad…"]
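The "stemming" failure in the quoted footnote is a general blocklist problem: an exact-match list is bypassed by case changes, suffixes, repeated letters, separators and digit substitutions. The block below is an added illustration written for this unroll, not Twitter's code; it shows the exact-match behaviour beside a normalized ("stemmed") comparison, and the blocked terms in it are constructed placeholders rather than real slurs.

```python
"""Normalized ("stemmed") blocklist matching for ad-targeting terms.

Added illustration, not Twitter's code: an exact-match blocklist is bypassed
by trivial spelling variants (case, suffixes, repeated letters, separators,
digit substitutions). Normalizing both the list and the candidate term before
comparison catches those variants. The blocked terms are constructed
placeholders, not real slurs.
"""
import re

BLOCKED_TERMS = {"badterm", "slurword"}  # constructed placeholder terms

# Common character substitutions used to dodge filters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})
# Suffixes stripped when enough of the word remains; crude, but applied
# identically to the blocklist and to candidates so the comparison is consistent.
SUFFIXES = ("ies", "ing", "ers", "er", "es", "s", "y")
MIN_STEM_LEN = 4


def normalize(term: str) -> str:
    t = term.lower().translate(LEET)
    t = re.sub(r"[^a-z]", "", t)       # drop separators, punctuation, spaces
    t = re.sub(r"(.)\1+", r"\1", t)    # collapse repeated letters: baaad -> bad
    return t


def stem(term: str) -> str:
    t = normalize(term)
    for suf in SUFFIXES:
        if t.endswith(suf) and len(t) - len(suf) >= MIN_STEM_LEN:
            return t[:-len(suf)]
    return t


BLOCKED_STEMS = {stem(t) for t in BLOCKED_TERMS}


def exact_match_blocked(term: str) -> bool:
    """The failing behaviour: only the literal spelling is caught."""
    return term in BLOCKED_TERMS


def normalized_blocked(term: str) -> bool:
    """The fixed behaviour: variants of a blocked term are caught too."""
    return stem(term) in BLOCKED_STEMS


def bypass_variants(candidates) -> list:
    """Return candidates the exact-match list misses but the normalized list catches."""
    return [c for c in candidates if normalized_blocked(c) and not exact_match_blocked(c)]


if __name__ == "__main__":
    samples = ["badterm", "BadTerm", "badterms", "b4dt3rm", "b.a.d-t.e.r.m",
               "baaddterm", "badterming", "goodterm"]
    for s in samples:
        print(f"{s:15} exact={exact_match_blocked(s)!s:5} normalized={normalized_blocked(s)}")
    print("missed by exact match:", bypass_variants(samples))
```

Collapsing repeated letters and stripping suffixes will also fold some legitimate words together, which is why the normalization is applied to the blocklist itself and why a real deployment keeps an audit trail of which normalized stems actually fired and for which advertisers.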
"...The Indian government forced Twitter to hire specific individual(s) who were government agents... it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll..."

So Indian spies at Twitter, huh? neat.🙄🥵 [Screenshot of the section on government interference: "The Indian governme…"]
Ending this thread w/ :

"Shortly before Mudge was ___ terminated, Twitter received specific information from a U.S. government source that one or more particular company employees were working on behalf of another particular foreign intelligence agency."

g'night, good luck!🌩️⚖️ [Screenshot: "Shortly before Mudge was ___ terminated, Twitter recei…"]