Twitter’s former security chief says company lied about bots and security

Twitter has hidden negligent security practices, misled federal regulators about its security and misjudged the number of bots on its platform, according to testimony from the company’s former head of security, the legendary hacker turned cybersecurity expert Peiter “Mudge” Zatko. The explosive allegations could have huge ramifications, including federal fines and the possible unraveling of Elon Musk’s bid to buy Twitter.

Zatko was fired by Twitter in January and claims it was in retaliation for his refusal to remain silent about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) accusing Twitter of misleading shareholders and violating an agreement it signed with the Federal Trade Commission (FTC) to enforce certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published this morning in edited form.

In an interview with CNN, Zatko said he joined Twitter in 2020 at the request of then-CEO Jack Dorsey, right after the company was hit by a massive hack that compromised accounts of figures like Barack Obama, Bill Gates and Kanye West. Zatko says he joined Twitter because he believes the platform is a “critical resource” to the world, but he became disillusioned with CEO Parag Agrawal’s refusal to address the company’s many security concerns.

“This would never be my first step, but I believe I still live up to my obligation to Jack and to the users of the platform,” Zatko told The Washington Post about his decision to become a whistleblower. “I want to finish the job Jack hired me to do, which is to improve the place.”

Zatko’s disclosures to the SEC contain many damning reports and allegations, but these are some of the most significant:

  • Random access. An important part of Twitter’s vulnerability is that too many employees have access to critical systems, Zatko said in his complaint. It states that about half of Twitter’s roughly 7,000 full-time employees have access to users’ sensitive personal data (such as phone numbers) and internal software (to change how the service works), and that access is not closely monitored. He also claims that thousands of laptops contain full copies of Twitter’s source code.
  • Mislead the FTC. In 2010, Twitter settled charges with the FTC that it had failed to protect consumers’ personal information, an important and early example of government regulators reining in Big Tech. Zatko’s complaint alleges that Twitter has repeatedly made “false and misleading statements” to users and the FTC, and has violated this agreement.
  • Ignore bots. Twitter has repeatedly claimed that less than 5 percent of its monetizable daily active users are bots, fake accounts, or spam. Zatko’s complaint says that Twitter’s method of measuring this figure is misleading, and that executives are incentivized (with bonuses of up to $10 million) to increase the number of users rather than remove spam bots.
  • Government agents. Twitter is an important tool for sharing news and organizing protest, making it a ripe target for governments looking to tackle dissent. Zatko’s complaint states that he believes the Indian government forced Twitter to hire a government agent, who then “had access to massive amounts of sensitive Twitter data”.
  • Can’t delete. The complaint alleges that Twitter has in the past failed to delete users’ data when requested, because such data is too widely distributed across internal systems to be properly tracked. A current employee told The Washington Post that the company has just completed a project known as Project Eraser to ensure that user data is properly deleted.

In response to Zatko’s complaint, Twitter has accused its former head of security of sensationalizing and selectively presenting information. A spokesperson told CNN:

“Mr. Zatko was fired from his senior executive role at Twitter more than six months ago due to poor performance and ineffective leadership. While we have not had access to the specific allegations referenced, what we have seen so far is a story about our privacy and data security practices that are fraught with inconsistencies and inaccuracies, and lacking important context. Mr. Zatko’s accusations and opportunistic timing appear to be designed to draw attention and harm Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter, and we still have a lot of work ahead of us.”

Zatko’s allegations are explosive and will have a significant effect on the company. The FTC is currently investigating the complaint, according to sources quoted by The Washington Post, and would likely impose significant fines on Twitter if Zatko’s allegations turn out to be true.

The complaint will also affect the ongoing battle between Tesla CEO Elon Musk and Twitter. Musk is currently trying to free himself from a $44 billion deal to buy the company, justifying the decision with an accusation that Twitter is lying about the true number of bot and spam accounts on the platform. While it’s not clear whether Zatko’s complaint affects Musk’s legal argument, it will certainly bolster public perception of his case, which is based on the accusation that Twitter is undercounting its bots.

Shreya Christina (http://ukbusinessupdates.com)