According to testimony from the company’s former head of security, the legendary hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko, Twitter has concealed negligent security practices, misled federal regulators about its safety, and failed to properly estimate the number of bots on its platform. The explosive allegations could have far-reaching consequences, including federal fines and the demise of Tesla CEO Elon Musk’s bid to acquire Twitter.
Twitter fired Zatko in January, a dismissal he says was in retaliation for his refusal to keep quiet about the company’s vulnerabilities. He filed a complaint with the Securities and Exchange Commission (SEC) last month, accusing Twitter of deceiving shareholders and violating a security agreement it made with the Federal Trade Commission (FTC). CNN and The Washington Post obtained his complaints, which totaled more than 200 pages, and published them in redacted form this morning.
In an interview with CNN, Zatko stated that he joined Twitter in 2020 at the request of then-CEO Jack Dorsey, shortly after the company was hit by a massive hack that compromised accounts belonging to figures such as Barack Obama, Bill Gates, and Kanye West. Zatko claims he joined Twitter because he believes it is a “critical resource” for the world, but he was disillusioned by CEO Parag Agrawal’s refusal to address the company’s numerous security flaws.
“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to platform users,” Zatko said of his decision to become a whistleblower. “I want to complete the task that Jack assigned to me, which is to improve the place.”
According to Zatko’s complaint, a significant part of Twitter’s vulnerability is that too many employees have access to critical systems. It claims that roughly half of Twitter’s 7,000 or so full-time employees have access to sensitive personal data (such as phone numbers) and internal software (to change how the service operates), and that this access is not closely monitored. He also claims that thousands of laptops contain full copies of Twitter’s source code.
In 2010, Twitter agreed to settle FTC charges that it had failed to protect consumers’ personal information — a significant and early example of government regulators reining in Big Tech. According to Zatko’s complaint, Twitter has made “false and misleading statements” to users and the FTC on numerous occasions, in violation of this agreement.
Twitter has repeatedly stated that bots, fake accounts, and spam account for less than 5% of its monetizable daily active users. According to Zatko’s complaint, Twitter’s method of calculating this figure is deceptive, and executives are incentivized (with bonuses of up to $10 million) to increase user counts rather than remove spam bots.
Twitter is an important tool for spreading news and organizing protests, making it an easy target for governments looking to suppress dissent. According to Zatko’s complaint, the Indian government compelled Twitter to hire a government agent, who then had “access to vast amounts of Twitter sensitive data.”
According to the complaint, Twitter has previously failed to delete users’ data when requested because such records are spread too thinly across internal systems to be properly tracked. According to a current employee, the company recently completed a project known as Project Eraser to ensure proper deletion of user data.
The allegations made by Zatko are explosive and will have a significant impact on the company. According to sources cited by The Washington Post, the FTC is currently reviewing the complaint and would likely levy significant fines against Twitter if Zatko’s accusations are proven to be true.
The complaint will also have an impact on Musk’s ongoing feud with Twitter. Musk is currently attempting to back out of a $44 billion deal to buy the company, citing allegations that Twitter is lying about the true number of bot and spam accounts on the platform. “We have already issued a subpoena for Mr. Zatko,” said Alex Spiro, Musk’s lawyer, in a statement, “and we found his exit and that of other key employees curious in light of what we have been finding.”
Although it is unclear whether Zatko’s complaint will affect Musk’s legal argument, it will undoubtedly strengthen public perception of his case, which is based on the claim that Twitter undercounts its bots.