When Peiter Zatko, the famous hacker better known as Mudge, got the job as Twitter’s chief of security in November 2020, Internet archivist Jason Scott tweeted, “you have my full support for walking away after the place is set on fire.”
Zatko may have done just that, if not quite in that order. A few months after he was laid off by CEO Parag Agrawal, Zatko blew the whistle on the company, telling the Securities and Exchange Commission (SEC) that Twitter was essentially doing nothing to improve its terrible security — the reason for hiring Zatko in the first place — and that the company has a pattern of lying to or misleading the government, investors and Elon Musk.
Twitter did not address Zatko’s specific allegations in a statement to Recode, but said in general that they were incorrect and that Zatko was a disgruntled former employee whose timing is “opportunistic.”
“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” a Twitter spokesperson said. area of privacy and data security, which is fraught with inconsistencies and inaccuracies and in which there is no significant context.”
Musk’s claims may be getting the most attention given the high profile of the eccentric billionaire and the ongoing controversy over his bid to buy (then not buy) Twitter. They rank relatively high in the SEC complaint sent to the Washington Post and CNN on Tuesday, and some of the claims Zatko is making are directly consistent with the allegations Musk has made to try to get out of his $44 billion deal. Musk has said that fake accounts, or spam bots, make up a much larger portion of Twitter’s user base than the company claimed, which is why Twitter isn’t worth what he originally wanted to pay for it. Twitter disagrees and says Musk is trying to find a reason to get out of the deal. The company sued Musk to force him to take over the company. The trial is scheduled to start on October 17.
But those claims are arguably the least of Twitter’s concerns related to the leak. Zatko portrays Twitter as a company that lacks the motivation and ability to protect its users and itself from security breaches, while misleading investors and government agencies alike.
Here are some of the allegations that should concern Twitter more than what Agrawal tweets about bot accounts.
The claim that Twitter cheated on the Federal Trade Commission
Zatko claims that Twitter has violated a 2011 FTC consent order requiring the company to implement certain security protocols. Zatko says Twitter never has and probably never will. He claims that the company (and its users’ data) is at risk of security breaches like the one in 2020 that prompted Zatko’s hiring.
The FTC is reportedly investigating those claims, and things could get very expensive for Twitter if they turn out to be true — just look at Facebook’s unprecedented $5 billion payout for violating an FTC consent order. It would also make Twitter a repeat offender; the company recently agreed to pay $150 million for requesting user information for security purposes and then using it to target ads at those users. The FTC won’t take kindly to that.
The claim that foreign government agents worked for Twitter and had access to user information — and Twitter knew it
One of Zatko’s more disturbing revelations is that Twitter employed Indian government agents, meaning they would have had a lot of access to data because the company hadn’t put in place basic measures to restrict that access for many employees. The complaint says Twitter executives knew that too many employees were accessing too much and that Indian government officials were working for the company, but did not act on it. It also says the US government told Twitter that at least one of its employees was working on behalf of a foreign intelligence agency, which is not named in the complaint.
If true, it wouldn’t be the first time Twitter has been infiltrated by people working for a foreign government, possibly to gather information about dissidents or rivals. A Saudi Arabian citizen was recently convicted of infiltrating Twitter to spy on users critical of the Saudi Arabian government, work for which he was paid by an adviser to Crown Prince Mohammed bin Salman. Another former Twitter employee accused of spying for Saudi Arabia fled the country before he could be arrested.
The accusation that Jack Dorsey checked out and was replaced by the worst CEO ever
This may not come as a surprise to anyone who has seen the company founder and then-CEO’s laconic appearances before Congress in recent years, but Zatko says Dorsey was mostly absent from Twitter while Zatko worked there. Dorsey “experienced a drastic loss of focus in 2021,” the complaint says, attending few meetings and hardly participating in the meetings he did attend. Zatko says this made it difficult for him to do his job and that he had no support in the “herculean effort” of fixing Twitter. Dorsey was reportedly working from a private island in French Polynesia when the decision was made to ban President Trump from the platform. He retired from Twitter at the end of 2021.
Agrawal is now the CEO of Twitter and seemingly the object of Zatko’s wrath. The complaint repeatedly accuses Agrawal of failing to improve Twitter’s security and privacy, trying to hide Twitter’s problems from investors and the board of directors, and failing to provide Zatko with the support and resources he needed to do what he was hired to do. Although Dorsey was the CEO for most of Zatko’s tenure at Twitter, in the report he gets off easy. That may not protect him from any consequences of this leak.
The claim that Twitter has not followed basic security practices for a long time
Throughout the complaint, Zatko says the company refused to implement some basic security measures, even though it counted some of the most powerful and important people in the world among its users. This has led to security breaches, Zatko argues, including the one that led to his hiring: A teenager was able to access some of the most high-profile accounts on the platform and then use them to tweet bitcoin scams, eventually stealing $120,000 worth of victims’ cryptocurrency. That hacker gained access by tricking Twitter employees into giving up their passwords, demonstrating how lax Twitter apparently was about restricting and controlling access to high-profile accounts.
Unsurprisingly, this claim has so far attracted the bulk of attention from members of Congress, most if not all of whom are Twitter users themselves. According to the Washington Post, some lawmakers have already met or plan to meet with Zatko in the near future. Expect Zatko to testify before committees, just as Facebook whistleblower Frances Haugen did after her revelations (Zatko and Haugen both used Whistleblower Aid, a nonprofit legal aid organization, to facilitate their complaints and represent them). What isn’t clear is what lawmakers can do besides sending angry letters or holding committee hearings, since Congress hasn’t passed federal privacy laws. The SEC and FTC, on the other hand, may already be preparing their cases against Twitter for allegedly misleading shareholders and consumers.
As for Musk, he has responded to the news with several tweets, including an illustration of Jiminy Cricket singing “Give a Little Whistle” in Pinocchio; a screenshot of the Washington Post article that said Twitter had internal spam and bot numbers it didn’t share with investors; and several tweets consisting of a single emoji, including a monocle face and a crying-laughing face.
Musk’s lawyer told the Washington Post that Zatko has already been subpoenaed in the Musk-Twitter trial.
Musk’s glee may be premature. If he loses his battle and is forced to buy Twitter, he’s not just getting a company that’s already worth much less than the price he was willing to pay. He will also have a company that, if Zatko’s claims are true, will be full of internal and external problems that someone will have to solve – and account for.