When Peiter Zatko, the famed hacker better known as Mudge, got the job as Twitter’s head of security in November 2020, Internet archivist Jason Scott tweeted, “you have my full support for leaving after burning the place down.”
Zatko may have done just that, if not in that order. Several months after being fired by CEO Parag Agrawal, Zatko told the Securities and Exchange Commission (SEC) that Twitter did essentially nothing to improve its terrible security, the very reason Zatko was hired in the first place, and that the company has a pattern of lying to or misleading the government, investors and Elon Musk.
Twitter did not address Zatko’s specific allegations in a statement to Recode, but said generally that they were inaccurate and that Zatko was a disgruntled former employee whose timing is “opportunistic.”
“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” a Twitter spokesperson said. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security that is full of inconsistencies and inaccuracies and lacks important context.”
The Musk-related claims could draw more attention, given the eccentric billionaire’s high profile and the ongoing controversy over his attempt to buy (and then not buy) Twitter. They are listed relatively high in the SEC complaint that was leaked to the Washington Post and CNN on Tuesday, and some of the claims Zatko makes directly address allegations Musk has made to try to get out of his $44 billion deal. Musk has said that fake accounts, or spam bots, make up a much larger share of Twitter’s user base than the company claimed, and that Twitter is therefore not worth what he initially agreed to pay. Twitter disagrees, saying Musk is simply looking for a reason to get out of the deal. The company sued Musk to force him to complete the acquisition. The trial is scheduled to begin on October 17.
But those claims might be the least of Twitter’s worries about the leak. Zatko portrays Twitter as a company that lacks the motivation and ability to protect its users and protect itself from security breaches, while misleading investors and government agencies.
Here are some of the allegations that Twitter should be more concerned about than whatever Musk is tweeting about bot accounts.
The accusation that Twitter misled the Federal Trade Commission
Zatko alleges that Twitter violated a 2011 FTC consent order that required the company to implement certain security protocols. Zatko says Twitter has never complied with that order and probably never will. He claims this has put the company (and its users’ data) at risk of security breaches like the one in 2020 that was the impetus for his hiring.
The FTC is investigating these claims, and things could get very expensive for Twitter if they are found to be true; just look at Facebook’s unprecedented $5 billion payment for violating an FTC consent order. It would also make Twitter a repeat offender: the company recently agreed to pay $150 million for asking users for information for security purposes and then using it to target ads at them. The FTC does not take kindly to repeat offenders.
The claim that foreign government agents were working for Twitter and had access to user information, and Twitter knew it
One of Zatko’s most alarming revelations is that Twitter hired Indian government agents, who would have had broad access to user data because the company had never taken the basic step of limiting how many employees could reach that data. The complaint says Twitter executives knew both that too many employees had access to too much and that Indian government agents were working for the company, but did nothing in response. It also says the US government told Twitter that at least one of its employees was working on behalf of a foreign intelligence agency, which the complaint does not name.
If true, it wouldn’t be the first time Twitter has been infiltrated by people working for a foreign government, possibly to gather information about dissidents or rivals. A Saudi citizen was recently convicted of infiltrating Twitter to spy on users who were critical of the Saudi government, for which he was paid by an adviser to Crown Prince Mohammed bin Salman. Another former Twitter employee accused of spying for Saudi Arabia fled the country before he could be arrested.
The accusation that Jack Dorsey checked out and was replaced by the worst CEO in history
This may come as no surprise to anyone who has seen the company’s founder and then-CEO’s laconic appearances before Congress in recent years, but Zatko says Dorsey was largely absent from Twitter while Zatko worked there. Dorsey “was experiencing a drastic loss of focus in 2021,” the complaint says, attending few meetings and barely participating in the ones he did come to. Zatko says that this made it difficult for him to do his job and that he had no support in the “herculean effort” that was fixing Twitter. Dorsey was apparently working from a private island in French Polynesia when the decision was made to ban President Trump from the platform. He left Twitter at the end of 2021.
Agrawal is now the CEO of Twitter and apparently the object of Zatko’s wrath. The complaint repeatedly accuses Agrawal of failing to improve Twitter’s security and privacy, trying to hide Twitter’s problems from investors and the board of directors, and failing to give Zatko the support and resources Zatko believed he needed to do the job for which he was hired. Although Dorsey was the CEO for most of Zatko’s tenure at Twitter, he can largely shrug off the report. Agrawal may not be able to escape its consequences.
The accusation that Twitter has long failed to follow basic security practices
Throughout the complaint, Zatko says the company refused to implement some basic security measures, even though it counted among its users some of the most powerful and important people in the world. That has led, Zatko says, to security breaches, including the one that led to his hiring: a teenager was able to gain access to some of the platform’s most prominent accounts, used them to tweet bitcoin scams, and ultimately stole about $120,000 worth of cryptocurrency from victims. The hacker got in by tricking Twitter employees into giving up their credentials, showing how lax Twitter apparently was in limiting and controlling which employees could act on high-profile accounts.
Unsurprisingly, this claim has gotten most of the attention from members of Congress so far, most, if not all, of whom are Twitter users themselves. According to the Washington Post, some lawmakers have already met with Zatko or plan to in the near future. Expect Zatko to testify before committees, as Facebook whistleblower Frances Haugen did after her revelations (Zatko and Haugen both used Whistleblower Aid, a nonprofit legal aid firm, to facilitate their complaints and represent them). What’s unclear is what lawmakers can do beyond sending angry letters or holding committee hearings, since Congress hasn’t passed a federal privacy law. The SEC and FTC, on the other hand, may already be preparing their cases against Twitter for allegedly misleading shareholders and consumers.
As for Musk, he has responded to the news with several tweets, among them an illustration of Jiminy Cricket from Pinocchio singing “Give a Little Whistle”; a screenshot from the Washington Post article saying Twitter had internal spam and bot numbers it didn’t share with investors; and several tweets consisting of a lone emoji, including a monocle face and a crying-laughing face.
Musk’s lawyer told the Washington Post that Zatko has already been subpoenaed for the Musk-Twitter trial.
Musk’s joy may be premature. If he loses the battle and is forced to buy Twitter, he will not only get a company that is already worth far less than the price he agreed to pay for it. He’ll also get a company that, if Zatko’s allegations are true, is riddled with internal and external problems that someone will have to fix and answer for.