Preston Byrne, a columnist for CoinDesk’s Opinion section, is a partner in Anderson Kill’s Technology, Media and Distributed Systems Group. He advises software, internet and fintech companies. His biweekly column, “Not Legal Advice,” is a roundup of pertinent legal topics in the crypto space. It is most definitely not legal advice.
Among the libertarians, I am something of an odd duck in that I am not a journalist, yet I have a blue check mark.
I am proud of my blue check mark. I’m not sure how I got it. Back in the day, Twitter had a form you could fill in with links to press coverage if you wanted a blue check mark. I did so. One day, months later, a lot of my friends and I in fintech and Crypto Twitter suddenly had blue check marks next to our names.
It was great.
Who was responsible for granting it to me, I do not know. I thank that person, because the day I got that blue check mark ranks right up there with the day I got married or the birth of my firstborn. (Except, I am not married and have no children; it is possible that this state of affairs relates to the inordinate amount of time I spend on Twitter.) If it is related, it was worth it. But apart from that, there are normally few if any downsides.
Few, that is, until the Great Blue Checkmark Blackout the other day. For those of you living under a rock, Twitter – or, more probably, an employee of Twitter – had an employee login hacked (or deliberately sold). Following this, a number of well-followed accounts – Elon Musk, Bill Gates, Barack Obama and Joe Biden, to name a few – posted a promise that if Twitter users sent bitcoin to a particular address, they would get double that amount sent back in return.
Twitter immediately locked down all of the blue check marks while it responded to the incident. There was much rejoicing.
Usually, this scam is carried out by seizing control of the account of a lesser blue check who uses SMS two-factor authentication pointing to an actual phone number (rather than Google Voice). The lesser blue check gets SIM swapped, so the attacker now receives the login and password-reset codes sent to that number; the attacker then changes the user’s profile and display name to those of a famous person (e.g. Elon Musk) and posts the “send me Bitcoin!” tweet. The famous person’s stans, seeing the “verified” badge and the display name (but not the lesser blue check’s less prominent user handle), promptly comply.
In this instance, the fact that (a) these verified accounts had millions of followers and (b) the attack appears to have pulled back the curtain on a “God Mode” moderation tool makes this a story. For those of us who have been around for a while, there’s nothing new about this scam. What makes it notable is who got hacked, not what the hackers sought to achieve.
Twitter responded by prohibiting the posting of cryptocurrency addresses.
This is most certainly not “good for Bitcoin.” Twitter is (quite properly) responding to unlawful use of its platform by preventing bad actors from exploiting the platform. But at the same time it is also preventing good actors like Balaji Srinivasan from soliciting bitcoin bounties on the platform.
Some responses from the Bitcoin community, such as one from Nic Carter, called for a “user-owned internet” and decried the “sheer centralization” on display in this breach. Others, such as Muneeb Ali, said the breach “accelerated us towards a decentralized web by 5 years.”
We should be careful not to overplay our hand. To start, the decentralized-ish protocols available for social media today are either clunky (ActivityPub) or unscalable (in the case of the chains). Also, although centralization was an issue here, it does not follow that decentralization of the platform itself is the solution, as many blockchain promoters past and present claim. (See, for example, Vitalik Buterin pitching Ethereum as an identity solution to Elon Musk; the grownups in the room will be aware that Ethereum, all-singing and all-dancing in its marketing material, doesn’t do everything its stans say it does.)
Decentralized solutions don’t operate as a PKI directory, as Keybase does, and can’t process meatspace ID such as driver licenses. A smart contract can tell us little more than that someone, somewhere, holds a key that is permitted to write to that script.
Furthermore, there appears to be a much simpler fix. All Twitter, or indeed any social media company, needs to do is design client-side software that authenticates that (a) a user (b) who was verified by the service and (c) was logged into the service (d) sent a message on the service (e) signed with a key, or a device, that the user presented to the service when first obtaining their verification.
Such functionality would immediately alert a reader to a possible problem with the authenticity of a message. There might be a “green check mark” for messages that are validly signed and a “red X” for messages that are unsigned or whose signature does not check out. The check should run in the reader’s client against the key registered at verification time, and the signed payload should cover the user handle rather than the display name, so that the appearance of any message is placed beyond the ability of any employee or moderator to falsify and a display name changed to “Elon Musk” cannot borrow another account’s green check.
Even this wouldn’t prevent an attacker who gained control of the device, or obtained the key, from carrying out the “send Bitcoin!” scam. But it would make it considerably harder to pull off than with SMS-based two-factor auth and apparently unlimited moderator power.
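As an added example, not code from the column or from Twitter, here is the scheme of the three paragraphs above in Go: a one-time enrollment that registers a public key per verified handle, client-side signing over the handle, timestamp and text, and a reader-side check that awards a green check or a red X. The use of Ed25519, the handles, the timestamps and the post texts are assumptions made for illustration; the posts are constructed, not real tweets.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Post is what a reader's client receives from the platform. Only Handle,
// Timestamp and Text are covered by the signature; a display name is not,
// because the scam described in the column works by changing it.
type Post struct {
	Handle    string // the account's user handle, as held by the service
	Timestamp int64  // unix seconds, set by the posting client
	Text      string
	Signature []byte // nil for a post the platform published unsigned
}

// VerificationRegistry maps a verified handle to the public key the account
// presented when it obtained its badge. Readers' clients hold a copy, so the
// check happens outside the platform's moderation tools.
type VerificationRegistry map[string]ed25519.PublicKey

// Badge is what the reader's client draws next to a post.
type Badge string

const (
	GreenCheck Badge = "green check"
	RedX       Badge = "red X"
)

// NewVerifiedAccount models the one-time enrollment: the key pair is
// generated on the user's device and only the public half is registered.
func NewVerifiedAccount(reg VerificationRegistry, handle string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[handle] = pub
	return priv, nil
}

// lengthPrefixed stops a handle/text boundary from being shifted
// without invalidating the signature.
func lengthPrefixed(s string) []byte {
	b := make([]byte, 4, 4+len(s))
	binary.BigEndian.PutUint32(b, uint32(len(s)))
	return append(b, s...)
}

// canonical is the exact byte string that is signed and verified.
func canonical(handle string, ts int64, text string) []byte {
	msg := lengthPrefixed(handle)
	tsb := make([]byte, 8)
	binary.BigEndian.PutUint64(tsb, uint64(ts))
	msg = append(msg, tsb...)
	return append(msg, lengthPrefixed(text)...)
}

// SignPost runs on the posting user's device; the private key never
// reaches the service.
func SignPost(priv ed25519.PrivateKey, handle string, ts int64, text string) Post {
	return Post{
		Handle:    handle,
		Timestamp: ts,
		Text:      text,
		Signature: ed25519.Sign(priv, canonical(handle, ts, text)),
	}
}

// BadgeFor runs in the reader's client. A post gets a green check only if it
// is signed, the handle is a verified one, and the signature verifies under
// that handle's registered key. Anything else, including a post whose text
// was altered after signing, gets a red X.
func (reg VerificationRegistry) BadgeFor(p Post) Badge {
	pub, ok := reg[p.Handle]
	if !ok || len(p.Signature) == 0 {
		return RedX
	}
	if ed25519.Verify(pub, canonical(p.Handle, p.Timestamp, p.Text), p.Signature) {
		return GreenCheck
	}
	return RedX
}

func main() {
	reg := VerificationRegistry{}
	alice, _ := NewVerifiedAccount(reg, "@alice")     // a real blue check
	mallory, _ := NewVerifiedAccount(reg, "@mallory") // a lesser blue check run by the attacker

	// Constructed sample posts for the four cases in the column.
	genuine := SignPost(alice, "@alice", 1594857600, "Nothing to see here.")
	fmt.Println("genuine post:         ", reg.BadgeFor(genuine))

	edited := genuine // a moderator with "God Mode" rewrites the text
	edited.Text = "Send 1 BTC to me and I will send 2 back!"
	fmt.Println("edited by staff:      ", reg.BadgeFor(edited))

	hijacked := Post{Handle: "@alice", Timestamp: 1594857601, Text: "Send 1 BTC!"}
	fmt.Println("stolen session, no key:", reg.BadgeFor(hijacked))

	impersonated := SignPost(mallory, "@alice", 1594857602, "Send 1 BTC!")
	fmt.Println("signed with wrong key: ", reg.BadgeFor(impersonated))
}
```

Note that an attacker who still holds a key for a verified account of their own gets a green check for posts under that handle; the defence against the display-name trick is that the signature binds the handle, so the client must show the handle the signature was verified against rather than the editable display name.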
Apps like Keybase and Signal have shown that strong cryptography is increasingly accessible to ordinary internet users. Long gone are the days of PGP which, per Mike Hearn, “was so bad terrorists would rather die than use it.”
The smart move here by the crypto community is not to overreach and declare the end of the centralized web. It’s to communicate to platforms that we expect client-side digital signatures and encryption in their offerings, so we can safely use online publishing platforms to send the financial communications of the future in a secure way. The alternative is that platforms will ban cryptocurrency addresses. I know which option I prefer.