In December 2015, the Seattle Privacy Coalition Twitter account (@seattleprivacy) received a disturbing notice from Twitter:
As a precaution, we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors. We believe that these actors (possibly associated with a government) may have been trying to obtain information such as email addresses, IP addresses, and/or phone numbers.
Within days, more than 50 such targets identified themselves publicly via social media. Journalists around the world covered the story. (See a partial list.)
Many or most of the attack targets were involved in privacy advocacy or information security research. As a consequence, some targets (including three board members of Seattle Privacy) were present at the Chaos Communication Congress, the great hacker convention in Hamburg, Germany, in late December. We met and discussed how to respond to the mysterious and alarming notification. Our individual efforts to learn more about the who/what/when/why behind the attacks had gone nowhere, so we decided to take collective action.
Today we unveil a collectively created website, https://state-sponsored-actors.net, where we share what we’ve learned and call on Twitter (and anybody else with relevant knowledge or insight) to provide more information about what happened. This open call to Twitter currently has about 25 signers, all of them attack targets.
These are the questions we want answered:
Nature of the attacks
- When did the attacks happen — directly prior to the first alerts in December 2015, or during a longer period previously?
- Are the attacks continuing?
- What were the attackers interested in? The alert email message speaks of phone numbers, IP addresses, and email. Was there anything else?
- How were the attacks detected?
- Were these automated brute-force attacks, or customized attacks with a human behind them, or something else?
- Did the attackers gain administrative or other direct access to Twitter’s servers?
- Why does Twitter suspect that the attacks came from state-sponsored actors?
- How does Twitter define a state-sponsored actor?
- Has Twitter identified any specific state as the source of the attacks?
- Have the attacks come from actors with ties to the US government?
- Are all of the attacks coming from the same actor(s)?
- What else does Twitter know about the attacks?
Reasons for targeting
- What is the common element, if any, among the targeted accounts?
- Were accounts attacked because of not using Tor / because of using Tor / despite using Tor?
- Are Twitter’s alerts sent by humans or by machines responding to irregular activity?
- Why did Twitter start sending the alerts now?
- Other companies have started sending out similar emails, e.g., Facebook, Google, and Yahoo. Is this a concerted effort? What is the background or the aim of the notifications?
- Why are there different kinds of notifications (email vs. popup)?
- What is the purpose of Twitter’s recommendation to use Tor, when many of the targeted accounts already use Tor?
- Why isn’t Twitter telling us more?
- Is Twitter’s silence the result of a gag order?
- Has Twitter received warrants, subpoenas, or National Security Letters in connection with the attacks?
The new site is available in English, German, French, and Italian, with more to come, as befits reaction to a government-backed assault against a world-wide communication service and the people using it.
As privacy activists who lawfully petitioned our various governments to protect our essential human rights, we now find ourselves the object of government overreach. Many of us became acquainted for the first time through our collective harm and our search for answers. Where no conspiracy existed before, the actions of an unknown government have created one.
Let the reckoning begin.