When Peiter Zatko, the famous hacker best known as Mudge, got the job heading up Twitter’s security in November 2020, internet archivist Jason Scott tweeted, “you have my full support to walk away after setting the place on fire.”
Zatko may have done just that, if not quite in that order. Several months after he was fired by CEO Parag Agrawal, Zatko blew the whistle on the company, telling the Securities and Exchange Commission (SEC) that Twitter did basically nothing to improve its terrible security — the reason for Zatko’s hiring in the first place — and that the company has a pattern of lying to or misleading the government, investors, and Elon Musk.
Twitter did not address Zatko’s specific allegations in a statement to Recode, but said generally that they weren’t accurate and that Zatko was a disgruntled former employee whose timing is “opportunistic.”
“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” a spokesperson for Twitter said. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”
The Musk claims might get the most attention, given the eccentric billionaire’s high profile and the continuing controversy over his attempt to buy (and then not buy) Twitter. They’re placed relatively high in the SEC complaint that was leaked to the Washington Post and CNN on Tuesday, and some of the claims Zatko makes deal directly with the accusations Musk has made to try to get out of his $44 billion deal. Musk has said that fake accounts, or spam bots, are a much larger slice of Twitter’s user base than the company claimed, and therefore Twitter isn’t worth what he originally agreed to pay for it. Twitter disagrees, saying Musk is trying to find a reason to get out of the deal. The company sued Musk to force him to acquire the company. That trial is scheduled to begin October 17.
But those claims might be the least of Twitter’s worries connected to the leak. Zatko portrays Twitter as a company that lacks the motivation and ability to protect its users and itself from security breaches, while misleading investors and government agencies alike.
Here are some of the allegations that Twitter should be more worried about than what Agrawal tweets about bot accounts.
The allegation that Twitter deceived the Federal Trade Commission
Zatko alleges that Twitter violated a 2011 FTC consent order requiring the company to implement certain security protocols. Zatko says Twitter has never been in compliance with that order and likely never will be. He claims that has put the company (and the data of its users) at risk of security beaches like the one in 2020 that was the impetus for Zatko’s hiring.
The FTC is reportedly looking into those claims, and things could get very expensive for Twitter if they’re found to be true — just look at Facebook’s unprecedented $5 billion payout for violating an FTC consent order. It would also make Twitter a repeat offender; the company recently agreed to pay $150 million for asking for users’ information for security purposes and then using it to target ads to them. The FTC will not look kindly on that.
The claim that foreign government agents worked for Twitter and had access to user information — and Twitter knew it
One of Zatko’s more alarming revelations is that Twitter employed agents of the Indian government, meaning they would have had a great deal of access to data because the company hadn’t taken basic measures to limit that access for many employees. The complaint says that Twitter executives knew that too many employees had access to too much and that Indian government agents worked for the company, but did nothing in response. It also says the US government told Twitter that at least one of its employees was working on behalf of a foreign intelligence agency, which isn’t named in the complaint.
If true, it wouldn’t be the first time Twitter has been infiltrated by people working for a foreign government, possibly to collect information on dissidents or rivals. A Saudi Arabian national was recently convicted of infiltrating Twitter to spy on users who were critical of the Saudi Arabian government, for which he was paid by an adviser to crown prince Mohammed bin Salman. Another former Twitter employee who was accused of spying for Saudi Arabia fled the country before he could be arrested.
The accusation that Jack Dorsey checked out and was replaced by the worst CEO ever
This may come as no surprise to anyone who watched the company founder and its then-CEO’s laconic appearances before Congress in the last few years, but Zatko says Dorsey was mostly absent from Twitter while Zatko worked there. Dorsey “was experiencing a drastic loss of focus in 2021,” the complaint says, attending few meetings and barely participating in the ones he did come to. Zatko says this made it hard for him to do his job and that he had no support in the “herculean effort” that was fixing Twitter. Dorsey was reportedly working from a private island in French Polynesia when the decision was made to ban President Trump from the platform. He stepped down from Twitter in late 2021.
Agrawal is now Twitter’s CEO, and seemingly the object of Zatko’s ire. The complaint repeatedly and frequently blames Agrawal for failing to improve Twitter’s security and privacy, trying to hide Twitter’s problems from investors and the board of directors, and not giving Zatko the support and resources Zatko felt he needed to do the job he was hired for. Though Dorsey was the CEO for most of Zatko’s Twitter tenure, he gets off easy in the report. That may not protect him from any fallout from this leak.
The allegation that Twitter long failed to follow basic security practices
Throughout the complaint, Zatko says the company refused to implement some basic security measures, even while counting some of the most powerful and important people in the world among its users. This has led, Zatko contends, to security breaches including the one that led to his hiring: A teenager was able to gain access to some of the most high-profile accounts on the platform and then use them to tweet bitcoin scams, ultimately stealing $120,000 worth of the cryptocurrency from victims. That hacker gained access by tricking Twitter employees into giving up their passwords, showing how lax Twitter apparently was about limiting and controlling access to high-profile accounts.
Unsurprisingly, this claim has so far attracted the bulk of the attention from members of Congress, most, if not all, of which are Twitter users themselves. According to the Washington Post, some lawmakers have already met with Zatko or are planning to in the near future. Expect Zatko to testify before committees, much like Facebook whistleblower Frances Haugen did following her revelations (Zatko and Haugen both used Whistleblower Aid, a nonprofit legal assistance firm, to facilitate their complaints and represent them). What’s not clear is what legislators can do beyond sending angry letters or holding committee hearings, as Congress has failed to pass federal privacy laws. The SEC and FTC, on the other hand, may already be preparing their cases against Twitter for allegedly deceiving shareholders and consumers.
As for Musk, he has responded to the news with several tweets, including one of an illustration of Jiminy Cricket, who sings “Give a Little Whistle” in Pinocchio; a screenshot of the Washington Post article that said Twitter had internal spam and bot numbers it didn’t share with investors; and several tweets with a solitary emoji, including a monocle face and a crying laughing face.
Musk’s lawyer told the Washington Post that Zatko has already been subpoenaed for the Musk-Twitter trial.
Musk’s glee might be premature. If he loses his battle and is forced to buy Twitter, he won’t just be getting a company that’s already worth far less than the price he agreed to pay for it. He’ll also be getting a company that, if Zatko’s allegations are true, is rife with internal and external problems that someone will have to fix — and answer for.