Former Twitter executive and hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko filed a complaint with the Securities and Exchange Commission (SEC) alleging Twitter deceived shareholders and lied to the Federal Trade Commission (FTC) about its security standards.
The allegations include that Twitter hid negligent security practices, misled regulators about its safety, and failed to properly estimate the number of bots on its platform. That last one may grab the attention of anyone who has paid close attention to the ongoing legal spat between Elon Musk and Twitter.
Zatko told CNN in an interview that he joined Twitter in 2020 at the behest of Jack Dorsey, the company’s CEO at the time. This happened right after the massive Twitter hack that compromised accounts belonging to public figures and companies, such as Barack Obama, Bill Gates, Jeff Bezos, Apple, Uber, and more. In the interview, Zatko said he joined Twitter because he believes it is a “critical resource” for the world, but he became disillusioned after Twitter’s current CEO, Parag Agrawal, refused to tackle the company’s security issues.
Speaking to The Washington Post (via The Verge), Zatko said his decision to turn whistleblower came from a desire to “finish the job Jack brought me in for” and to fulfill his obligations to Twitter users.
Highlights from Zatko’s SEC disclosures
Zatko’s complaint to the SEC includes several reports and accusations, but The Verge highlighted some of the biggest allegations:
- Indiscriminate access: Zatko claims too many Twitter employees have access to critical systems and users’ sensitive personal data. Zatko puts the number at around half of the company’s 7,000 full-time employees. Moreover, Zatko says thousands of laptops contain complete copies of Twitter’s source code.
- Lying to the FTC: Zatko alleges that Twitter repeatedly made “false and misleading statements” to users and the FTC, violating an agreement from its 2010 settlement with the FTC over a failure to protect consumers’ personal information.
- Bot problems: Zatko said the method Twitter uses to measure the number of bots, fake accounts, or spam on the platform is misleading and that the company incentivizes executives with bonuses of up to $10 million USD (about $13 million CAD) to boost user counts rather than remove spam bots.
- Government agent: Zatko alleged that the Indian government forced Twitter to hire a government agent who then had “access to vast amounts of Twitter sensitive data.”
- Failure to delete data: Finally, Zatko’s complaint states Twitter previously failed to delete users’ data after deletion was requested because records were spread so widely across internal systems that they could not be properly tracked. However, it’s worth noting a current employee told The Washington Post that the company recently completed ‘Project Eraser’ to ensure proper deletion of user data.
Zatko’s allegations are explosive and could have significant impacts on Twitter. The Washington Post noted the FTC is currently reviewing the complaint; if the allegations are proven true, they could result in significant fines against Twitter.
Similarly, The Verge notes the complaint will likely affect the ongoing court battle between Elon Musk and Twitter. Musk is trying to get out of an agreement to purchase Twitter on the basis that the company lied about the number of bots and spam accounts on the platform. It remains unclear whether Zatko’s allegations will help Musk’s legal argument, considering he signed an agreement to buy Twitter and the agreement doesn’t include an out for “oh no, there are too many bots!” Instead, Zatko’s claims will more likely affect public perception of Musk’s legal case.
Twitter, unsurprisingly, wasn’t a fan of the allegations and claimed they were “riddled with inconsistencies and inaccuracies” in a statement to CNN:
“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago. While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”