Twitter’s new boss is waging war on bots. How he gets it done may offer lessons for GRC professionals.
The Twitterverse was recently abuzz with commentary about #KYH. The hashtag began trending following a cryptic tweet by Elon Musk stating that, upon taking over ownership of Twitter, he would “authenticate all real humans.” What did he mean? Presumably, he will be waging war on scammers and bots.
In GRC parlance, KYC stands for know your customer and is used to describe banks and other regulated entities’ obligations to perform due diligence on their customers to mitigate the risk of money laundering. It is also part of the broader concept of reputational due diligence that all sorts of companies perform to protect themselves from various risks, ranging from fraud and corruption risk to other environmental, social and governance (ESG) risks.
In the aftermath of Musk’s tweet about authentication, many are making comments on social media beyond just Twitter. Some of these are people familiar with the concept of KYC. And while we will not attempt to figure out exactly what Musk meant by his tweet — if we knew we would not need to speculate — the impetus for authentication is a natural and obvious response to the threats arising from deception.
To defraud is to deceive
Let us remember that deception is an integral element of the legal definition of fraud. And we deal with attempted deception every day. It is not an overly bold statement to say that anyone with a phone or a laptop these days gets spam calls from spoofed phone numbers and phishing emails from spoofed email addresses. And while these activities often target commercial and governmental organizations, deceptive behavior can also take the form of obscured or opaque ownership (e.g., shell companies).
Most have seen, or perhaps been inundated with, news that centers on such deception. For example, sanctions against Russian oligarchs in response to the continued invasion of Ukraine are clearly complicated by the widespread practice of hiding assets in various ways to avoid scrutiny or seizure.
Or perhaps we are aware of attempts to obscure the origin of goods or services, like cotton produced through the use of Uyghur Muslim forced labor in Xinjiang, China, or the blending of Russian oil at sea with oil from other sources. Those of us in the anti-corruption business have also long been aware of the frequent use of intermediaries, many of which are shell or nominee-fronted companies, to facilitate bribery of foreign government officials. And don’t ignore discussions around misinformation and gaslighting in American civil debate, which itself may have become an oxymoron.
Thus, the concept of reputational due diligence. Financial institutions, government agencies and corporations seek to assess the risk of their business partners and can benefit from using truly cutting-edge technology. The combination of robust data sources and artificial intelligence like natural language processing, among others, can help identify whether a proposed business partner, be it a vendor, raw material supplier, or customer: (a) exists, (b) is reputable (or not) and/or (c) presents risks in areas like environmental responsibility, forced labor, cybersecurity or fraud and corruption.
A less deceptive Twitter
Ironically, social media is only a data source for such diligence, used typically only to corroborate more authoritative sources or as a risk indicator. Still, if Musk’s intention is to police his site to remove its bots, as fraud and risk professionals, we can applaud his actions.