I doubt it's currently illegal, but I don't think it's impossible to make it illegal. Accessing the API enough to prove a flaw and report it is one thing. Getting 17 million PII records over the space of 60 days is orders of magnitude beyond that.
Especially given that things like GDPR and and the CCPA are drawing clear boundaries around private data and how companies can use it, it shouldn't be impossible to make laws that regulate how third parties access and use that data.
I'd also hope that Twitter faces regulatory penalties and perhaps civil liability depending on the harm done.
Especially given that things like GDPR and and the CCPA are drawing clear boundaries around private data and how companies can use it, it shouldn't be impossible to make laws that regulate how third parties access and use that data.
I'd also hope that Twitter faces regulatory penalties and perhaps civil liability depending on the harm done.