A former head of security at Twitter has filed a whistleblower complaint with U.S. officials, alleging that the company misled regulators about its cybersecurity defences and its problems with fake accounts, according to reports by The Washington Post and CNN.
Peiter Zatko, Twitter’s security chief until he was fired early this year, filed the complaint last month with the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Department of Justice.
The Post, which obtained the complaint, reported that among the most serious accusations is that Twitter violated the terms of an FTC settlement by falsely claiming that it had a strong security plan.
Zatko also accuses the company of deceptions involving its handling of “spam,” or fake, accounts, an allegation that is at the core of the attempted withdrawal of a $44-billion US takeover bid for Twitter by billionaire Elon Musk.
Alex Spiro, a legal representative for Musk, told CBC News that Musk’s team has issued a subpoena for Zatko, saying: “We found his exit and that of other key employees curious in light of what we have been finding.”
Shares of Twitter Inc. slid four per cent Tuesday.
Joined company in late 2020
Zatko didn’t immediately respond to a request for comment Tuesday but told the Post he “felt ethically bound” to come forward.
Zatko, better known as Mudge, is a highly respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon’s Defense Advanced Research Agency and Google.
He joined Twitter at the urging of then-CEO Jack Dorsey in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders, celebrities and tech moguls, including Musk, in an attempt to scam their followers out of Bitcoin.
Twitter said in a prepared statement Tuesday that Zatko was fired for “ineffective leadership and poor performance” and that the “allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
The company went on: “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”
Senate intelligence committee will set up meeting
The legal non-profit Whistleblower Aid, which is representing Zatko, confirmed the authenticity of the document Tuesday, but said it is legally precluded from sharing it. The same group worked with former Facebook employee Frances Haugen, who testified to Congress last year after leaking internal documents and accusing the social media giant of choosing profit over safety.
A spokesperson for the U.S. Senate’s intelligence committee, Rachel Cohen, said the committee has received Zatko’s complaint and “is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
Sen. Dick Durbin, an Illinois Democrat, said in a prepared statement that if the claims are accurate, “they may show dangerous data privacy and security risks for Twitter users around the world.”
NEW: First time Twitter CEO <a href=”https://twitter.com/paraga?ref_src=twsrc%5Etfw”>@paraga</a> weighs in on whistleblower story. <br><br>Sending this message to staff this morning. <a href=”https://t.co/WY4TCqbA5q”>pic.twitter.com/WY4TCqbA5q</a>
Among the most alarming complaints is Zatko’s allegation that Twitter knowingly allowed the Indian government to place its agents on the company payroll where they had “direct unsupervised access to the company’s systems and user data.”
A 2011 FTC complaint noted that Twitter’s systems were full of highly sensitive data that could allow a hostile government to find precise geo-location data for a specific user or group and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California of passing along sensitive Twitter user data to royal family members in Saudi Arabia in exchange for bribes.
The complaint said Twitter was also heavily reliant on funding by Chinese entities and that there were concerns within Twitter that the company was providing information to those entities that would enable them to learn the identity and sensitive information of Chinese users who secretly use Twitter, which is officially banned in China.
Zatko also describes “deliberate ignorance” by Twitter executives on counting the millions of accounts that are automated “spam bots” or otherwise have no value to advertisers because there is no person behind them.