Skip to main content

Consent Isn’t the Only Consideration: NY Comic Con Attendees Disagree that Hijacking Twitter Accounts Makes the Event “100x cooler! For realz.”

Written by Jake Romero

The comic book industry is no stranger to displays of heroic anger and berserker rage, but over the weekend New York Comic Con (NYCC) was on the receiving end of considerable fan fury after it began ghostwriting effusive tweets about NYCC and posting on the Twitter pages of NYCC attendees in a way that made it appear as though the attendee was the author of the tweet.

During the event registration process, NYCC attendees were given the option of linking RFID badges to their Twitter account through the event’s mobile application interface.  During the application registration process, attendees were asked to authorize NYCC to access their Twitter accounts.  At this point, attendees arguably consented to having NYCC impersonate the attendee when posting about NYCC on the attendee’s Twitter feed.

The NYCC website page explaining the ID badge technology and the site’s registration page did not mention that NYCC would be posting to attendee Twitter pages on the attendee’s behalf.  Rather, the registration process is explained as a method for giving the attendee access to enhanced social media content, while helping NYCC protect against fraudulent credentials.  The activation terms provided that NYCC could use the information collected through the badge “for internal purposes” and to contact the user about future events.  After a user registered his or her badge and elected to link a Twitter account, the user was presented with an opt-in notice (a screenshot of which can be seen here), specifying that following authorization, the application would be able to, among other things, “post Tweets for you”.  This type of warning is not uncommon.  For example, any website that allows users to click to share news articles or stories on their Twitter pages requires this type of access.

In spite of the opt-in warning, the wide-spread surprise among attendees suggests that the opt-in language did not draw a clear distinction between posting tweets for a user and posting tweets as a user.  Moreover, the failure to mention this practice when explaining the registration process could have led attendees to conclude that even if they were agreeing to provide this type of access, NYCC would not be taking the unusual step of pretending to be the attendee when it published tweets on the user’s page.

NYCC’s initial response was a brief tweet telling attendees not to “fret” over the ghostwritten posts and informing attendees that the “opt-in feature” had been disabled.  However, after anger continued to spread, NYCC issued a longer statement apologizing for any “perceived overstep.”

This type of disconnect between online service providers and users is becoming increasingly common as advances in technology permit mobile device and social media data to be accessed and used in new ways.  Earlier this year, for example, Jay-Z and Samsung stepped into a public relations debacle when the “JAY Z Magna Carta” mobile application required that the user, in exchange for receiving a free music download, authorize the application to have extensive access to phone data and social media accounts. The response from NYCC attendees also underscores the lesson learned by Google earlier this month, that consent provided by users who do not fully understand what they are consenting to may not be consent at all.

As your online business finds new and innovative ways to deliver products and services to your users, it is important to take a step back and consider whether additional communications in different formats, such as just-in-time notifications, are necessary to ensure that the only surprise your customers have is how great your products and services are.   Or, to put it another way, “with great power comes great responsibility.”

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.