Prevent transgender harassment #3

Open
estelle opened this issue Jul 13, 2022 · 32 comments

Comments

@estelle

estelle commented Jul 13, 2022

Would be cool to add a flag that if the bio contains the transgender flag or pronouns, the script fails. While people will be able to look at the script and edit out this feature, it will help prevent non-technical trolls / lazy bullies from surfacing dead names.

@LuNeder

LuNeder commented Jul 14, 2022

Yeah I can definitely see how this tool could easily backfire and be used for harassing trans people

Also, it’d be nice to add something hidden to the bio instead of the trans flag
Maybe just the LGBT flag
Some people out there might not want to be publicly trans

@LuNeder

LuNeder commented Jul 14, 2022

And honestly, I think this will probably be used MORE by transphobes to harass transgender people than to unmask transphobes. A big part of the transphobes already have their real name out anyway or just create fake accounts, while lots of transgender people I follow and am friends with just keep their account and change their usernames.

And this having already more than 100 stars, it might be too late to avoid this. While I do like to imagine that most of these stars have not downloaded this yet, they can always download a previous commit.

While having a protection would be better than nothing, I’d assume the best thing would be just privating this as a whole to avoid harassment. One techy transphobe would be enough to remove the protection and redistribute this among all other transphobes.

@hyperfekt

hyperfekt commented Jul 14, 2022

Mind that this service relies upon a database that contains the data from the Wayback Machine (easy to access, and censorable by users upon request) and the Twitter Stream Grab (harder to access, unclear if it would be redacted). This repo alone is useless, so the question should be about public access to the database and the general problem of the Internet Archive maintaining a Twitter history.
In my opinion it might be advisable to allow access to the database only upon request, and for the community to look into whether the Stream Grab can be changed (Travis would still be able to steward a copy of the unredacted data, which could be useful as people with more nefarious intent would likely also want to have their data removed from the Stream Grab).

@travisbrown
Owner

Thank you for raising this issue here. A few notes:

  • Most of the information the service provides can easily be found through other means (Twitter search, the Wayback Machine). People who engage in harassment tend to know about these methods. The goal of the project is to make it easy for anyone to identify accounts that may be abusive, scammy, spreading disinformation, etc. It doesn't change what is possible (either for "good" use cases or abusive ones).
  • The underlying service has been publicly available (and publicized) for a month, and has been in use privately by several groups of antifascist researchers and journalists since last November. I've been watching for misuse, and what I've seen has been very limited. If that changes we will restrict access to the service.

There is also a private exclusion list that removes ID-screen name pairs from the public results (although of course the excluded info is usually still also available through Twitter search and the Internet Archive's Twitter Stream Grab, which I have no control over). I will respond privately to all requests for exclusions.

@travisbrown
Owner

@hyperfekt As far as I know, nothing has ever been redacted from the Twitter Stream Grab (although redactions regularly happen for the Wayback Machine), and the way it's packaged and distributed would make specific redactions practically impossible.

@travisbrown
Owner

One other thing to note is that (as @hyperfekt points out above), the availability of the code in this repository isn't very useful on its own—it takes a lot of computing time to build the index from the Twitter Stream Grab and Wayback Machine, and the scraping code isn't available here. Access to the web service can be restricted (or turned off entirely), and without it the browser extension is useless.

@UwUnyaa

UwUnyaa commented Jul 14, 2022

Just to let you know, this whole project is so bad that I had to look up how to report repositories on GitHub. I refuse to call it a tool, because it's nothing but a weapon.

@travisbrown
Owner

@UwUnyaa In what sense is an index of public screen names from public archives (which are in most cases still discoverable through Twitter's public interface) a "weapon"?

@travisbrown
Owner

I've just restricted access to the web service, which means that the Chrome extension will no longer add previous screen names to Twitter pages for now. If you had access to the service before the public launch last month, feel free to contact me.

Please note that all of the data indexed by the service is very public. If you feel that information provided by the service is a threat to your safety, you should be aware that there are several other ways for people to find that info (in most cases extremely easily, via a single Twitter search), and that there are steps that you should be taking to identify (and possibly limit) your exposure. I'm happy to discuss those steps, or to put you into contact with someone else who can help.

I'll post an update here before opening the service to the public again, and in the meantime please see the README for information on requesting exclusions.

@UwUnyaa

UwUnyaa commented Jul 14, 2022

@travisbrown Making this kind of OSINT easier is just a bad idea, especially with the current state of affairs.

@ghost

ghost commented Jul 14, 2022

If it's already public and people are able to get around it by making a new account or something, I don't see the issue. The corporations already have access to all the data. It's already possible for people who are intent on doxxing/harassing, making it easier for regular people vs institutions just seems clearly helpful.

@travisbrown
Owner

> @travisbrown Making this kind of OSINT easier is just a bad idea, especially with the current state of affairs.

@UwUnyaa I disagree, and I know many other people who do as well. I've seen dozens of cases where this tool has been used to identify astroturfing, disinformation, scams, etc., to trace connections of current US political candidates to QAnon, and even a couple of cases where it's resulted in offline consequences for right-wing extremists (losing jobs, having harmful online activity known to their local communities). I know that there's potential for misuse, but given the full situation it's not clear (to me, or to many others I've spoken with over the past months) that that outweighs the value of the tool being publicly available.

@LuNeder

LuNeder commented Jul 14, 2022

> If it's already public and people are able to get around it by making a new account or something, I don't see the issue. The corporations already have access to all the data. It's already possible for people who are intent on doxxing/harassing, making it easier for regular people vs institutions just seems clearly helpful.

Well, it being public doesn't mean one will know how to do it. This thing makes it terribly easy to do it, anyone would be able to use this for harassing.

And creating a new account is not something most people want, especially if you already have lots of followers that you would end up losing or if you already have your account for a long time.

Still, now that this tool exists, the only option for lots of people may very well be creating a new account. The exclusion thing will definitely help, but now that it's public that doing this can be easy one techy transphobe can just create an unrestricted alternative.

Twitter themselves should probably change how they deal with account UUIDs. Probably making them private, being only something to deal with suspensions and bans and stuff, not something public that everyone can see.

@ghost

ghost commented Jul 14, 2022

@LuNeder They already harass plenty, you can block. The question seems to be about deadnames primarily, which seems to me like something worth making a new account for when the data is public, or tolerating that some people will know. Every one of those followers a trans person had before switching names would know about their previous identity, as well as any software that could see it. The data exists. That's just what happens when you share your information with people and build an identity that you then want to change. Do we really want Twitter to be in control of all our data and put it all behind closed doors? And yes like you said, the software to do this already exists so it's more a question of how we respond to Twitter's policies. Whatever, it'll happen how it happens.

@LuNeder

LuNeder commented Jul 14, 2022

> > @travisbrown Making this kind of OSINT easier is just a bad idea, especially with the current state of affairs.
>
> @UwUnyaa I disagree, and I know many other people who do as well. I've seen dozens of cases where this tool has been used to identify astroturfing, disinformation, scams, etc., to trace connections of current US political candidates to QAnon, and even a couple of cases where it's resulted in offline consequences for right-wing extremists (losing jobs, having harmful online activity known to their local communities).

Just because it can be used for good, it doesn't mean it won't be used for bad. This kind of tool shouldn't be public. Make it available for only a handful of trustworthy journalists then. This is not a job for random internet users.
As a public tool, this will be used against journalists, LGBT people in general and people in abusive relationships.

> I know that there's potential for misuse, but given the full situation it's not clear (to me, or to many others I've spoken with over the past months) that that outweighs the value of the tool being publicly available.

Well it does. Going on a JSON of the size of Twitter itself is not something anyone will do, but using a simple browser extension that will immediately give them all previous names of someone with no obstacles is something anyone can do.

@ghost

ghost commented Jul 14, 2022

Trustworthy journalists? And how does that work? Who decides who's trustworthy? If you want your data to be private you should understand that the internet is a giant melting pot of data and it can either be available to all or available to some.

@LuNeder

LuNeder commented Jul 14, 2022

> @LuNeder They already harass plenty, you can block.

Yeah they already harass plenty, why not make it worse right?

> The question seems to be about deadnames primarily,

Not really. People who want to stay anonymous for any other reason, such as abusive family, will be affected.

> which seems to me like something worth making a new account for when the data is public, or tolerating that some people will know.

As I said, some people have had an account for a long time or have lots of followers. Creating a new account will make you lose old tweets and lots of followers as well. And the data was never easily publicly accessible until now. Even I, a person who would be completely able to access this data manually if I wanted, did not know that it was possible. This tool will make it a thing for everyone.

> Every one of those followers a trans person had before switching names would know about their previous identity,

Usually they won't go harassing you or making this information public tho.

> The data exists. That's just what happens when you share your information with people and build an identity that you then want to change.

Once again, until now you were able to change it. Username changes exist for a reason. If anyone can easily see your old username then there's no reason for them to even exist.

> Do we really want Twitter to be in control of all our data and put it all behind closed doors?

I don't get how a private random UUID would be controlling your data, and how making things you don't want to be public private would be a bad thing.

@ghost

ghost commented Jul 14, 2022

Whatever. Just delaying the inevitable seems like to me. Making it harder for people with less resources and easier for people with more resources.
And yes of course username changes still have a purpose. It's the current username that displays. Being able to see the past doesn't exclude the existence of a present.
If people can't learn to stop oversharing and being attached to accounts held by giant unaccountable corporations then idk how giving them safety rails everywhere is helping them. They need to make new accounts and learn digital literacy.

@travisbrown
Owner

> This is not a job for random internet users.

@LuNeder To take a different example: early in the escalation of the Russian invasion of Ukraine in February there were a number of "OSINT" accounts that quickly gained large audiences (100k+ followers) and then turned out either to be scams or to be used for disinformation. Several of them were former NFT or novelty accounts that were bought or repurposed because they had established followings (and were presumably less likely to get suspended because they had histories). This kind of thing is extremely common on Twitter, and if you have a list of former screen names on the profile page, it's often really easy to identify.

> Going on a JSON of the size of Twitter itself is not something anyone will do

The Twitter Stream Grab isn't the only way to find the information indexed by this service (and it's not even that difficult to work with if you know particular date ranges to target). It's also possible to construct queries with the Twitter advanced search interface that are extremely effective at surfacing old screen names. This tool doesn't have anything to do with that method, which was well known before it was launched, and which will continue to be used by attackers.

@travisbrown
Owner

> If people can't learn to stop oversharing and being attached to accounts held by giant unaccountable corporations then idk how giving them safety rails everywhere is helping them. They need to make new accounts and learn digital literacy.

@Howlsyawn I'm sorry but I don't think this tone is helpful here. I agree that it would be good for people to be more aware of threats to their security or privacy, but I don't think framing the issue in terms of blame or guilt is productive.

@ghost

ghost commented Jul 14, 2022

I didn't blame them. The problem is that the systems we have are not really under our control anyways. I said that helping them would not involve giving them more safety rails to delay the inevitable. It would entail giving them digital literacy and pressuring the companies that actually control the data to give us more control as users. And as a neurodivergent person I can't read tone the same as you so I'm sorry if it came out as condescending. I'm just stating what I think is true.

@valknight

This tool has a purpose, but I think it's irresponsible to make it so easy to use, with guides on how to pull the data into spreadsheets with wildcard matching, when doxxing forums like Kiwifarms exist.

I feel the more appropriate option here would be to pull the API for now, and require application for researchers and journalists to use it, or even handing this project off to a non-profit org that can handle access to the tool. I think one person having control of this tool is unwise and unsafe.

@lizthegrey

+1 to "show recent name changes only" e.g. those made in the past 2 months, that should address the scammy buy account with loads of followers and rename situation.

@travisbrown
Owner

@lizthegrey That sounds reasonable. It wouldn't support many use cases (e.g. projects like finding deleted tweets by January 6 participants), but the full histories could be provided to authenticated (invited) users.

@commieosint

FWIW, there is evidence that fash have a similar service that they've been using for several months now. Not sure how much it's been shared within their circles or if a similar process has been used to make it.

@NireBryce

NireBryce commented Jul 14, 2022

As someone who has both used this for antifascist uses and has concerns about deadnames, I think there's a lot of room for compromise that allows for both. But we do need to be thinking a lot about where that needs to fall.

The dox clearinghouses and stalker dens have similar tools, but due to how stigmatized it is, my understanding is they aren't easy to find if you aren't very plugged in to the right. If the database search is the issue, that's long been out of the coop.

The problem with that, though, is it's not just the extreme right that uses it -- a whole lot of places known for investigative journalism just showed they're only wanting to run hit pieces on trans people.


But let's ignore trans people (outside of those of us this is relevant to) for a second. Let's imagine someone, with a somewhat unique name at least in their area, signed up as @<F_name><L_name> in 2021 but after a few days changed it to @new_username. They live in Texas, and, assuming anonymity, tweeted about taking abortion pills but now needs to go to the hospital to deal with the aftermath.

They, as many non-technical users do, added their location to the app, as Town, Texas.

This isn't unique to here, and maybe you don't have this granularity, I've only done single term searches and it's down atm. but:

Even if you yourself only give results or wildcards for names, I could, with a script someone handed me and no other technical knowledge, use other things to compile a list of everyone with Texas and a town in the location who tweeted about abortion, and use this to sift for what look like legal names. At $10_000 a head thanks to the bounty law, that's a great way to make a quick buck. There was good justification for this before those, but it gets really spicy after. And that's not even touching issues elsewhere with similar risk.

You could do that with Twitter advanced search, but you'd hit rate limits. Internet Archive queries are pretty consistently slow, at least for me. Those tools are frustrating, and with that comes at least filtering for high determination instead of any rando.


On the gripping hand, maybe this is a good example to leverage into Twitter actually giving better protections against this that DON'T involve begging all your followers to follow a new account after you come out, or having to beg everyone to make new accounts if they're going to tweet about their abortions

@NireBryce

NireBryce commented Jul 14, 2022

All of that said, if you have concerns about you personally being targeted directly, the people doing the targeting know all the moving pieces here.

The best you can do is pressure Twitter to remove your info, or move accounts which, ime, is never a thing you can actually fully keep your following from, or your reputation.

and that's the part of this whole thing that sucks the most.

I think it's important for antifascist work, and also checking for infiltration, but I also think the ease of use is a little too high.

if someone is going to use this tool, they at least should need to read a bit to be able to -- journos and antifascists are pretty good at that when they need to be. I'm in no position to write docs for that so it's just a suggestion, there's other ways to add frustration, but it needs friction

imo

@travisbrown
Owner

The browser extension as it is currently designed does not provide any additional benefit in the use cases mentioned above, while potentially adding to harm regarding deadnames.

I agree that the browser extension was a mistaken experiment in its current form, and I take responsibility for that mistake. If it's reinstated for general use, it will be in a more limited form that's designed to support a narrower set of use cases (probably only showing recent screen name changes, as discussed above).

@travisbrown
Owner

I'm aiming to roll out the plan above this weekend. To summarize: screen name changes from the last 60 days will be visible to all users, with the full index only being available to trusted users (currently only supporting authentication through GitHub, but I might add Google before deploying it).

@travisbrown
Owner

travisbrown commented Jul 16, 2022

The service is now publicly available, but unauthorized users will only be shown screen names that were observed in the past week. I'll bump that up to 60 days on Monday unless someone raises serious concerns. 60 days should be enough for partial support of one of the main use cases for the service (identifying scams and disinformation).

The full index is also now available to a small trusted group who can sign in via GitHub. The service only uses GitHub for authentication, doesn't require any non-public or write access to the user's GitHub account, will never request any kind of password, and only the user's GitHub ID is stored on the servers.

The service does not currently log requests in a way that would allow me to link individual queries to specific authorized users, but I reserve the right to implement such logging in the future if there's any suggestion of abuse.
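
The tiered disclosure described in this comment, sketched as an added example that is not part of the thread and is not the project's code: public viewers get only names observed within a recency window, allowlisted GitHub IDs get the full history, and excluded ID-screen name pairs are dropped. The record layout, the function name and the choice to apply exclusions to every tier are assumptions; all data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, List, Optional, Tuple

PUBLIC_WINDOW = timedelta(days=60)  # public-tier window named in the thread


@dataclass(frozen=True)
class Observation:
    account_id: int    # stable numeric account ID
    screen_name: str   # name the account was observed under
    last_seen: date    # most recent date this pair was observed


def visible_names(
    observations: Iterable[Observation],
    viewer_github_id: Optional[int],
    trusted_ids: FrozenSet[int],
    exclusions: FrozenSet[Tuple[int, str]],
    today: date,
) -> List[str]:
    """Return the screen names this viewer may see, failing closed."""
    # Anonymous or unknown viewers fall through to the restricted tier.
    trusted = viewer_github_id is not None and viewer_github_id in trusted_ids
    cutoff = today - PUBLIC_WINDOW
    result = []
    for obs in observations:
        # Exclusions are stored lowercased because screen names are
        # case-insensitive. Assumption: they apply to every tier here.
        if (obs.account_id, obs.screen_name.lower()) in exclusions:
            continue
        # Older observations are withheld from non-trusted viewers.
        if not trusted and obs.last_seen < cutoff:
            continue
        result.append(obs.screen_name)
    return result


# Constructed sample data, not taken from any real account.
TODAY = date(2022, 7, 18)
SAMPLE = [
    Observation(1001, "current_name", date(2022, 7, 17)),
    Observation(1001, "recent_rename", date(2022, 6, 1)),
    Observation(1001, "old_name", date(2021, 3, 5)),
    Observation(1001, "Excluded_Name", date(2022, 7, 1)),
]
EXCLUSIONS = frozenset({(1001, "excluded_name")})
TRUSTED = frozenset({42})  # hypothetical allowlisted GitHub IDs

if __name__ == "__main__":
    print("public :", visible_names(SAMPLE, None, TRUSTED, EXCLUSIONS, TODAY))
    print("trusted:", visible_names(SAMPLE, 42, TRUSTED, EXCLUSIONS, TODAY))
```

Only the viewer's ID is consulted, matching the comment's statement that nothing but the GitHub ID is stored.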

@estelle
Author

estelle commented Jul 21, 2022

Thank you!

@HolobotHowlsyawn

never mentioned blame or guilt


10 participants