Are Twitter’s ‘Locked Accounts’ a Ransom Racket?

Friday 1 September 2017
Bob Leggitt

"If this was a bug, as Twitter claimed, we should have seen a reduction in account locking complaints. But the number of complaints about account lockings actually increased."



A while back, I wrote a post called Zero Guy, which looked at a seemingly growing phenomenon of Twitter users unfollowing their entire friend list. I’d assumed this was a deliberate action. But as I discovered in the course of the past week, it may not be the account holders who are unfollowing literally all of their friends. It may in fact be Twitter. There's a suggestion that this might all be part of a ransom racket which has heavily damaged the accounts and public image of some users who won’t ‘pay up’...

And the ransom?... Yes, you’ve guessed. The cyber world’s perennial prize of prizes – the mobile phone number…


WHAT IS A LOCKED TWITTER ACCOUNT?


Protected Twitter accounts are sometimes referred to as “locked”, so there can be some confusion as to the meaning of the word. But officially, a locked Twitter account is an account whose user has been deliberately locked out, by Twitter. Not because they don’t have the correct login info, but because Twitter has decided, for its own reasons, that they should not have access.

Remember, this is not a suspension, and that suggests users with locked accounts have NOT actually been proven to have broken any rules. It’s a weird state of play. The accusation from Twitter is non-committal and vague. Not even a full accusation. The actual content remains online. But the person who posted that content cannot access it. Cannot delete it. Cannot, in fact, perform any activity within the account at all, including taking down or changing a profile pic, amending the bio… It all sits there in a state of flux, online, but beyond its owner’s reach. No longer controlled by the copyright holder, but controlled, instead, by Twitter.

Among the blanket reasons cited by Twitter for the “locking” of accounts, you'll find:
“Your account appears to have exhibited automated behavior that violates the Twitter Rules”
And...
"We've locked your account because we've detected some unusual activity"
What does that mean? Few, if any users seem to know. Maybe that's the whole idea.


But wait… It’s absolutely fine, because the user can easily regain access to their account. All they need to do is… You know what comes next. Even if you were born yesterday you’ll know what comes next… Enter their mobile phone number.

Awww, how cute. Twitter is just gagging to bug you with texts and mine your phone data.

But hang on, doesn’t Twitter cite security when badgering for your phone number? Surely with Twitter, providing a phone number has more to do with “safeguarding your account”?… Nope. Check the small print in the Privacy Policy and you’ll see what it’s really all about…
“If you provide us with your phone number, you agree to receive text messages to that number from us.”
As I say, they’re just gagging to text you and mine your phone data. They’ll use whatever pressure tactics they see fit to prize that number out of users…


PREVALENCE


Okay, so it may already look as if the locked account concept is merely a means of holding users to ransom for mobile phone data – guilty or innocent. But let’s give Twitter the benefit of the doubt for a moment. Maybe the algorithm locking accounts is doing its best to target real violators, and is, in a very small number of cases, simply failing to recognise when an account is genuine?…

Hmmm. Been there before. Locked accounts first hit the news in 2015, when TechCrunch reported on an explosion in the phenomenon. At the time, Twitter claimed the problem was a bug, which they were fixing. Sounds fair enough. In instances where there’s a technical oversight, and genuine users are getting caught up in a trap designed to target bots, one would expect the algorithm to be improved, reducing the incidence of complaints. We should have seen a fairly rapid and then more steady reduction in account locking complaints over the two-and-a-half-year interim.

But between 2015 and 2017, the number of tweets complaining about being locked out of Twitter for apparent use of automation, unusual/suspicious activity, etc., did not diminish. It noticeably increased. What does this suggest? Well, a cynic might say it suggests that far from being keen to correct a ‘flawed’ system, Twitter has in fact re-engineered the trap to catch more genuine users. To hold more real users to ransom.


WHAT IS TWITTER ACTUALLY DOING HERE?


In denying real users access to their accounts, Twitter is effectively seizing those users’ content. Content which Twitter’s own Terms of Service state the site does not own…
“You retain your rights to any Content you submit, post or display on or through the Services. What’s yours is yours — you own your Content (and your photos and videos are part of the Content).”
Er, not if Twitter has seized control of that content, I don’t. If I can’t access my account to remove content from the Internet, Twitter has taken ownership of that content. Another line in the ToS states…
“Twitter respects the intellectual property rights of others”
Seizing control of those property rights is not what I’d call respect.

AUTO-UNFOLLOW & RESTRICTED STATUS


Additionally, there is an auto-unfollow process and account visibility restriction connected with at least some of the locks. This will almost inevitably be damaging for the account if the issue takes any time to resolve. I don't know the proportion of cases with which auto-unfollowing is associated, but it happened to me, it's clear from comments on Twitter that it's happened to others, and I've also seen accounts that have unfollowed me showing zero friend totals along with Restricted status.

At first I thought the Restricted status was because the user had unfollowed all their friends. I'm more inclined to suspect, now, that all accounts I've seen in this condition had been locked, and both the restriction and the unfollowing were the work of Twitter. Indeed, as I mentioned in Zero Guy, some accounts I observed with zero friends, quickly refollowed. Again, that fits in with my own experience of being locked. Shortly after access was restored, my friend list reverted to its previous state.

The irony is that Twitter had used its own automated bot to misidentify my behaviour, and then unfollow my follow list, whilst accusing ME of probably, maybe, possibly using automation. It’s hard to see any rational reason for Twitter unfollowing users' follow lists, other than to panic people into handing over a phone number. It obviously doesn’t benefit the people who are automatically unfollowed. They want followers. So is this just a pressure tactic to prompt immediate payment of the ransom?

TIME FRAME FOR RESOLUTION


It took three and a half days, and two separate multi-step support tickets, to get my account unlocked without paying Twitter’s ransom of a phone number. I’m going to tell you how the process works in due course, but to stay with the thread, by the time I regained access to MY OWN work, I’d lost 115 of 1055 followers. Over 10%. They didn’t know what Twitter had done to my account, and would have thought that I unfollowed them. Understandably, they “unfollowed me back”.

Some of the lost followers I considered to be valuable people, who had interacted with my content. In short, Twitter has trashed my account, and wasted many hours of work I put into building that follower total, for no other reason than that I did not, on demand, pay the site’s ransom of a mobile phone number. Twitter acknowledged locking my account “by mistake”. No compensation for the wasted hours, though, obviously.

But Twitter already knew my account was not automated. It’s over two years old, and contains only original content. I’ve never sent an auto DM or posted a tweet through a third party app. Every follow I’ve ever actioned has been singular, manual, and checked with my own eyes. I’ve rarely followed more than 20 people in a day. I look at, and manage my timeline, muting or turning off retweets when necessary. I check out profile pages before following accounts back. I’ve had conversations with people. I’ve blocked people. Bots simply do not exhibit behaviour like that. And it’s not like Twitter is unaware of the above. It’s a data company. It logs every little wisp of user behaviour…

So if Twitter’s account-locking algorithm can form the opinion that my account is “automated” in the face of all these contradictions, it is plainly not designed to differentiate between bots and genuine users. What it’s designed to do, I would suggest, is harvest mobile phone numbers.


WHAT LED TO THE LOCKING OF MY ACCOUNT?


It appears to me that I logged in ‘too quickly’ after logging out of another of my accounts, within the same browser. It was exactly the same scenario as in a previous instance, except that on the first occasion that this happened to me, it was with a different Twitter account. A brand new one. No activity, no followers. I hadn’t done a thing except log out of an old account, and immediately log into the new one. The new account locked instantly upon login, cited automated behaviour, and demanded a phone number.

This earlier instance was interesting, because even though there was zero activity within the account itself to prove that I was not a bot, Twitter still unlocked the account without a phone number after I went through the Support charade.

The lock algorithm is, I suspect, sniffing for instances of a matching digital fingerprint being used across more than one account in quick succession - possibly using session cookies. If you access more than one Twitter account from the same computer (and very particularly the same browser), I’d suggest you’re at fairly high risk of being hit with a lock. There may be many other triggers, though.


GUILTY UNTIL PROVEN INNOCENT


In fairness, sniffing for rapid account switching is a good way to identify potential spammers. But the operative word is ‘potential’. The problem lies in the fact that users are being punished without trial, on suspicion alone. All users should at least be given the opportunity to prove they’re real BEFORE Twitter begins to inflict damage on what that user has worked to build.
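An added example, not part of the original post and not Twitter's actual algorithm (which is not public): a sketch of the kind of shared-fingerprint heuristic suspected above. It shows that a person switching between two accounts is indistinguishable from the start of a bot run at the second login, which is why the response at that point should be a challenge rather than a lock. The window, thresholds, decision names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed meaning of "quick succession"
CHALLENGE_AT = 2      # distinct accounts on one fingerprint -> ask for a challenge
REVIEW_AT = 5         # distinct accounts on one fingerprint -> looks like bulk operation
RANK = {"allow": 0, "challenge": 1, "review": 2}

def classify_logins(events, window=WINDOW_SECONDS):
    """events: (unix_ts, fingerprint, account) tuples sorted by time.
    Returns (unix_ts, fingerprint, account, decision) for every login."""
    recent = defaultdict(deque)  # fingerprint -> logins still inside the window
    decisions = []
    for ts, fp, account in events:
        q = recent[fp]
        q.append((ts, account))
        while ts - q[0][0] > window:   # drop logins older than the window
            q.popleft()
        distinct = len({acct for _, acct in q})
        if distinct >= REVIEW_AT:
            decision = "review"
        elif distinct >= CHALLENGE_AT:
            decision = "challenge"     # reversible step; nothing is locked or unfollowed
        else:
            decision = "allow"
        decisions.append((ts, fp, account, decision))
    return decisions

def worst_by_fingerprint(decisions):
    """Most severe decision seen for each fingerprint."""
    worst = {}
    for _, fp, _, decision in decisions:
        if RANK[decision] > RANK[worst.get(fp, "allow")] or fp not in worst:
            worst[fp] = decision
    return worst

def sample_events():
    """Constructed data: one person with two accounts, one eight-account bot run."""
    person = [(1000, "fp-person", "old_account"),
              (1012, "fp-person", "new_account"),   # logs out, logs straight back in
              (5000, "fp-person", "old_account")]   # much later: window has expired
    farm = [(2000 + 3 * i, "fp-farm", f"bot_{i:02d}") for i in range(8)]
    return sorted(person + farm)

if __name__ == "__main__":
    for row in classify_logins(sample_events()):
        print(row)
```

With these constructed events the two-account user and the bot run receive the same decision on their second login; only the continued growth in distinct accounts separates them, so a rule that acts destructively at the first threshold will hit genuine users.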

And no user should ever lose control of content they own, for any reason. If Twitter has established that a serious rule break has taken place, it should take the account and all its content offline. If Twitter hasn’t established that the rules have been broken, the account should remain untouched. To comply with copyright law, any Twitter account whose content is still publicly accessible, MUST also be accessible to the copyright owner. Denying a means of copyright control is against the DMCA. A breach of copyright law.


IS A PHONE NUMBER THE BEST WAY TO VERIFY THAT A USER IS NOT USING AUTOMATION?


Obviously not. All automation is implemented by humans. A human can thus enter a phone number into a website, verify that phone number, and still proceed to run a fully-automated Twitter account.

This is not the case with something like Google’s image-based CAPTCHA. A multi-stage CAPTCHA check, served at a point where use of automation is suspected, is an incredibly reliable way to incapacitate bots. If you really want to stop bots from using your website, a sophisticated CAPTCHA is the way to do it.

Except, of course, Twitter doesn't want to stop bots from using its website. It SUPPORTS the use of automated processes. Let’s look, in summary, at what Twitter is actually saying. Words are mine; sentiments are Twitter’s…

“We condone the use of automation. We use automation ourselves. We authorise apps that enable automation. But we locked you out of your account because we think you MIGHT have used automation. Despite the fact that a multi-step CAPTCHA process is the best and most obvious way to incapacitate automation, we instead demand your phone number (which actually WON’T stop you using automation) as a means of solving this problem… A problem which may not exist, because we’re not sure you ARE using automation, and which isn’t a problem anyway, because we support and authorise the use of automation.

By the way, until you pay our ransom of a mobile phone number, we have seized control of your content, which we do not own, and have no right to seize. We have also automatically unfollowed the accounts you took the time to follow, creating the impression that YOU deliberately unfollowed them, and alienating you in the process. Oh, and wasting a lot of your time. Have a nice day.”



GETTING THE ACCOUNT UNLOCKED WITHOUT PROVIDING A PHONE NUMBER


Provided you’re not in breach of Twitter's rules, it’s likely Twitter will restore access to your account without the provision of a phone number. The problem is, it will take some time, and some effort, and if all your follows have been automatically undone, as the clock ticks, you’ll be haemorrhaging reciprocal followers. Your image is being tarnished too, obviously.

If you can deal with that, start by going to this page…

https://support.twitter.com/forms/signin

Fill it in, and do the CAPTCHA. Yes, when Twitter really cares whether or not you’re a bot, it uses a Google CAPTCHA, funnily enough. Here’s some advice, and a documentation of the rest of the appeal process…

You don’t have to enter your real name. I entered “Not required” into the Full Name field, and the appeal was still processed.

Don’t waste too many words venting your anger in the message. They’re dealing with thousands and thousands of these appeals, and this part of the appeal process does not appear to be read by a human. It seems to be merely the first stage of hoop-jumping – little more than a means to force you to confirm your email address - again.

Copy your message into the clipboard before sending the support ticket. You’ll need it again in a few minutes. If you were locked for "automation", your message should express that you have not used automated processes, and that you either can’t or won’t provide a phone number. I also told Twitter to stop trying to mine phone data, but I’m guessing the appeal still works if you don’t do that.

After you’ve submitted the support ticket, check your email. You should find an automated message from Twitter (yep, that good old automation again, and from a company so opposed to the use of automation. Or are they in favour?… Oh who knows? They certainly don’t). Anyway, you’re now in a position to send the REAL support ticket. Paste the message you copied from the support form, into a reply to Twitter’s email, and send it back.

Incidentally, you must reply to the auto mail, and not create a new email, because Twitter uses identifying features and coding to single out the people who’ve jumped through the correct hoops. If you try emailing Twitter Support without any preliminary ticket reference, your communication will just get binned and you’ll be told the address is unmonitored.

Now wait. Provided your account is genuine, and you’re not running some kind of pornbot network, you should receive confirmation at some point in the next few days, that it’s been unlocked. It’s a standard email – just bullshit, basically. I’ve had three of them exactly the same. One for the first account to be locked, and two for the second. Why two for the second? Twitter said they’d unlocked the account, but neglected to actually do so, which meant I had to submit a second support ticket.


WHAT’S THE LONG-TERM ANSWER TO THIS?


Unfortunately, the most realistic long-term solution is to stop using Twitter. I know that can be easier said than done, but you have to think very seriously about investing time in something which can so carelessly destroy that investment, in Twitter’s words, “by mistake”.

Whilst there are alternatives, I doubt I’ll stop using Twitter outright. But these experiences do have a negative impact on one’s willingness to invest significant time in building a profile. You’re a legitimate user. You’ve dedicated a portion of your life to building something you feel has value and is good. You’re never going to get that time back. So when a cyber power randomly takes away what you’ve created in the name of data mining, and then, when you won’t or can’t accede to the ransom, hands that creation back to you in a heavily damaged state, you’re going to learn a lesson. Don’t trust.

Do not trust.

This post was originally published on Twirpz.