When Peiter Zatko, the famous hacker better known as Mudge, got the job of Twitter security chief in November 2020, internet archivist Jason Scott tweeted, “You have my full support for leaving after setting the place on fire.”
Zatko may have done just that, if not quite in that order. Several months after being fired by CEO Parag Agrawal, Zatko denounced the company, telling the Securities and Exchange Commission (SEC) that Twitter basically did nothing to improve its terrible security — the reason for hiring Zatko in the first place — and that the company has a pattern of lying or misleading the government, investors and Elon Musk.
Twitter didn’t address Zatko’s specific allegations in a statement to Recode, but generally said they weren’t accurate and that Zatko was a disgruntled former employee whose timing is “opportunistic.”
“Mr. Zatko was terminated from his senior position at Twitter in January 2022 for ineffective leadership and poor performance,” a Twitter spokesperson said. “What we have seen so far is a false narrative about Twitter and our privacy and data security practices which is riddled with inconsistencies and inaccuracies and lacks important context.”
Musk’s claims may draw the most attention, given the eccentric billionaire’s notoriety and the lingering controversy over his attempt to buy (and then not buy) Twitter. They are placed relatively high in the SEC complaint that was disclosed to the Washington Post and CNN Tuesday, and some of Zatko’s claims directly address accusations Musk made to try to get out of his $44 billion deal. Musk said fake accounts, or spam bots, make up a much larger share of Twitter’s user base than the company claims, and therefore Twitter isn’t worth what he originally agreed to pay for it. Twitter does not agree, saying Musk is trying to find a reason to pull out of the deal. The company sued Musk to force him to acquire the company. The trial is scheduled for October 17.
But those claims might be the least of Twitter’s leak-related worries. Zatko describes Twitter as a company that lacks the motivation and ability to protect itself and its users from security breaches, while deceiving investors and government agencies.
Here are some of the claims Twitter should be more worried about than what Agrawal tweets about bot accounts.
The allegation that Twitter misled the Federal Trade Commission
Zatko alleges that Twitter violated a 2011 FTC Consent Order requiring the company to implement certain security protocols. Zatko says Twitter has never been in compliance with that order and likely never will be. He claims this put the company (and its users’ data) at risk from security breaches like the one in 2020 that was the impetus for hiring Zatko.
The FTC is reportedly looking into these claims, and things could get very costly for Twitter if they turn out to be true – just look at Facebook’s unprecedented $5 billion payout for violating an FTC consent order. It would also make Twitter a repeat offender; the company recently agreed to pay $150 million for requesting information from users for security purposes and then using it to target advertisements to them. The FTC won’t look kindly on this.
The claim that agents of foreign governments worked for Twitter and had access to user information – and Twitter knew it
One of Zatko’s most alarming revelations is that Twitter employed Indian government agents, meaning they would have had wide access to user data because the company failed to take basic steps to limit that access for many employees. The complaint says Twitter executives knew too many employees had access to too many things and that Indian government agents worked for the company, but did nothing in response. It also says the US government told Twitter that at least one of its employees worked for a foreign intelligence agency, which is not named in the complaint.
If true, it wouldn’t be the first time Twitter has been infiltrated by people working for a foreign government, perhaps to gather information on dissidents or rivals. A Saudi national was recently sentenced for infiltrating Twitter to spy on users who were critical of the Saudi government, for which he was paid by an adviser to Crown Prince Mohammed bin Salman. Another former Twitter employee accused of spying for Saudi Arabia fled the country before he could be arrested.
The accusation that Jack Dorsey checked out and was replaced by the worst CEO ever
This may come as no surprise to anyone who has watched the company’s founder and then-CEO’s laconic appearances before Congress over the past few years, but Zatko says Dorsey was mostly absent from Twitter while Zatko worked there. Dorsey “experienced a drastic loss of focus in 2021,” the complaint states, attending few meetings and barely participating in those he attended. Zatko says it made it difficult for him to do his job and he had no support in the “Herculean effort” that was fixing Twitter. Dorsey was reportedly working from a private island in French Polynesia when the decision was made to ban President Trump from the platform. He resigned from Twitter at the end of 2021.
Agrawal is now the CEO of Twitter, and apparently the object of Zatko’s ire. The complaint repeatedly accuses Agrawal of failing to improve Twitter’s security and privacy, of trying to hide Twitter’s problems from investors and the board, and of not giving Zatko the support and resources that Zatko felt he needed to do the job he was hired to do. Although Dorsey was the CEO for most of Zatko’s Twitter tenure, he gets off easy in the complaint. That may not protect him from the fallout of this leak.
The allegation that Twitter failed to follow basic security practices for a long time
Throughout the complaint, Zatko claims the company has refused to implement certain basic security measures, even though it counts some of the most powerful and important people in the world among its users. This led, according to Zatko, to security breaches, including the one that led to his hiring: a teenager was able to gain access to some of the platform’s most prominent accounts and then use them to tweet bitcoin scams, ultimately stealing $120,000 worth of cryptocurrency from the victims. The hacker gained access by tricking Twitter employees into giving up their passwords, showing how apparently lax Twitter was when it came to limiting and controlling access to high-level accounts.
Unsurprisingly, this claim has so far captured the bulk of the attention of members of Congress, most if not all of whom are Twitter users themselves. According to the Washington Post, some lawmakers have already met with Zatko or plan to do so in the near future. Expect Zatko to testify before committees, much as Facebook whistleblower Frances Haugen did following her disclosures (both Zatko and Haugen used Whistleblower Aid, a nonprofit legal aid organization, to facilitate and represent their complaints). What is unclear is what lawmakers can do beyond sending angry letters or holding committee hearings, as Congress has so far failed to pass federal privacy laws. The SEC and FTC, on the other hand, may already be preparing their cases against Twitter for allegedly misleading shareholders and consumers.
As for Musk, he responded to the news with several tweets, including an illustration of Jiminy Cricket, who sings “Give a Little Whistle” in Pinocchio; a screenshot of the Washington Post article saying that Twitter had internal spam and bot numbers that it didn’t share with investors; and several tweets containing a single emoji, including one monocle face and one crying-laughing face.
Musk’s lawyer told the Washington Post that Zatko has already been subpoenaed for the Musk-Twitter lawsuit.
Musk’s joy could be premature. If he loses his battle and is forced to buy Twitter, he won’t just get a company that’s already worth much less than the price he agreed to pay for it. He’ll also get a company that, if Zatko’s claims are true, is plagued with internal and external issues that someone will need to address – and respond to.