Restricting the Twitter API will have implications across Twitter, the broader Internet, and society, experts say. Is there a cybersecurity silver lining, or will threat actors pay to play?

5 Min Read
twitter against cracked background
Source: Peter Tsai via Alamy Stock Photo

Twitter's new policies surrounding its application programming interface (API) have just gone into effect — and they will have broad implications for social media bots, both good (RSS integrations, say) and evil (political influencer campaigns), researchers note.

On Feb. 2, the Twitter dev team announced that the site would no longer provide free access to its API, starting on Feb. 9. After some negative publicity, Elon Musk personally provided an amendment — that Twitter would continue to service "a light, write-only API for bots providing good content that is free."

APIs are what enable different computer programs to communicate with one another. Just as your computer provides an interface so that you can easily interact with its many complex functions, an API provides an interface for two software programs to interact with one another. Twitter's API is necessary for any enterprises, academics, or bot developers whose applications rely on the social platform.

The choice between a limited or subscription model threatens to push away smaller, more cash-strapped developers and academics who have used the free access to create useful bots, applications, and research.

On the other hand, bad bots have also ravished Twitter since the beginning. They're regularly used by hackers to spread scams and by evil regimes to spread fake news, to say nothing of their smaller-scale negative impacts in influencer culture, marketing, and general trolling.

Is a paid API the answer to Twitter's influence campaign and bot-driven ills? Some experts think the new move is just smoke and mirrors.

Twitter's Bad-Bot Problem

In May 2018, the National Bureau of Economic Research (NBER) in Cambridge, Mass., published a working paper on the role of social media bots in shaping public opinion. The study focused on Twitter, and its bots' impacts on two 2016 elections: the US presidential race, and the UK vote to leave the European Union. The data indicated that "the aggressive use of Twitter bots, coupled with the fragmentation of social media and the role of sentiment, could contribute to the vote outcomes."

They found that in the UK, the greater volume of automated pro-"leave" tweets may have "translated into 1.76 percentage points of actual pro-'leave' vote share." And in the US, "3.23 percentage points of the actual vote could be rationalized with the influence of bots."

Three crucial swing states in that election — Pennsylvania, Wisconsin, and Michigan — with enough collective electoral votes to swing the result the other way — were won by less than a percentage point.

Bots don’t always have to sway world history — sometimes, they're just a useful tool for hackers looking to commit cybercrime at scale. Cybercriminals have been observed using Twitter bots to distribute spam and malicious links, and to amplify their content and profiles.

"Bots are an amazingly huge problem," David Maynor, director of the Cybrary Threat Intelligence Team, explains to Dark Reading. "If Twitter were the real world, you would see random inanimate objects trolling people, and the victims would spend hours or days trying to prove a random object wrong. Bots also give astroturfed efforts a real feel of legitimacy."

Astroturfing is the practice of presenting choreographed marketing in such a way as to make it appear to come from the general public (hiding sponsorship information, for instance, or presenting "reviews" as objective third-party assessments).

Is Twitter Hiding Its True Motives?

Some speculate that Twitter's real motives for putting its API behind a paywall have nothing to do with security. After all, is a basic subscription plan going to stand in the way of a cybercrime group, or even a lone scammer? Certainly not the government of Russia, one of the largest operators of social media influence campaigns.

In fact, notes Ted Miracco, CEO at Approov, "there are numerous mobile app security platforms and cloud based solutions that could easily eliminate the bot traffic overnight, and Elon Musk is well aware of these technologies."

Indeed, there are a number of strategies and tools for social media sites (and website owners and admins of all kinds) to use to snuff out botnets. For one thing, bots tend to follow specific behavioral patterns, like posting in regular intervals and only in limited ways. And after identifying even just a few suspect accounts, clever specialized tools can help reveal entire networks of connected bots.

Maynor noted that in addition to sussing out malicious automated tweets, naming and shaming might be important: "This isn't popular, but to fight bots and information operations you have to tie accounts to real-world people and organizations."

He adds, "This raises issues about privacy and misuse of data, but remember: they are already mining every bit of data they can get. Tying accounts to real-world identities won’t affect the platforms' data harvesting, but instead will stomp bots and [astroturfing]."

Why go so far as to remove free access to the API, before exhausting other available cybersecurity measures?

The reason is an open secret — an elephant in the room — in Silicon Valley, Miracco argues. Simply put, social media companies like their bots, according to Miracco.

The premise is this: Twitter makes money by selling ads. Bots look like users, to advertisers, so they bring in revenue all the same. More bots, more money.

In January, Musk threatened to back out of his Twitter buyout on the grounds that a large portion of the company’s stated users were, in fact, secretly bots. Perhaps his mood changed, however, after transitioning from an interested party to the outright owner. Miracco guesses that "revealing the problem now will result in a precipitous fall in traffic, so there needs to be some found revenue along the path to reduced traffic in order for the company to stay relevant, hence the API paywall."

He puts it in plain terms: "the paywall is dressed up to stop bots, but is really only to drive revenue."

The paywall just took effect. Time will tell whether it really does put a dent in Twitter's bot problem, or if it merely lines Musk's pockets.

Twitter did not immediately respond to a request for comment from Dark Reading.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights