Former Twitter Head of Security Peiter “Mudge” Zatko filed a complaint last month to the US Securities and Exchange Commission, accusing the company of misleading US regulators and shareholders regarding “extreme, egregious deficiencies” in information security, user privacy and misinformation.
The complaint was also sent to the Senate Judiciary and Intelligence committees, who are also expected to conduct their own investigations.
Zatko is a well-regarded hacker who was hired last year by Twitter founder Jack Dorsey to fix platform security after a series of high profile security breaches.
Under SEC whistleblower rules, he is eligible to receive legal protection against retaliation, and payments equal to 10% to 30% of the fines collected if the information provided is helpful for a law enforcement action.
The SEC is known to be responsive to whistleblower tips, and to start investigations . Zatko is represented by the nonprofit law firm Whistleblower Aid.
A redacted version of the 84-page filing went to congressional committees.
The complaint arrives just weeks ahead of Twitter’s legal battle in Delaware with Tesla founder Elon Musk, who is trying to get out of his $44 billon contract to buy the company, accusing the company of drastically misrepresenting the number of bot (robot) and fake accounts on its platform. If proven, Mr Musk’s allegation should allow him to withdraw his take-over big without penalty. Mr. Zatko’s complaint echoes much of the allegations of Mr. Musk against Twitter. A five-day nonjury trial is set to begin in October.
Mr. Zatko’s decision to publicize his complaint is unusual for SEC whistleblowers, who usually prefer secrecy, except when it can create public and political pressure for an investigation.
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” said Sen. Dick Durbin (D. Ill.), the chairman of the Judiciary Committee.
“I will continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations.”
A Twitter spokeswoman said Mr. Zatko’s complaint was rife with “inconsistencies and inaccuracies and lacks important context.”
Twitter Not Secure?
Zatko’s complaint accuses Twitter of being seriously negligent regarding platform security, and says security should be much more important for a company that holds vast amounts of sensitive personal data about users. One of the most serious accusations in the complaint is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission (FTC). According the Zatko, the company knowingly deceived US regularly by falsely claiming it maintain rigorous platform security.
In 2011, Twitter reached an agreement with the FTC to implement strict security, including limiting the number of employees with access to its key security and privacy controls. This is after a notorious security breach in 2009 during which hackers were able to gain administrative control, and reset passwords, access user data and send unauthorized tweets, including from the account of President-elect Barack Obama. The 2011 agreement with the FTC required the company to implement a 20-year order to implement a comprehensive security program, which would be subject to independent audits. According to the FTC agreement, Twitter is also prohibited from “misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information,”
In May 2022, the FTC and Justice Department said that Twitter had violated the 2011 agreement by falsely claiming to users it was collecting their personal information for security reasons, when in reality it was using that information to sell ads to them over the past decade or so. Twitter paid $150 million in civil penalty to resolve the claims. The fine also forbids the company from misrepresenting the security of user data.
The allegations in Zatko’s complaint suggest that the security problems at Twitter are much worse than the regulators are aware, and there continue to be major deficiencies in what the company was doing to meet its legal obligations.
Twitter could face major penalties if Zatko’s allegations prove to be true.
“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Charles E. Grassley (R-Iowa), the top Republican on the Senate Judiciary Committee, said in a statement. His office has had discussions with Zatko about the allegations. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further”, said Senate Intelligence Committee spokeswoman Rachel Cohen.
Just this month, an ex-Twitter employee was convicted of using his company position to spy on Saudi dissidents and government critics in exchange for cash and gifts.
Zatko’s complaint also alleges that the Indian government forced Twitter to hire one of its agents, and give him access to user data at a time when there were major protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence.
Twitter Rife With Spam and Fake Accounts?
Echoing Elon Musk’, Mr Zatko’s complaint also alleges that Twitter misrepresents the actual number of users by only counting monetizable daily users, or MDAU which are accounts that are thought to view advertising , rather than all total daily users. The complaint says: “There are many millions of active accounts that are not considered ‘mDAU,’ either because they are spam bots, or because Twitter does not believe it can monetize them,”
“These millions of non-mDAU accounts are part of the median user’s experience on the platform.”
Those claims could undermine Twitter’s legal battle with Mr. Musk, whom the company is suing to enforce a $44 billion takeover deal. Mr. Musk has accused Twitter of misrepresented the number of spam or bot accounts. Twitter denies the allegation.
In his complaint, Zatko cites a “sensitive source” who said Twitter was afraid to determine that number because it “would harm the image and valuation of the company.”
“Agrawal’s Tweets (Twitter CEO) and Twitter’s previous blog posts misleadingly imply that Twitter employs proactive, sophisticated systems to measure and block spam bots,” the complaint says.
“The reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams.”
The complaint also alleges that the company prioritized user growth over reducing spam, and Twitter executives are systematically rewarded with individual bonuses of of as much as $10 million for increasing the number of daily users. There are no monetary rewards for cutting spam.
For Zatko’s complaint to lead to an enforcement action, the SEC would need to prove that that omitted or misleading information was presented as material to shareholders, and could influence a decision to buy or sell.
A joint statement from House Energy and Commerce Committee Chair Rep. Frank Pallone Jr. (D., N.J.) and Rep. Cathy McMorris Rodgers (R., Wash.) said that the “are alarming and reaffirm the need for Congress to pass comprehensive national consumer privacy legislation to protect Americans’ online data,”
Many are calling the FTC to take a tough stand against Twitter.
“These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public,” Sen. Richard Blumenthal (D., Conn.) said in a letter Tuesday to FTC Chairwoman Lina Khan.
“Taken together, Zatko’s allegations, the DOJ and FTC complaints, and the repeated security incidents illustrate a company that prioritizes profit over users and has allowed a culture of impunity to reign supreme,” said Sen. Ed Markey (D., Mass.) in a letter to the FTC and Justice Department.
“I strongly urge the federal government to investigate Zatko’s claims and, if necessary, take strong and swift action against Twitter to ensure Twitter user data is properly protected.”
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Sen. Dick Durbin (D., Ill.), chairman of the Judiciary Committee, said in a statement.