A whistleblower disclosure alleging negligent cybersecurity practices at the company adds an explosive twist to Twitter's (NYSE: TWTR) ongoing disputes with regulators and Tesla CEO Elon Musk.
Former Twitter Head of Security Peiter Zatko, known as "Mudge" in the hacking world, has made damning allegations about the platform's security practices that, he says, could threaten the safety of its users, the country's national security, and democracy.
“Your whole conception of the world is made by what you are seeing, consuming online. And if you don’t have an understanding of what’s real and what’s not, yeah, I think this is pretty scary,” Zatko said in an interview with CNN.
In his disclosure, sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice, the whistleblower depicts the tech firm as a mismanaged company with lax restrictions on data access, led by management that conceals vulnerabilities from the board of directors.
Among the allegations in the disclosure, a copy of which was obtained by CNN and The Washington Post: that almost half of Twitter's employees have access to a trove of sensitive data; that the company misled regulators and its board about the data it deletes when a user cancels an account; and that it misled Musk about its ability to measure the prevalence of bots on its platform.
Zatko is being represented by Whistleblower Aid founder John Tye. The organization also represented Facebook Papers whistleblower Frances Haugen.
“We are in touch with the law enforcement agencies. They’re taking it seriously,” Tye said.
In response, a Twitter spokesperson asserted that "security and privacy have long been company-wide priorities at Twitter" but acknowledged that they "still have a lot of work ahead of [them]." The representative added that Zatko was fired in January 2022 for "poor performance and ineffective leadership."
“While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” the spokesperson relayed.
CEO Parag Agrawal reportedly sent an internal memo after the whistleblower piece hit the major headlines on Tuesday, saying “what we’ve seen so far is a false narrative.”
But the former executive believes he was removed for raising alarms about the company's security issues. He says tensions intensified after Agrawal, with whom Zatko had clashed over being asked to cherry-pick the security information he reported to the board, became chief executive in November 2021.
“This is not any kind of personal issue for him. He was eventually fired in January this year but he hasn’t given up on doing that job,” Tye explained.
“All Have Access”
Zatko has been a familiar face in cybersecurity since he testified before Congress on the subject in 1998.
“All my life, I’ve been about finding places where I can go and make a difference. I’ve done that through the security field. That’s my main lever,” Zatko said.
Former CEO Jack Dorsey brought Zatko in to Twitter after a massive hack in 2020 compromised the accounts of some of its most prominent users, including then-presidential candidate Joe Biden and former president Barack Obama. The attackers, some of them teenagers, reportedly got in by tricking Twitter employees into giving them access to the firm's internal systems.
That incident echoes one of the claims in Zatko's disclosure: that around half of Twitter's employees have "access to sensitive live production systems and user data," leaving the platform more exposed to both social-engineering attacks and insider misuse.
"So you've got an airplane and every passenger and the attendant crew all have access to the cockpit, to the controls. That's entirely unnecessary. It might be easy. But it's too easy, accidentally or intentionally, to turn the engine off," Zatko explained.
The same concern surfaced after the January 6, 2021 attack on the Capitol, when Zatko worried that a Twitter employee sympathetic to the rioters might try to manipulate the platform from the inside.
"[It] was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did… Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment," Zatko said.
The disclosure also alleged that Twitter may have foreign spies on its workforce, citing US government evidence that at least one employee was working for another country's intelligence agency.
“Foreign intelligence agencies have the resources to identify vulnerabilities that could have… effects across the platform, across the whole internet,” Tye added.
“Appetite to fix”
The disclosure also alleges that Agrawal misrepresented Twitter's security posture to the board. Zatko says the chief executive repeatedly discouraged full reporting on the platform's security health and instructed him to deliver a cherry-picked oral report rather than a detailed written one.
"Large tech companies need to know what the risks are. And they also need to have an appetite to go and fix it," Zatko noted in an interview. He also says management went behind his back to scrub a third-party consulting firm's report on the company's security problems.
The whistleblower further alleges that Twitter has "never been in compliance" with what the FTC has required of it since 2010, "a comprehensive information security program," imposed after a complaint to the agency over mishandling of users' private information and giving employees broad access to sensitive data.
Zatko defended his decision to blow the whistle, saying his aim is the security of the platform.
“Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission,” he added.
In response, Twitter pointed to its record of compliance with the FTC consent order, which predates Zatko's tenure at the company. It also said it has a policy restricting access to its data centers from employee devices running outdated software, and that it submits to regular audits by its internal security team and external parties.
“Prevalence of bots”
Zatko also alleges that Twitter lacks the resources to calculate the true number of bot accounts on its platform and has little incentive to do so. According to the disclosure, Twitter measures monetizable daily active users (mDAU), the accounts that can be shown an advertisement. Accounts that fall outside that definition, including suspected bots, are kept in a separate bucket and are not part of the count.
In its SEC filings, Twitter estimated that false or spam accounts "represented fewer than 5%" of mDAU. The whistleblower report argues that because this figure is measured against mDAU rather than the total number of accounts on the platform, it says nothing about the spam accounts in the excluded bucket, and so leaves the true prevalence of bots unknown.
While Twitter has been frank that it cannot put an exact number on bot accounts, Zatko argues that extending its measurement to produce a realistic estimate across all accounts would still be more useful. He contends that Twitter simply lacks the "appetite to properly measure the prevalence of bots" because the true number might hurt the company's valuation and image.
“The executive team, the board, the shareholders and the users all deserve an honest answer as to what it is that they are consuming as far as data and information and content… At least from my point of view, I want to invest in a company where I know what’s actually going on because I want to invest strategically in the long-term value of an organization,” he said.
The prevalence of bots is Musk's main stated reason for backing out of the Twitter buyout and the central issue in the resulting legal battle with the firm. Zatko's camp nevertheless insists the disclosure has nothing to do with the Tesla CEO's actions or plans.
“Absolutely not [carrying water for Musk]. We’ve been following the news just like everyone else. But that has nothing to do with [Mudge’s] decisions or with the content of what was sent to US law enforcement agencies,” Tye reasoned.
When reached for comment, Musk's legal counsel Alex Spiro said Musk's team has already "issued a subpoena for Mr. Zatko" in the hope of strengthening its case against Twitter. Musk's camp had earlier subpoenaed Dorsey, and challenged Agrawal to a public debate on bot data, in connection with the buyout deal.
It is also worth noting that Musk hired former SEC lawyer David Mister in December 2021, just weeks after Mister left the agency. The move allegedly violates 18 U.S. Code § 207, which restricts former executive-branch employees from aiding or advising parties in matters in which the government has a substantial interest.
Musk and Tesla have ongoing legal disputes with the SEC over the billionaire's public statements about material information concerning publicly traded stocks.
Twitter last traded at US$40.74 on the NYSE.
Information for this briefing was found via CNN. The author has no securities or affiliations related to this organization. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.