No, we do not police the social media activity of our students, a New York university said last week, and yes, we have a sense of humour – remember the banana we taped to the wall in the student union and then posted on Instagram?

That was part of a Twitter stream posted by the State University of New York (SUNY) College at Geneseo, defending itself after a student’s parody account of the college – originally called @SUNYGenseeo, switched to NOT SUNY Geneseo, and now renamed geneseo’s #1 fan – was hijacked.

The account’s rightful owner is 20-year-old SUNY student Isaiah Kelly. As first reported by Business Insider, last week, Kelly had to use his personal Twitter account to vent about having been shut out of the parody account, which he uses to poke fun at the school’s social media presence, news and messages to students.

But it was neither the school nor hackers who took over the account and forced through an unrequested change to the associated email address, thus locking Kelly out. It was, in fact, Twitter, having royally screwed up when enforcing its own policy about impersonation accounts.

Twitter’s policy says that it may suspend an account that…

…portray[s] another entity in a misleading or deceptive manner.

According to the policy, Twitter doesn’t remove accounts that clearly state that they’re not affiliated with or connected to any similarly-named individuals or brands. Nor does it remove parody, newsfeed, commentary, or fan accounts.

You can see how the @SUNYGenseeo may have looked, at first glance, to be an impersonation account. True, if you took the time to read the messages, it would be pretty clear that a state college likely wouldn’t tweet about keeping its asbestos-contaminated library open while it handed out surgical masks for students or that, following a blackout, it would joke about having forgotten to pay the power bill.

But according to SUNY, some of the accounts’ tweets were, in fact, being confused with official communications from the college. While the college didn’t take down the account…

…it did mess with it once Twitter suspended the account and turned it over to a college administrator. Specifically, the school changed the account’s profile images to grey and removed tweets that were being confused with official communications. SUNY Geneseo’s official communications team said that the account crossed the line between parody and impersonation in a number of ways:

  1. It used the college’s actual name and trademark design without alteration.
  2. It added but later removed “NOT” from the account name.
  3. It changed its appearance several times to mimic changes the College made to the real Geneseo Twitter account in attempts to differentiate the real one from the parody.

Did Twitter break the law?

What’s got everybody in an uproar over the incident isn’t whether or not the account crossed the line, however. It’s that Twitter’s own policy says an account will be removed, not that it will be taken over, its content adulterated, and that control will be given to somebody else.

Doing so is, apparently, unprecedented. It’s also got observers suggesting that Twitter violated the Computer Fraud and Abuse Act (CFAA), which criminalises unauthorised access to a computer.

Kelly got his account back on Thursday. Twitter has apologised, telling media outlets that it made a mistake about turning over access of Kelly’s parody account to college officials, and that it should have instead suspended the parody count for impersonation (under Twitter’s policies).

But as of Monday morning, the internet was not appeased. It was still seething, and at least one politician was demanding that Twitter answer some questions:

I asked Twitter what it had to say about the allegation that it violated the CFAA and will update the story if I hear back. Here’s just a guess about that: Kelly used his school-issued email account to open the parody account. I’m no lawyer, but this could mean that SUNY would be the one who’d need to make a CFAA complaint – an unlikely prospect.

Twitter hasn’t said how it got wind of the account. Nor has SUNY claimed responsibility for reporting it.

Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner