Twitter Verification 2021: Research Study
Analyzing the verbiage of the revised Verification criteria raised far more questions than it answered. Twitter stated that the document would provide much needed clarification on the process, and in some ways, it did. Unfortunately, after my analysis I have determined that the new process will create far more problems than Twitter can possibly foresee, from both an Application Security and a User Experience perspective. Not to mention, various other departments will face issues.
First and foremost, Security is, has been, and always should be the priority for any organization. After analyzing the proposed Twitter Verification revisions, the current state seems dire in terms of reducing Application Security risk. The weakest link in Security is people - and the policy that Twitter has set forward [or at least proposed] is going to slam dunk bot activity into zones that the Product, Marketing, and AppSec teams will resent. For example, product and marketing will have skewed metrics and unrealistic account creation ratios. There’s a possibility that measurable financial analytics could be affected as well; however, I have no such proof.
Rather than review the entire policy, which you can do here, let’s take a look at some key requirements for verification:
Companies, brands, and organizations: Accounts representing prominent organizations, and secondary affiliated accounts, including companies, brands, non-profit organizations, as well as their leaders and other prominent executives. To qualify as prominent, accounts must meet 2 of the following requirements:
- presence in public indices, including but not limited to Google Trends, public stock exchanges, Wikipedia (including multiple references to unaffiliated external sources), and databases such as Charity Navigator;
- 3 or more featured references within the 6 months prior to applying in news outlets that meet the News criteria below; or
- follower count in the top .1% of active accounts located in the same country.
Activists, organizers, and other influential individuals: Outside the professional categories defined above, people who are using Twitter effectively to bring awareness, share information, and galvanize community members around a cause, to bring about socioeconomic, political, or cultural change, or to otherwise foster community, may be verified.
Accounts of such individuals and others that do not meet the specific criteria in the categories above may be verified if they:
- demonstrate consistent usage of Twitter in the six months prior to applying;
- generally abide by the Twitter Rules;
- do not primarily post content that harasses, shames, or insults any individual or group—especially on the basis of race, ethnicity, national origin, sexual orientation, gender identity, religious affiliation, age, disability, medical/genetic condition, status as a veteran, status as a refugee, or status as an immigrant—or content that promotes the supremacy or interests of members of any group in a manner likely to be perceived as demeaning on the basis of these categories; and
- meet the following general criteria for notability – at least one from Column A and one from Column B**:
The two categories that will inevitably cause major issues for Twitter are the categories of Companies, Brands, and Organizations as well as Activists, organizers, and other influential individuals. It’s simple: Both of these categories have at least one requirement that pertains to Account Activity, and this is going to backpedal Twitter’s Application Security posture. Here’s a closer look:
Companies, Brands, and Organizations
- Follower count in the top .1% of active accounts located in the same country.
Activists, organizers, and other influential individuals
- Follower count in the top .1% of active accounts located in the same country.
- In the top .05% of active accounts located in the same country in terms of volume of conversation about them, based on mentions, rate of Follower growth, or other internal signals.
- Widely credited for creating a hashtag movement that is capturing a large volume of conversation within a given community
The Major Application Security Issue
Two major categories of prominent individuals are required to be within the top .1% of following acquisition in their country, or .05% in terms of the volume of metric conversion signals. What could possibly go wrong?
An Absolute Bot Nightmare - Twitter is underestimating the sheer amount of damage that bots have done on the platform. It’s not a surprise to any of us that use Twitter that bots have been used for various nefarious purposes such as Advertising, Fake Follower Campaigns, Inauthentic Actions, and Psychological Operations.
Requiring users to amass a certain level of followers or activity rating through mentions, or other actions to be Verified is one of the easiest ways to destine Twitter for the destruction of authentic user behavior.
But - how?
-Follower purchasing services-
Users that want to be verified will likely shoot to acquire this metric, first and foremost. Since the percentage is higher than the percentage of conversion signals (mentions, interactions, etc) this will likely be the first bot-type activity to occur. Buying followers is a simple process. Hundreds of services already exist, and creating a Twitter Verification criteria that depends on amassing the top .1% of the given criteria will make the problem far worse than it already is. The followers have to come from somewhere right? You bet. People will start creating more intuitive ways to bot on the platform and fake accounts will be on the rise.
-Fake Likes, Retweets, Mentions, Hashtag mentions, etc-
The other primary metric will be the .05% top signal activity qualification for Verification. Utilizing this metric as a factor that’s weighed in the Application process will undoubtedly create more bots, working against Twitter’s Security process and performing actions to help bolster the signal rating of the users attempting to acquire verification.
“Okay, John, that’s cool and all but I think you’re underestimating people. Users that want to be Verified can read, what makes you think they will start to purchase services that utilize bots?"
In reality, that’s fair. Users can read, and should know better than to do so. Unfortunately, as we’ve seen in most situations, it’s not the everyday average user that’s going to attempt this. The abuse will come from all of the people that cannot possibly understand why they are not being verified after amassing one million bot followers, mentions, and other inauthentic actions simply because their account doesn’t fulfill the other criteria that are set out. If there’s anything I’ve learned, it’s that the average user doesn’t care about the logistics of the criteria. They see the criteria, think it’s attainable, and start to pursue it. Many scenarios exist in which people blatantly ignore the requirements set out before them.
For example, take a look at the number of people on Twitter that want to be Verified. Some of them are not noteworthy, yet still, they will hop on the platform and tweet something like, “hey @jack @verified please verify me, I’m a prominent ‘x’ with over ‘x’ followers” - and like clockwork, pay for a Retweet service for a couple of thousand Retweets, thinking that all of a sudden, it’s going to bypass Twitter’s hard-stop on Verification.
Take those same individuals as an example. Some of them, who may have been discouraged by the lack of response to their pleas, will take a measurable metric such as followers or account activity far more seriously, and even users that were nowhere near eligible for verification will see it as a glimmer of hope, something that can be abused towards an objective that may not have been otherwise possible - even if they do not meet the required press guidelines.
“Sure, but Twitter will likely have tools that can determine behavior that isn’t legitimate right?"
Absolutely. User behavior is Twitter’s niche, it’s what they do best. The sad reality will be the threat actors inevitably becoming smarter. Twitter’s Application Security, like any other Enterprise, cannot be perfect. Threat Actors already abuse the platform with bot-like activity, and whether Twitter can make a determination on the legitimacy of a User’s reputation during the Verification process doesn’t stop the bot activity from occurring. If you need evidence, refer to the psyops bots on Twitter that are trying to misinform the public about the 2020 election.
“Well at least no one without notoriety will get Verified right, I mean, that shouldn’t be an issue”
The elephant in the room - Legitimate users doing inauthentic things. Follower for Follower websites will become more prominent, as well as mention for mention, like for like, etc. Twitter will have a difficult time determining the authenticity of an account’s actual activity signal prominence if legitimate users are becoming part of botnets as a means to work against the activity system. Even if it can be viewed within SIEM logs, etc., the amount of manual evaluation that will have to occur is astronomical.
User Experience, Safety and Policy
Damaged user experience may come in various forms, primarily as Enterprise Reputational damage. While I can probably speak less on behalf of User Experience and Policy, there are several things that I observed while reading through the Verification notice:
“Three years ago, we paused our public verification program after hearing feedback that it felt arbitrary and confusing to many people.”
It’s still a confusing process though. Many aspects of this policy seem to hint towards stripping users of Verification and requiring more stringent criteria for the uncategorized.
“This policy will lay the foundation for future improvements by defining what verification means, who is eligible for verification and why some accounts might lose verification to ensure the process is more equitable."
What does Twitter mean by “some” accounts might lose Verification? Will all current accounts be evaluated against new criteria? The transparency of this statement is hazy at best. Taken at face value, one could probably assume that any account that doesn’t meet the new criteria will be unverified. If Twitter actually intends to unverify users that cannot meet the criteria, there will be thousands of users and organizations that suffer from this. If there’s anything that I learned from my time on Twitter, it’s that people take Verified Checkmarks seriously. In fact, people have made it well known that it’s a life mission, and I highly doubt that the users stripped of Verification will simply nod their heads in agreement and say, “that’s fair”.
Twitter cannot be held hostage by users over a checkmark, but what happens when thought leaders with big followings that do not meet the criteria are unverified? Before I’m told this is impossible, let me just affirm, there are a ton of Verified Thought Leaders on Twitter who have no press and would undoubtedly be unverified under new criteria. I don’t particularly believe their fanbases are going to quietly acknowledge it. I personally believe that unverification is going to heavily backfire on Twitter.
Understanding the Metrics of how the System Works Against Non-Categorized Users
Earlier, I discussed the problem of requiring a .1% or .05% for users not in primary categories, or for businesses/brands. What do the actual statistics look like?
[Note: These statistics may not be completely accurate, but it’s my rough estimate]
In the United States, it was stated that there are roughly 68 million active Twitter users per month. If this number is true, it will completely destroy brand/business Verification and non-categorized influencer Verification possibilities. In reality - if the number actually reflects the expectation for Verification, there’s no hope for the majority of people that deserve Verification, yet cannot meet such a high level of follower or signal prominence.
In terms of having the “highest amount of followers” [within .1%], the top 68,000 of non-categorized users will be eligible for verification out of 68 million users in the United States. In addition, what does this number look like after the criteria for “Column B: Off Twitter Notability” is analyzed? The system goes from providing Verification for authentic or high interest, to preventing Verification for any user that is outside the realm of fame. No amount of press or notoriety in the world would matter in the instance that there are 68,000 people with a larger following than the individual applying for verification.
The same goes for “signal influence rating” [.05%]: the top 34,000 individuals. The chances of being in the top 34,000 of users for various calculated Twitter metrics are not only unlikely, but unclear and biased towards non-categorized individuals. How is this determined? I’m not a fan of the new Transparent policy that is not transparent. I believe this, yet again, leaves room for speculation and frustration across the Twitter Community.