“The personal data processed by this X subcontractor includes data of a sovereign nature. An identity document is a sensitive document. This raises a number of questions…”
In late May, online influencers who produce revenue-generating content on X, the social media platform formerly known as Twitter, received notifications that they will have to pass identity verification checks by July 1. Those checks require users to take a selfie and a photograph of a government-issued ID. Failure to do this will mean they will no longer continue receiving income from the platform. According to some sources, content producers that have not yet provided the requested photos are already being locked out of their accounts.
Here’s a screenshot of the automated message sent to users with creator subscriptions and ads revenue share programs, courtesy of the user known as Censored Men:
Naturally, many users are up in arms about this new condition, particularly those with liberal (in the classic sense) sensibilities. After all, Elon Musk himself posted a tweet in July 2023 stating that his X platform would protect anonymous users, or “anons” as he called them.
This platform will protect anons for this reason particularly
— Elon Musk (@elonmusk) July 9, 2023
There is a very important lesson in all this — one that Yves flagged up in her 2021 post, If Your Business Depends on a Platform, You Don’t Have a Business:
(I)t’s all well and good to want to be the creative person and not be bogged down with having to deal with the business side of publishing (and trust me, I do not like administrativa). However, when you choose to hand off the tech and monetization activities to the suits, you are at their mercy.
Sensitive and “Sovereign” Data
Users’ concerns on Twitter/X were further magnified when they learnt that the company that would be handling the face biometrics matching is AU10TIX, an Israeli firm with deep ties to the country’s intelligence agencies. It is also a big global player in the fast-emerging digital identity industry. In a 2023 article, the company identified lack of public awareness and trust and concerns about security and privacy as major obstacles to the mass roll out of digital IDs. In response, the article said, “governments and organizations must prioritize educating the public about the benefits, security measures, and safeguards associated with digital identities.”
🔒Are digital IDs the ultimate game-changer for global identification? 🔒 Join the discussion on the current usage, challenges hindering adoption, and the promising future of #DigitalIDs. Read the full article here ➡️ https://t.co/xeXy8m2exA pic.twitter.com/lq3Shn2O6R
— AU10TIX (@AU10TIXLimited) July 23, 2023
In other words, not only will X’s premium users have to give up their biometric details and a government-issued ID number in order to be able to continue generating an income stream on the platform, the company to which they will be entrusting that sensitive data is deeply embedded within Israel’s intelligence security complex. This is particularly worrisome for users living in Arabic countries with strained relations with Israel, reports the Lebanese newspaper L’Orient Today:
The problem is that AU10TIX, the company chosen to process users’ personal data, is based just outside Tel Aviv. This could complicate access to account verification for citizens of Arab countries that have not normalized their relations with Israel. Notably, many services with close links to Israel are banned in Lebanon, as there is no peace agreement between the two countries.
For Hadi Khoury, an IT expert, the concern is understandable. “The personal data processed by this X subcontractor includes data of a sovereign nature. An identity document is a sensitive document. This raises a number of questions: is this company capable of keeping personal data secure? Is it aware of its responsibilities and its duty to notify in the event of a data leak?”
The X platform’s intentions to impose biometric verification were already evident in August last year. App researcher Nima Owji revealed that the social media platform was working on a new selfie biometrics and ID document verification process. Owji noted via screenshots that the new identity verification process would require users to take a selfie and photograph a government-issued ID. Days later, Twitter disclosed that it had added two new sections to its data collection privacy policy. Per CNN:
“Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes,” the policy read.
In addition, under a new section labeled “job applications,” X said it may collect users’ employment and educational history.
The company also said it could collect “employment preferences, skills and abilities, job search activity and engagement, and so on” in order to suggest potential job openings to users, to share that information with prospective third-party employers or to further target users with advertising.
For X Premium users, the company will give an option to provide a government ID and a selfie image for verification purposes. The company may extract biometric data from both the government ID and the selfie image for matching purposes, the company told CNN in a statement.
“This will additionally helps us tie, for those that choose, an account to a real person by processing their Government issued ID,” according to the company.
Note the use of the word “choose”, as if the platform’s premium users will have any real choice in the matter. If they want to remain a premium user and continue making money through the platform, they must, as things currently stand, submit the data requested — in return for what Tech Crunch described last August as “almost no benefits.” The company insists that the verification feature will be applicable only to Premium users with creator subscriptions and ads revenue share programs, and an optional extra for all other Twitter users.
That, as I will explain a little later, is unlikely. But first…
Who or What Is Au10tix?
AU10TIX is an identity verification and risk management company that began life in 2002 as the technological division of Dutch-based parent company ICTS International CV. This is where things start getting “spooky”. ICTS was founded in 1982 by former members of the Shin Bet, Israel’s internal security agency, and airline security agents of El Al, Israel’s flagship airline. It develops products and provides consulting and personnel services in the field of aviation and general security. According to Wikipedia, that includes “operating airport checkpoints and electronic equipment, such as x-ray screening devices”, and “verifying travel documents.”
AU10TIX’s product suite includes an Identity Verification Suite, Serial Fraud Monitor and Reusable Digital ID, as well as the AU10TIX Platform, a hub unifying the company’s backend technology and frontend interfaces. Its clients include some of the biggest technology companies in the world, including Google, Uber, Airbnb, PayPal, LinkedIn, and Fiverr. X has been using its services for almost four years, well before Musk bought the platform, and is one of its ten largest clients.
AU10TIX also recently teamed up with Thomson Reuters, the self-described “world’s largest international multimedia news provider,” to provide its customers with what they call “identity verification at every level,” which includes “end-to-end identity verification, authentication, and fraud prevention services.” For customers looking for an an additional level of security, AU10TIX DOUBLECHECK “offers manual reviews by their trained personnel in sensitive situations and for verifying unclassified documents.”
AU10TIX enables its customers to verify the identity of their users by rapidly checking their ID card or driver’s license. And uploading the data couldn’t be quicker, simpler or more painless for users, as the Israeli media giant Globes soothingly reports: “All the user needs to do is scan the certificate with the phone and speak for a few seconds in front of the camera – and the verification process is complete in up to eight seconds.”
But it’s what happens to the data afterwards that worries some Twitter users. Though AU10TIX insists that it “is committed to every international standard on protecting privacy and does not pass on details to any third party,” not everyone is convinced.
Why is X forcing us to send our biometric and government id data to an Israeli company?
Monetization => ID verification => Israel (Au10tix)?
Including selfie! pic.twitter.com/QbOLBovk82
— S.L. Kanthan (@Kanthan2030) May 25, 2024
Yeah. An Israeli cyber intelligence company founded by at least one ex shin bet dude. Their whole business model is collecting everyone’s personal information and biometrics and airport scans and shit. Not sketchy at all…
— Ian Carroll (@Cancelcloco) May 31, 2024
Israel’s Industrial Industrial Complex
The paranoia is probably warranted given: a) the sensitivity of the data being requested; b) the terms and conditions on offer (see highlighted small print above); and c) the deep connections between AU10TIX’s parent company (already mentioned), AU10TIX’s senior executives and Israel’s intelligence industrial complex. From the Lebanese newspaper L’Orient de Jour (English version):
Ron Atzmon, the founder of AU10TIX, spent his military service with the Shin Bet’s notorious unit 8200. With a staff numbering between 5,000 and 10,000, this unit is Israel’s main intelligence strike force, providing it with “90 percent of its intelligence material,” Yair Cohen, who headed the unit for five years, told Forbes.
More than a mere military unit, 8200 serves as an incubator for Israel’s tech industry, which accounts for 14 percent of the country’s jobs and nearly 20 percent of its GDP. Waze, Wix, Viber and NSO, which produced the infamous Pegasus spyware, have one thing in common: their founders include former members of the unit.
“The problem is the porosity between the Israeli tech and the defense world,” said (Hadi Khoury, an IT expert). Israel has reached this level of technological sophistication thanks to this porosity and the financial support that links defense to technology start-ups. It’s part of their defense strategy in order to build supremacy.”
Israeli media are denying the allegations that Atzman or AU10TIX’s current CEO, Dan Yerushalmi, have connections with unit 8200. According to the Globes article, Atzmon is an Israel Navy veteran, while Yerushalmi was an adjutant in the IDF Communications Corps. In a 2018 article, the Times of Israel claimed that “only six of the 35 companies (in Israel’s cyber security industry) had founders from the fabled Unit 8200, the Israeli equivalent of the NSA”. But it didn’t say which ones.
What is beyond doubt are the strong ties Yerushalmi has with Check Point Software Technologies (CPST), Israel’s fourth largest company, having previously served as its Risk Officer and Chief Customer Officer. CPST is a Tel Aviv-based US-Israeli cybersecurity company whose customers include governments and large corporations, including some of Israel’s biggest arms companies. Both the founder of CPST, Gil Shwed, and its vice president, Dorit Dor, served in Unit 8200.
One Thing We Can Count On: Mission Creep
As for the X/Twitter users whose livelihood, or part of it, depends on X/Twitter, they now face a stark choice: hand over data of a highly sensitive nature to AU10TIX or risk losing a chunk of their daily bread. Presumably, most of them will choose the former — after all, what is potentially at stake is not just money but also all the hordes of followers they have built up over the years, and followers = influence. Next, the same stark choice will be presented to blue-tick subscribers who do not have creator subscriptions or ads revenue share programs. And then lastly, everyone else.
Mission creep is one of the few guarantees of these digital identity initiatives. We’ve already seen this play out with the vaccine passports that were initially marketed as purely optional but quickly became necessary for just about everything, from being able to travel to accessing basic public services and places, to even holding onto your job. We will soon see the same occur with the digital identity wallet programs rapidly rolling out across the West (and just about everywhere else) as well as with online platforms. If you want to use social media platforms in the future, even as they rapidly degrade, you will have to give up your biometrics, ID number and any other personal data they request.
With regard to Twitter/X, we know this to be true because Elon Musk’s himself has already said as much — at the 2023 edition of the World Government Summit, just months after completing his purchase of Twitter:
I have this long-term ambition. It’s something called X.com from way back in the day which is kind of like an everything app. It is maximally useful. It does payments, it provides financial services, it provides information flow, really anything digital… It also provides secure communications, you know, be as useful as possible, as entertaining as possible, and also to be a source of truth.
To find out what is going on, what is really go on, you should be able to go on X and find out. So, it is a source of truth and a maximally useful… system. And Twitter is essentially an accelerant to that maximally useful “everything” app…
I think trying to have as many organisations and people… verified as being those organisations and people is important. And to have the organisational affiliation clearly identified so that if you want to find out if… an account is actually from a member of parliament or journalist or if, let’s say, a Twitter handle actually belongs to the Disney corporation or something like that, you can go on Twitter and it’s sort like an identity layer of the Internet. You can confirm that that is actually the case. Once you’ve got these interlocking identities, it’s very hard to be deceptive.
But “deceptive” is precisely the adjective one might use to describe Elon Musk’s behaviour since taking over Twitter. He has duped millions of Twitter users into thinking of him as a champion of freedom of speech, as well as other equally important freedoms and rights, yet what he really wants is to create his own “super app” that will give him access to unprecedented volumes of user data.
Musk’s plans have drawn inevitable comparisons, including from Musk himself, with the We Chat super app in China, which has a staggering 1.3 billion monthly users and can be used for a myriad of daily activities, from reading the news to chatting with friends, to hailing rides, to paying bills and taxes. But as Tech Crunch noted in 2022, while “a super app might bring convenience to users as they hardly need to leave the platform — which in turn helps drive revenues for the company — …the model can stifle competition and rule out user choices.”
Musk’s plans for X are likely to be unattainable anyway, largely due to the fierce competition he would face from other tech giants that “already have a stronghold in their sectors and control over user data.” Meanwhile, a backlash of sorts has begun brewing on the platform Musk wants to use as an accelerant for his “everything” app, particularly among libertarian users for whom Musk is — or at least was until recently — a hero. After days of silence, the tech mogul finally tweeted: “I will investigate this.”
This response — whether genuine or not — appears to have set off jitters in Israel. The Israeli tech news site Calcalistech warns that Musk’s refusal to reject outright the allegations against AU10TIX “only strengthens them and raises the fear that Musk will act to satisfy the anti-Israel users and stop the engagement with AU10TIX.” Such an outcome could have “devastating potential not only for the company but for all Israeli companies that deal with cyber protection and information security issues, as it will make them all suspicious and may ignite an extensive campaign to stop contracting with them on the part of large technology companies.”
