Twitter’s former security chief claimed the company misled regulators about its poor cybersecurity protections and its negligence in trying to root out fake accounts that spread misinformation, according to a whistleblower complaint filed with U.S. officials.
The revelation could create serious legal and financial problems for the social media platform, which is currently trying to force Tesla CEO Elon Musk to follow through on his $44 billion offer to buy the company. Several members of Congress on Tuesday called on regulators to investigate the claims.
Peter Zatko, who served as Twitter’s security chief until he was fired earlier this year, filed complaints last month with the US Securities and Exchange Commission, the Federal Trade Commission and the Justice Department. Whistleblower Aid, a legal nonprofit that works with Zatko, confirmed the authenticity of a redacted copy of the complaint posted online by the Washington Post.
“It was a last resort for him,” John Tye, the group’s co-founder and director of disclosures, said in an interview Tuesday. He said Zatko had exhausted all attempts to resolve his problems within the company before he was fired in January.
Among Zatko’s most serious allegations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had taken stronger measures to protect the security and privacy of its users. Zatko also accuses the company of fraud related to the handling of “spam” or fake accounts, an allegation that underlies Musk’s attempt to abandon the Twitter takeover.
Shares of Twitter Inc. fell by more than 7% on Tuesday.
Better known by his hacker name “Mudge,” Zatko is a highly respected cybersecurity expert who first rose to prominence in the 1990s and later held senior positions at the Pentagon’s Defense Advanced Research Projects Agency and Google.
He joined Twitter at the urging of then-CEO Jack Dorsey in late 2020, the same year the company suffered a nasty security breach involving hackers who compromised the Twitter accounts of world leaders, celebrities and tech moguls, including Musk, in an attempt to scam their followers out of bitcoin.
Twitter said in a prepared statement Tuesday that Zatko was fired for “ineffective leadership and poor performance” and said “the allegations and opportune timing appear designed to attract attention and harm Twitter, its customers and shareholders.” The company called his complaint a “false narrative” that is “riddled with inconsistencies and inaccuracies and lacks important context.”
Zatko’s attorneys, Debra Katz and Alexis Ronickher, said Twitter’s allegation of poor performance is false and that he had repeatedly raised concerns about “grossly inadequate information security systems” with Twitter’s senior executives and board of directors. The lawyers said that in late 2021, after the board received “whitewashed” information about those security concerns, Zatko escalated his concerns, “conflicted” with CEO Parag Agrawal and board member Omid Kordestani and was fired two weeks later.
The 84-page complaint describes Twitter’s broken corporate culture, which lacks effective leadership and where, according to Zatko, senior executives practiced “willful disregard” for pressing issues. His description of Dorsey’s leadership style is particularly scathing; he described the Twitter founder as “extremely disengaged” in the final months of his tenure as CEO, to the point where he didn’t even speak up during meetings about the complex issues facing the company.
Zatko said he heard from colleagues that Dorsey would be silent for “days or weeks.” Dorsey announced in November 2021 that he would step down as CEO of Twitter.
The disclosure said Twitter offered no cash incentives to improve the security and integrity of the platform, although last year the company offered $10 million in bonuses to top executives who could create short-term user growth.
Among Zatko’s allegations of cybersecurity lapses were that software and security updates were disabled on more than a third of employees’ computers — leaving them excessively exposed to malware — and that people often installed “any software they wanted on their work systems.” Such failures are generally considered cardinal sins in cybersecurity.
Whistleblower Aid said it was legally unable to release Zatko’s statement. The same group worked with former Facebook employee Frances Haugen, who testified before Congress last year after internal documents leaked and accused the social media giant of choosing profits over security.
“I wouldn’t say he’s happy about becoming a whistleblower, but he’s firm in his decision,” Tye said. “And trying to figure it out.”
US Senate Intelligence Committee spokeswoman Rachel Cohen said the committee had received Zatko’s complaint and was working to arrange a meeting “to discuss the allegations in more detail. We take this issue seriously.”
Sen. Dick Durbin, D-Illinois, said in a prepared statement that if the allegations are true, “they could reveal dangerous data privacy and security risks for Twitter users around the world.”
Among the most troubling complaints is Zatko’s claim that Twitter knowingly allowed the Indian government to place its agents on the company’s payroll, where they had “direct, unsupervised access to company systems and user data.”
A 2011 FTC complaint noted that Twitter’s systems were full of highly sensitive data that could allow a hostile government to track down specific users’ precise location data and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California of handing over sensitive data of Twitter users to members of the royal family in Saudi Arabia in exchange for bribes.
The complaint said that Twitter also depends heavily on funding from Chinese organizations and that there were concerns within Twitter that the company was providing those organizations with information that could reveal the identities and confidential details of Chinese users who secretly use Twitter, which is officially prohibited in China.
Zatko also describes a willful disregard by Twitter executives for counting the millions of accounts that are automated “spambots” or otherwise of no value to advertisers because no one is behind them. Zatko cited a “damning” external report from 2021 that found Twitter’s tools for combating bots were neither automated nor sophisticated enough, instead relying on people who “were not adequately staffed or resourced to address the problem of misinformation and misinformation”.
Alex Spiro, a lawyer representing Musk in his attempts to back out of the deal to buy Twitter, said lawyers have issued a subpoena for Zatko. “We found that his exit and the exit of other key employees were of interest in light of what we found,” Spiro wrote in an email Tuesday. Spiro said Zatko and Musk have not been in contact this year.
Tye said that “he has never met Elon Musk. Does not know Elon Musk. They know people in common.” Asked whether mutual friends might have shared information about the Twitter bot problems with Musk, Tye said Zatko “hasn’t shared his disclosures with anyone else” since filing the complaint in July.
AP writers Tom Krisher and Marcy Gordon contributed to this report.