A former Twitter security chief has alleged the company misled regulators about its cybersecurity defenses, privacy protections and ability to detect and root out fake accounts, pitcher complaint claims alert filed with US officials.
The revelation could create serious legal and financial problems for the social media platform, which is currently trying to force Tesla CEO Elon Musk to complete his $44 billion bid to buy the company.
Peiter Zatko, Twitter’s chief security officer until his firing earlier this year, filed complaints last month with the US Securities and Exchange Commission, Federal Trade Commission and Justice Department. The nonprofit Whistleblower Aid, which works with Zatko, confirmed the authenticity of a redacted copy of the complaint posted online by The Washington Post.
“It was a last resort for him,” John Tye, the group’s co-founder and chief disclosure officer, said in an interview Tuesday. He said Zatko had exhausted all attempts to resolve his issues at the company before he was fired in January.
One of Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had stricter measures in place to protect the security and privacy of its users. Zatko also accuses the company of deception involving its handling of “spam” or fake accounts, an allegation that is central to the Musk case. attempt to withdraw from the Twitter takeover.
Shares of Twitter Inc. slid 5.6% on Tuesday.
Better known by his hacker name “Mudge”, Zatko is a highly respected cybersecurity expert who first rose to prominence in the 1990s and later held senior positions at the Pentagon’s Defense Advanced Research Agency and to Google.
He joined Twitter at the behest of then-CEO Jack Dorsey in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders. , celebrities and tech moguls, including Musk, in an attempt to scam their subscribers in bitcoin.
Twitter said in a prepared statement Tuesday that Zatko was fired for “ineffective leadership and poor performance” and said “the allegations and opportunistic timing appear designed to draw attention to and harm Twitter, its customers and its customers.” shareholders”. The company called its complaint a “false narrative” that is “tricked with inconsistencies and inaccuracies and lacks significant context.”
Zatko’s attorneys, Debra Katz and Alexis Ronickher, said Twitter’s claim about his poor performance was false and he repeatedly raised concerns about “totally inadequate information security systems” with senior executives and the board of directors of Twitter. The lawyers said that in late 2021, after the board received “whitewashed” information about these security issues, Zatko escalated his concerns, “clashed” with CEO Parag Agrawal and the board member Omid Kordestani and was fired two weeks later.
The 84-page complaint describes a broken corporate culture at Twitter that lacked effective leadership and where Zatko said top leaders practiced “willful ignorance” of pressing issues. His description of Dorsey’s leadership style is particularly scathing, saying the Twitter founder was “extremely disengaged” in the final months of his tenure as CEO to the point that he wouldn’t even speak in meetings about the complex issues facing him. the company faces.
Zatko said he heard colleagues say Dorsey would be silent for “days or weeks.” Dorsey announced he was stepping down as CEO of Twitter in November 2021.
The disclosure says Twitter has not offered any monetary incentives to improve the security and integrity of the platform, although the company last year offered $10 million in bonuses to senior executives who could generate revenue. short-term user growth.
Among Zatko’s accusations of cybersecurity malpractice: software and security updates were disabled on more than a third of employee computers – unduly exposing them to malware – and it was common for people install “any software they wanted on their work systems”. Such failures are generally considered deadly sins in cybersecurity.
Whistleblower Aid said it was legally prohibited from sharing Zatko’s statement. The same group worked with former Facebook employee Frances Haugen, who testified in Congress last year after leaking internal documents and accusing the social media giant of choosing profit over safety.
“I wouldn’t say he’s happy to have to be a whistleblower, but he’s adamant in his decision,” Tye said. “And committed to getting to the bottom of it.”
A spokeswoman for the US Senate Intelligence Committee, Rachel Cohen, said the committee had received Zatko’s complaint and was working to schedule a meeting “to discuss the allegations in more detail.” We take this matter seriously.
Sen. Dick Durbin, a Democrat from Illinois, said in a prepared statement that if the claims are accurate, “they may show dangerous privacy and data security risks for Twitter users around the world.”
Among the most alarming complaints is Zatko’s allegation that Twitter knowingly allowed the Indian government to place its agents on the company’s payroll where they had “direct and unsupervised access to corporate systems and data.” enterprise users.
A 2011 FTC complaint noted that Twitter’s systems were full of highly sensitive data that could allow a hostile government to find precise location data for specific users and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California to transmit sensitive data of Twitter users to members of the royal family of Saudi Arabia in exchange for bribes.
The complaint said that Twitter was also heavily dependent on funding from Chinese entities and that Twitter was concerned that the company was providing information to these entities that would allow them to learn the identities and sensitive information of Chinese users who covertly use Twitter. which is officially banned in China.
Zatko also describes Twitter executives’ willful ignorance of counting the millions of accounts that are automated “spam bots” or have no value to advertisers because there is no one behind them.
Alex Spiro, an attorney representing Musk in his effort to walk away from his deal to acquire Twitter, said the attorneys issued a subpoena for Zatko. “We found his release and that of other key employees curious in light of what we found,” Spiro wrote in an email Tuesday. Spiro said Zatko and Musk have not been in contact at any time this year.
Tye said “he’s never met Elon Musk. Doesn’t know Elon Musk. They know people in common. When asked if mutual friends might have shared information about Twitter bot issues with Musk , Tye said Zatko “has not communicated with any other parties about his disclosures” since the complaints were filed in July.
AP business writer Tom Krisher contributed to this report.