The aftermath of the Twitter epilepsy attack

Twitter has taken actions to prevent attacks with strobing images on people with epilepsy. Are these actions sufficient?

Twitter has taken actions to prevent attacks with strobing images on people with epilepsy.

November was National Epilepsy Awareness Month in the United States. Last November indeed saw a greater awareness of epilepsy, but most likely because of a scandalous attack: Internet trolls on Twitter used flashing animated images, and tagged the Epilepsy Foundation, to harm people by causing epileptic seizures.

How the attack worked

Epilepsy, a neurological disorder, is characterized by recurrent epileptic seizures. Every year more than 100,000 people die because of epilepsy. One of its common variants is photosensitive epilepsy, in which seizures can be triggered by flickering lights, and the attack targeted people with this form of epilepsy.

Twitter users can post not only short text messages, but also images, videos, and animated images as well. The latter comes in two flavors: GIF and animated PNG (APNG). The two file types are largely the same, differing mainly in image quality and color depth, but in this case, the attackers took advantage of APNGs’ ability to bypass Twitter’s autoplay settings.

Registered Twitter users can choose if they want GIFs and videos to start playing as soon as the media appears in their feeds. Users with epilepsy may turn off autoplay specifically to avoid animated content that could trigger a seizure, but until recently the setting did not apply to APNGs, which started playing automatically no matter what.

Abusing APNGs was the core idea of the troll attack. According to CNN’s report, more than 30 accounts posted tweets with strobing images, tagging the Epilepsy Foundation and copying its hashtags. The images were mostly APNGs, so they started playing — and strobing — automatically. And during national awareness month, more people than usual were following the Epilepsy Foundation account and hashtags. Quite a few likely had photosensitive epilepsy.

After the attack

In the month that followed, a lot happened.

  • Many major media outlets covered the attack, making 2019’s National Epilepsy Awareness Month a month of awareness indeed.
  • The Epilepsy Foundation filed a criminal complaint and requested an investigation in response to the attack. We have yet to see where the story will go, but it’s hard to disagree that the attack aimed to cause serious and widespread harm.
  • For its part, Twitter made some tweaks to the platform, trying to prevent such attacks from happening again. First and foremost, the platform banned APNGs. Second, Twitter now prevents GIFs from appearing when someone searches for “seizure.”

Is banning APNGs enough?

The steps Twitter took were certainly helpful for preventing such attacks from happening in the future, but they may not be enough. And it is actually up to Twitter to do more.

According to the Epilepsy Foundation, many people do not know that they have photosensitive epilepsy until they have a seizure. However, Twitter’s autoplay setting is active by default, which means that for users who are unaware either of their own epilepsy or of Twitter’s autoplay settings, GIFs and videos still play automatically, even if they contain strobing lights. That’s dangerous.

In addition to that, people who are not logged in to their Twitter accounts or who aren’t registered with Twitter don’t have any option at all. With autoplay on by default, if someone sends you a link to a tweet with animated images, they will play automatically.

Last year’s attack serves as yet another reminder that our physical and digital worlds are not separate. They merged long ago, and digital things affect people’s health (and not only our own biology; we’ll be covering the ecological impacts of our digital world soon as well) just as physical things have.

People with photosensitive epilepsy do not go to nightclubs, where avoiding strobing lights would be impossible. Many movies and video games display a warning about strobing lights that may cause seizures. It would be nice to have something like that on the Internet as well, but unfortunately, we’re not there yet.

Can you protect yourself?

We’re not medical consultants here at Kaspersky, so our main suggestion for people who have, or suspect they have, epilepsy is to consult a specialist. As for Twitter, here’s what you can do:

  • Disable autoplay. To do that, go to Settings and privacy in your Twitter account, select Accessibility, choose Autoplay, and select Never. You will still be able to see videos and animated GIFs, but they will start playing only after you click on them.
  • Pay attention to privacy settings. To prevent people you don’t follow from sending you direct messages with unwanted content (such as strobing GIFs) in Twitter, go to Settings and privacy, choose Privacy and Safety and untick Receive messages from anyone.
  • If you want to consider leaving Twitter for good, check out our post on how to delete your Twitter account and back up your content. Keep in mind though, that if you get rid of your Twitter account but keep reading Twitter, you’ll be subject to default settings, with autoplay on.