Twitter is used by pretty much everyone, including the privacy focused. But some people still appear to have trouble using Twitter in conjunction with the anonymity network Tor.
Recently, several users—including a Tor developer—have reported being locked out of their accounts whilst using Tor, and have then been asked to provide a phone number to regain access.
“Twitter's security configuration seems to be at war with Tor,” someone who goes by the handle Tempest posted onto a Tor mailing list yesterday. “Had to do multiple resets over past 24 hours, only to see a perpetual 'lock' in place recently.”
The account was locked because the “account appears to have exhibited automated behavior that violates the Twitter Rules,” likely to do with spam, according to the complaint posted by Tempest.
“Twitter does not block Tor, and many Twitter users rely on the Tor network for the important privacy and security it provides,” Twitter spokesperson Nu Wexler told Motherboard in an email. “Occasionally, signups and logins may be asked to phone verify if they exhibit spam-like behavior. This is applicable to all IPs and not just Tor IPs.”
It also might not actually be necessary to provide a phone number to regain access. The coder known as stribika recently noted they got back in after messaging Twitter Support.
This certainly isn't the first time that Tor usage has clashed with popular services. Last year, a blog post from the Tor Project pointed out that plenty of sites make it difficult for users to connect or enjoy full functionality over a Tor connection, and this reporter temporarily had his Gmail account locked down for using the anonymity network.
That situation with Google was very similar to this Twitter one: Google asked for a phone number to send a verification code to. And again in that case, the account wasn't targeted specifically because it was using Tor, but rather that the email service's security system detected what it felt was suspicious behavior.
It's a tricky problem to solve: how does Twitter separate spam-looking activity from legitimate privacy centric users?