The European Commission slapped social networking company X with a €120 million ($140 million) fine last week for what it says was a lack of transparency with its European users.
The fine, the first ever penalty under the EU’s landmark Digital Services Act, addressed three specific violations with allocated penalties.
The first was a deceptive blue checkmark system. X touted this feature, first introduced by Musk when he bought Twitter in 2022, as a way to verify your identity on X. However, the Commission accused it of failing to actually verify users. It said:
“On X, anyone can pay to obtain the ‘verified’ status without the company meaningfully verifying who is behind the account, making it difficult for users to judge the authenticity of accounts and content they engage with.”
The company also blocked researchers from accessing its public data, the Commission complained, arguing that it undermined research into systemic risks in the EU.
Finally, the fine covers a lack of transparency around X’s advertising records. Its advertising repository doesn’t support the DSA’s standards, the Commission said, accusing it of lacking critical information such as advertising topic and content.
This makes it more difficult for researchers and the public to evaluate potential risks in online advertising according to the Commission.
Before Musk took over Twitter and renamed it to X, the company would independently verify select accounts using information including institutional email addresses to prove the owners’ identities. Today, you can get a blue checkmark that says you’re verified for $8 per month if you have an account on X that has been active for 30 days and can prove you own your phone number. X killed off the old verification system, with its authentic, notable, and active requirement, on April 1, 2023.
An explosion in imposter accounts
The tricky thing about weaker verification measures is that people can abuse them. Within days of Musk announcing the new blue checkmark verifications, someone registered a fake account for pharmaceutical company Eli Lilly and tweeted “insulin is free now”, tanking the stock over 4%.
Other impersonators verifying fake accounts at the time targeted Tesla, Trump, and Tony Blair, among others.
Weak verification measures are especially dangerous in an era where fake accounts are rife. Many people have fallen victim to fake social media accounts that scammers set up to impersonate legitimate brands’ customer support.
Musk, who threatened a court battle when the EC released its preliminary findings on the investigation last year, confirmed that X deactivated the EC’s advertising account in retaliation, but also called for the abolition of the EU.
This isn’t the social media company’s first tussle with regulators. In May 2022, before Musk bought it, Twitter settled with the FTC and DoJ for $150 million over allegations that it used peoples’ non-public security numbers for targeted advertising.
There are also other ongoing DSA-related investigations into X. The EU is probing its recommendation system. Ireland is looking into its handling of customer complaints about online content.
What comes next
X has 60 working days to address the checkmark violations and 90 days for advertising and researcher access, although given Musk’s previous commentary we wouldn’t be surprised to see him take the EU to court.
Failure to comply would trigger additional periodic penalties. The DSA allows fines up to 6% of global revenue.
Meanwhile, the core problem persists: anyone can still buy a ‘verified’ checkmark from X with extremely weak verification. So if anyone with a blue checkmark contacts you on the platform, don’t take their authenticity for granted.
We don’t just report on threats – we help protect your social media
Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.