Former Twitter security chief blows whistle on lax practices

Peiter Zatko has accused the company of ‘deliberate ignorance’ regarding the site’s spam accounts and of allowing an Indian government agent to work at Twitter.

Twitter's former security chief has filed a complaint with several government agencies claiming that the company has misled regulators about the platform's security [File: Dado Ruvic/Reuters]

Twitter’s former security chief Peiter Zatko has accused the social media giant of misleading government regulators about cybersecurity practices and prioritising growth over cracking down on spam accounts.

Zatko filed an 84-page complaint last month with several government agencies, alleging that Twitter had falsely claimed to have a strong security plan and that half of the company’s servers relied on software that was outdated and vulnerable to hackers.

The whistleblower document alleged Twitter prioritised user growth over reducing spam. Executives stood to win individual bonuses of as much as $10m tied to increases in daily users, as per the complaint, and nothing explicitly for cutting spam.

Whistleblower Aid, which represents Zatko, said he stands by everything in his disclosure. It also confirmed the authenticity of the disclosure as published on the Washington Post website. The Washington Post and CNN were the first to publish the story.

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” Twitter said in a statement.

Zatko, also known as “Mudge”, is a well-known cybersecurity expert who first joined Twitter in 2020 after the company suffered a substantial security breach that damaged its reputation. He was fired in January.

Among the more disturbing allegations are claims by Zatko that the Indian government pushed Twitter to put a government agent on the company’s payroll. Zatko claims that Twitter did so, and that the agent would have had access to sensitive user data.

The Indian government, helmed by the far-right Hindu nationalist Narendra Modi, has been criticised for cracking down on dissent and perceived political rivals in recent years.

A 2011 FTC complaint noted that Twitter’s systems were full of highly sensitive data that could allow a hostile government to find precise geo-location data for a specific user or group and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California of passing along sensitive Twitter user data to royal family members in Saudi Arabia in exchange for bribes.

The complaint said Twitter was also heavily reliant on funding from Chinese entities and that there were concerns within Twitter that the company was providing information to those entities that would enable them to learn the identity and gain access to sensitive information of Chinese users who secretly use Twitter, which is officially banned in China.

The revelations came as Twitter is entangled in a lawsuit with Elon Musk, the CEO of Tesla who announced in July that he was terminating a previous agreement to acquire Twitter for $44bn. Zatko’s lawyers have said that he began the process of making his concerns public before Musk had expressed interest in buying the company.

Musk alleged that Twitter had failed to provide proof that bots did not make up a sizable portion of Twitter users. Twitter denied those claims and has launched a lawsuit to force Musk to go through with the deal. The trial is set to move forward on October 17.

Twitter’s stock value decreased by about 4 percent on Tuesday, and lawyers representing Zatko, who was fired by Twitter earlier this year for what the company called “ineffective leadership and poor performance”, have confirmed that he stands by his allegations.

Alex Spiro, a lawyer representing Musk in his lawsuit with Twitter, has said that Musk’s legal team have subpoenaed Zatko. Musk hinted at the revelation on Tuesday, taking to Twitter to post a meme captioned “Give a little whistle.”

The whistleblower’s assertions that Twitter displayed “deliberate ignorance” by counting millions of spam accounts as legitimate users on the site could serve as a potential boon to Musk’s claims that the value of the site was artificially inflated by high numbers of spam accounts.

Zatko filed the complaint last month with the US Securities and Exchange Commission (SEC) and the Department of Justice (DOJ), as well as the Federal Trade Commission (FTC), according to the Washington Post.

The complaint was also sent to congressional committees, and the US Senate Intelligence Committee has said it is taking the allegations seriously.

Senator Dick Durbin, the top Democrat on the Senate Judiciary Committee, said in a statement on Tuesday that the allegations “may show dangerous data privacy and security risks for Twitter users around the world” if they are accurate.

The committee’s top Republican, Chuck Grassley, also voiced concerns.

“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” he said in a tweet Tuesday.

Source: Al Jazeera and news agencies