A federal judge ruled Wednesday that users of X, formerly Twitter, can move forward with a class-action complaint over a security vulnerability that allegedly exposed the personal information of 200 million users.
The decision, issued by U.S. District Court Magistrate Judge Kandis Westmore in the Northern District of California, comes in a lawsuit brought last year by New York resident Stephen Gerber, and later joined by two other users of the social media platform.
"Twitter knowingly ignored dangerous inadequacies in its data security infrastructure," the users alleged, adding that the company "falsely represented that it would protect plaintiffs' and the class' personally identifiable information and protect their privacy interests."
The security flaw allegedly existed between June 2021 and January 2022, before Tesla CEO Elon Musk purchased the company.
The complaint included claims that X was negligent, and that it violated representations to protect users' privacy and data.
Gerber said in the complaint that he used a pseudonym on Twitter "in order to protect his identity so that he could express himself and his thoughts on Twitter without fear of retribution, retaliation or embarrassment."
He added that had he known that Twitter would allow personal information to be exposed "he either would not have provided his email address or other identifying information to Twitter or he otherwise would not have used Twitter at all."
X argued the case should be dismissed at an early stage of the proceedings for several reasons, including that its terms of service attempted to disclaim liability by providing: "Your access to and use of the Services or any Content are at your own risk."
Westmore rejected that argument, ruling that the disclaimer was unenforceable given the allegations that X knew of problems with its security and failed to address them. But the judge also suggested that the disclaimer could give X grounds to seek to limit any monetary damages in the matter.
The judge threw out some of the claims in the complaint -- including a claim that X beached its terms of service -- but said the plaintiffs could move forward with other claims, including allegations that X was negligent, and that it violated an implied promise to safeguard users' personal information.
"Twitter's user agreement provides how defendant would or would not use plaintiffs' user data and how plaintiffs could control their data's disclosure," Westmore wrote.
"Twitter made numerous representations regarding the security and privacy of plaintiffs' user data, including its representation that it is 'committed to protecting the information you share with us,'" Westmore continued, adding that the plaintiffs signed up for the service with the understanding that it would protect their personal information.