Twitter’s former head of security, Peiter “Mudge” Zatko, has blown the whistle on the company's alleged “extreme, egregious deficiencies” in user privacy, cybersecurity and platform moderation, according to Whistleblower Aid, a nonprofit legal organization in Washington, D.C., representing Zatko.
The report was filed with the Securities and Exchange Commission, the Federal Trade Commission, the Department of Justice and Congressional committees. The Washington Post and CNN first reported on the documents after obtaining them from sources in Congress.
In the documents published by The Washington Post, Zatko alleges that company employees have “wide-ranging and poorly tracked internal access to core company software,” an issue that allowed a Florida teen to gain access to high-profile users in 2020.
Additionally, the complaints level the accusation that the company repeatedly made false and misleading statements to users and the FTC about the platform’s security, privacy and integrity.
Zatko was recruited personally by former CEO Jack Dorsey, starting at the company in November 2020. Dorsey stepped down a year later, appointing Parag Agrawal as the new CEO. Zatko was terminated in January 2022.
Twitter spokesperson Rebecca Hahn told The Washington Post that these allegations are “riddled with inaccuracies,” and claims “Mr. Zatko was fired from Twitter more than six months ago for poor performance and leadership, and he now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.”
Twitter’s security troubles
In July 2020, a teenager was able to get inside Twitter’s system and issue tweets from notable figures like Elon Musk, Bill Gates, Jeff Bezos, Joe Biden and Barack Obama, encouraging followers to send Bitcoin to a wallet, according to The New York Times.
To gain access, a 17-year-old from Tampa tricked employees into providing their login information, and some had high-level access to the site, per Wired. This attack was especially shocking given their past promises of upgrading security and user personal information.
In 2010, the FTC compelled Twitter to establish an independently audited information security program following other high-profile breaches, saying that “serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account.”
Zatko, in his report to the FTC, alleges that Twitter violated the terms of this settlement, and made false claims about the security plan in place, according to The Washington Post. He has also accused the company of misleading its directors and users, specifically when quantifying the number of fake and spam accounts on the platform.
The report states that “deliberate ignorance was the norm amongst the executive leadership team.” Zatko’s team cited an internal source, who indicated that “if accurate measurements ever became public, it would harm the image and valuation of the company.”
Who is ‘Mudge’?
Dorsey brought Zatko onboard after the incident in 2020, where he was made responsible for a wide array of departments such as information security, content moderation and privacy, per CNN.
Zatko had previously worked in senior roles at Google, Stripe and the U.S. Department of Defense. He was formerly the head of the cyber security mission at the Defense Advanced Research Projects Agency.
In the 1990s he was one of the leaders of a hacking group called the Cult of the Dead Cow alongside Beto O’Rourke, pulling the infamous stunt of handing out CDs that had the tools to hack Windows, in an effort to get Microsoft to improve its security, per Reuters.
Renee Rush, who worked with Zatko at DARPA and came out of retirement to join him at Twitter, told The Washington Post “He goes between worlds, and he has a vision he can execute. That’s a unicorn.”
Potential consequences
Jon Leibowitz, former chair of the FTC during Twitter’s 2011 charges, said the company could be liable for large penalties, “billions of dollars in new fines for Twitter if it’s found to have violated its legal obligations,” per CNN.
Leibowitz added that he thinks “the FTC should very seriously consider not just fining the corporation but also putting the executives responsible under order.” He admits that a violation might be far-fetched.
CNN also reports that some Twitter sources have said Zatko’s allegations are inaccurate due to misunderstandings around the company’s FTC obligations and the company’s level of compliance.
In an interview with The Washington Post, Zatko said “I joined Twitter because it’s a critical resource to the world,” and he believes it's his ethical responsibility to bring this information to light. “I want to finish the job Jack brought me in for, which is to improve the place.”