Twitter’s source code leak could represent ‘major crisis’
Things just don’t seem to be going so well for Twitter these days.
Since Elon Musk bought the company in October 2022 for $44 billion, both the social media platform and its new owner have been plagued by controversy and chaos.
Following his acquisition, the self-described ‘free speech absolutist’ embarked upon major reforms of the site, which have proven rather unpopular. In a bid to cut costs, Musk laid off half of Twitter’s 7,500 employees. A further 25% have since resigned.
In the latest twist in the tale, Twitter has discovered that some of its source code has been leaked via the Microsoft-owned software development platform GitHub, and is now on the hunt to find the culprit.
Julian Moore, director and associate general counsel at Twitter, filed a subpoena to GitHub on behalf of the company on Friday, March 24, at the US District Court for the Northern District of California.
As per his remit for monitoring and addressing infringement of copyrights owned by Twitter, Moore submitted a DMCA (Digital Millennium Copyright Act) notice to GitHub on that same day, using the defendant's online DMCA notification form.
He also demanded that GitHub reveal the identity of the user who published the source code on its service. It is thought that the code could have been public for several months.
GitHub user 'FreeSpeechEnthusiast'
The code appears to have been leaked by a GitHub user going by the username ‘ FreeSpeechEnthusiast’, an apparent nod to—or parody of—Musk’s proclamations. The account was created at the beginning of this year and Twitter’s source code was the only post made by the account to date.
Moore wrote on the DMCA notification form: “Please preserve and provide copies of any related upload / download / access history (and any contact info, IP addresses, or other session info related to same), and any associated logs related to this repo or any forks thereof, before removing all the infringing content from Github.”
GitHub, which is used as a code repository by software developers, complied with Twitter’s request and posted the request on its site.
The company said in a statement sent to WIPR: “GitHub does not generally comment on decisions to remove content. However, in the interest of transparency, we share every DMCA takedown request publicly.”
'Major crisis'
Employee mobility is always a risk factor to a company’s trade secrets, but when there is a haemorrhaging of the workforce on the scale seen at Twitter—not to mention the likelihood of disgruntled staff—those risks will only be intensified.
Trade secret expert James Pooley believes the leak could represent a “major crisis” for the social media platform and suggests that the drastic loss of staff could be a factor.
“For a software-based company like Twitter, publication of any significant part of its source code represents a major crisis,” he tells WIPR.
“That said, it’s difficult to discern the impact when we don’t yet know what portions of the code were posted, what significance they have to the functioning or security of the platform, and how long they were available on GitHub.”
He adds: “We don’t know who might have grabbed a copy of the code during the months that it was there. In any event, the theft implies some level of failure of the company’s information security programme.
“How was it that someone was able to get access to exfiltrate the information? Why was it not discovered sooner? A reasonable assumption is that the rapid contraction in Twitter’s workforce, with so many experienced people being made redundant or resigning, caused the company’s security controls to degrade.
“One can only hope that, in addition to its effort to find the culprit, Twitter also focuses on assessing the cause of this breach and shoring up its procedures and oversight.”
There may be broader implications, too, according to Pooley.
“Although a partial or temporary disclosure of confidential information will not necessarily destroy its status as a trade secret, an extreme breakdown like this could support an argument that Twitter has lost trade secret protection for some or all of its source code because it has failed to engage in ‘reasonable steps’ to protect it, as required under TRIPS Article 39 and related national laws.”
An act of revenge?
Paolo Beconcini, a consultant at Squire Patton Boggs in Los Angeles, also believes that a former employee could have leaked secrets, “in this case maybe out of revenge”.
“If this turns out to be the case, it will prove that Twitter may need tighter internal processes to reduce leaking of trade secrets,” he tells WIPR.
“Assuming it was a former employee who leaked the source code, Twitter will have to verify why that person was in possession of this secret. Did he/she have clearance? If not, how could he/she have had access to it? All these are the classic issues that affect all companies keeping trade secrets.”
“So,” he adds, “aside from punishing the bad guy, Twitter will have to do some internal due diligence and review its safety measures regarding preservation of trade secrets.”
On the other hand, Beconcini suggests that Twitter could have been hacked. “That would also show Twitter’s vulnerabilities,” he says.
“The thing with trade secrets is that, once it is out, it is difficult to stop its leakage. The person who possesses it can keep leaking it even after he is discovered if he finds accomplices willing to keep going. Therefore, the main lesson for the future is to reduce that risk.”
He adds that other issues regarding privacy and data will emerge when determining GitHub’s obligation in providing such data to Twitter.
Open to scrutiny
The leak follows Musk’s recent announcement that he would make some of Twitter’s code public—namely, the code it uses to recommend tweets publicly—by the end of this month (March) to enable it to be reviewed and scrutinised.
Other Musk initiatives include experimenting with new features such as long-from tweets, introducing paid-for accounts, and reinstating banned users. But the service has suffered an increasing number of outages, as well as a mass exodus of advertisers, according to CNN.
Meanwhile, Musk announced this month on Twitter that “This platform is growing fast!” and that it had “exceeded 8 billion user-minutes per day…of the most influential, smartest people on Earth”.
The next day, he also declared via the platform that any queries received by Twitter’s press office email “now auto responds” with a ‘poo’ emoji. WIPR was able to verify this.
Twitter’s subpoena demands that GitHub present all identifying information relating to FreeSpeechEnthusiast to the office of Quinn Emanuel, Twitter’s counsel, by April 3, 2023 at 10am.
WIPR has contacted counsel for Twitter, without immediate response.
Today’s top stories
European Commission proposes radical new FRAND royalty process for essential tech patents
Adidas makes ‘highly unusual’ U-turn on opposition to Black Lives Matter TM
