According to testimony from the company’s former head of security, the renowned hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko, Twitter has concealed careless security practices, misled federal regulators about its safety, and failed to accurately estimate the number of bots on its platform. The startling charges could have huge repercussions, including federal fines and the potential collapse of Elon Musk’s bid to acquire Twitter.
Twitter dismissed Zatko in January, and he alleges that this was punishment for his refusal to keep quiet about the company’s security flaws. Last month he filed a whistleblower complaint with the Securities and Exchange Commission (SEC) accusing Twitter of misleading shareholders and breaking a security standards agreement it has with the Federal Trade Commission (FTC). More than 200 pages of his complaint were obtained and released in redacted form this morning by CNN and The Washington Post.
In a CNN interview, Zatko said that he joined Twitter in 2020 at the request of then-CEO Jack Dorsey, just after the company had been hit by a major hack that exposed the accounts of celebrities like Barack Obama, Bill Gates, and Kanye West. Zatko says he joined Twitter because he considers the social media site a “vital resource” for the entire globe, but he soon lost hope when CEO Parag Agrawal refused to address the company’s numerous security flaws.
Explaining his decision to come forward as a whistleblower, Zatko told The Washington Post: “This would never be my first step, but I believe I am still fulfilling my duty to Jack and to users of the site. I want to complete the improvement project that Jack hired me to do.”
There are many damning allegations and claims in Zatko’s filings to the SEC, but these are some of the most important:
Unrestricted access. Zatko alleges that too many employees have access to critical systems, leaving Twitter seriously vulnerable. The complaint claims there is little oversight of the access that roughly half of Twitter’s 7,000 or more full-time employees have to users’ private information, including phone numbers, and to internal software that can change how the service functions. He also asserts that the full Twitter source code is present on thousands of laptops.
Deceiving the FTC. The 2010 settlement between Twitter and the FTC over allegations that it failed to secure users’ personal information was an important early instance of government regulators reining in Big Tech. According to Zatko’s complaint, Twitter has regularly made “false and deceptive assertions” to users and the FTC.
Undercounting bots. Twitter has repeatedly claimed that fewer than 5% of its monetizable daily active users are bots, fake accounts, or spam. According to Zatko’s complaint, Twitter’s method of calculating this figure is inaccurate, and executives are given incentives (bonuses of up to $10 million) to grow user counts rather than to remove spam bots.
Government agents. Twitter is a crucial platform for disseminating information and organizing demonstrations, making it a prime target for governments attempting to suppress dissent. According to Zatko’s complaint, he believes the Indian government pressured Twitter into hiring a government agent who then had “access to large amounts of Twitter sensitive data.”
Deletion failures. According to the complaint, Twitter has in the past failed to honor requests to delete user data because the records are spread too widely across internal systems to be tracked reliably. A current employee told The Washington Post that the company recently completed a project, called Project Eraser, to ensure thorough deletion of user data.
In response to Zatko’s complaint, Twitter has accused its former head of security of sensationalizing and selectively disclosing facts. A spokesperson told CNN:
Mr. Zatko was fired from his senior executive position at Twitter more than six months ago due to subpar performance and weak leadership. We haven’t had access to the exact allegations in question, but from what we’ve seen so far, the narrative about our privacy and data security policies is rife with contradictions and falsehoods, and it lacks crucial context. The accusations made by Mr. Zatko and his opportunistic timing seem to be intended to garner attention and harm Twitter, its users, and its stockholders. At Twitter, security and privacy have long been top concerns, but there is still plenty to be done.
Zatko’s charges are serious and are likely to have a major impact on the company. According to sources quoted by The Washington Post, the FTC is examining the complaint and, if Zatko’s allegations are confirmed, would probably impose hefty fines on Twitter.
The complaint will also bear on the ongoing dispute between Twitter and Tesla CEO Elon Musk. Musk is currently attempting to back out of a $44 billion deal to acquire the company, claiming that Twitter is lying about the actual number of bot and spam accounts on the platform. Although it is unclear how Zatko’s complaint will affect Musk’s legal defense, it will undoubtedly bolster public perception of his claim that Twitter is undercounting its bots.