Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Former Twitter Security Chief Files a Whistleblower Complaint Alleging Poor Security

August 24, 2022

Some days, you just can’t make up the news stories of the day. On August 23rd, the Washington Post reported (gift article) that former Twitter security chief Peiter ‘Mudge’ Zatko has alleged in a whistleblower complaint that Twitter misled regulators about its lax security and efforts to get rid of spam.

Zatko said that Twitter executives deceived federal regulators and the company’s own board of directors about “extreme, egregious deficiencies” in its defenses against hackers, as well as its limited efforts to fight spam.

Zatko portrays Twitter as a chaotic and leaderless company characterized by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.

Among the most serious accusations in the complaint is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld critical facts about the number of breaches and lack of protection for user data, choosing instead to present directors with rosy charts measuring unimportant changes.

The complaint, filed last month with the Securities and Exchange Commission and the Department of Justice, as well as the FTC, says thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.

Zatko also alleges the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam.

Chief Executive Parag Agrawal was “lying” when he tweeted in May that the company was “strongly incentivized to detect and remove as much spam as we possibly can,” the complaint alleges.

Zatko described his decision to go public as an extension of his previous work exposing flaws in specific pieces of software and broader systemic failings in cybersecurity. He was hired at Twitter by former CEO Jack Dorsey in late 2020 after a major hack of the company’s systems.

“I felt ethically bound. This is not a light step to take,” said Zatko, who was fired by Agrawal in January. He declined to discuss what happened at Twitter, except to stand by the formal complaint. Under SEC whistleblower rules, he is entitled to legal protection against retaliation, as well as potential monetary rewards.

A redacted version of the 84-page filing went to congressional committees. The Post obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill. Zatko is represented by the nonprofit law firm Whistleblower Aid. The FTC is reviewing the allegations, according to two people familiar with the preliminary inquiry. The Post interviewed more than a dozen current and former employees for this story, many of whom spoke on the condition of anonymity to discuss sensitive information.

“Security and privacy have long been top companywide priorities at Twitter,” said Twitter spokeswoman Rebecca Hahn. She said that Zatko’s allegations appeared to be “riddled with inaccuracies” and that Zatko “now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.” Hahn said that Twitter fired Zatko after 15 months “for poor performance and leadership.” Attorneys for Zatko confirmed he was fired but denied it was for performance or leadership.

Hahn added that Twitter has tightened up security extensively since 2020, that its security practices are within industry standards, and that it has specific rules about who can access company systems.

Regarding the allegations about spam and bots, Hahn said Twitter removes more than a million spam accounts every day, adding up to more than 300 million per year. Twitter pointed to its proxy statements noting that growing daily users is the smallest of three factors for earning cash bonuses, along with growing revenue and another financial goal.

A person familiar with Zatko’s tenure said the company investigated Zatko’s security claims during his time there and concluded they were sensationalistic and without merit. Four people familiar with Twitter’s efforts to fight spam said the company deploys extensive manual and automated tools to both measure the extent of spam across the service and reduce it.

During his first year as Twitter’s head of security, Peiter Zatko commissioned an outside firm to examine how the company dealt with government propaganda and other misinformation and to suggest ways to do better. The firm, which sources identified as Alethea Group, produced the report identifying staff shortages and a system formed by lurching from crisis to crisis.

After terminating Peiter Zatko, Twitter asked him to spell out his concerns with the company’s security so that it could investigate. This document, attached as an exhibit to this month’s whistleblower complaint, was the result.

Zatko’s complaint says strong security should have been much more important to Twitter, which holds vast amounts of sensitive personal data about users. Twitter has the email addresses and phone numbers of many public figures, as well as dissidents who communicate over the service at great personal risk.

This month, an ex-Twitter employee was convicted of using his position at the company to spy on Saudi dissidents and government critics, passing their information to a close aide of Crown Prince Mohammed bin Salman in exchange for cash and gifts.

Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.

Senate Intelligence Committee spokeswoman Rachel Cohen said the committee is trying to set up a meeting with Zatko to discuss the complaint in detail.

“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Charles E. Grassley (R-Iowa), the top Republican on the Senate Judiciary Committee, said in a statement. His office has had discussions with Zatko about the allegations. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”

The old adage? “Where there is smoke, there is fire.” Though there is much investigative work to be done, I am betting that the proverb is true here.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson