Ex-Twitter exec claims improper cybersecurity policies

A bombshell whistleblower disclosure acquired exclusively by CNN and The Washington Post claims that Twitter has serious security flaws that threaten the personal information of its users, firm stockholders, national security, and democracy.
The report, which was delivered to Congress and federal agencies last month, portrays a picture of a disorderly and careless work environment at a poorly managed corporation that gives too many employees unrestricted access to the platform’s most sensitive data and administrative controls. One or more present employees may be working for a foreign intelligence service, and it is claimed that some of the company’s highest executives have been trying to cover this up.
Twitter’s significant weaknesses
Peter “Mudge” Zatko, the company’s former head of security who volunteered to be publicly recognized as the whistleblower, reported directly to the CEO. Zatko further claims that Twitter’s management has lied to the company’s board and government regulators about the extent of the company’s security flaws, including those that may be used for espionage, hacking, and disinformation by foreign governments.
According to the complaint, Twitter does not consistently erase user data following account cancellation, in part because the firm has lost track of the information, and it has lied to regulators about whether or not it deletes the data as it is supposed to do. The leaker also claims that Twitter’s upper management is either uninterested in learning the real number of bots on the network or lacks the means to learn the number. Despite Twitter’s denials, Elon Musk has recently made bots a focal point of his efforts to cancel a $44 billion bid to acquire the firm.
After working for Twitter (TWTR) since 2013, Zatko was let go in January due to, according to the firm, his poor performance. Zatko claims that before going public with his whistleblowing he tried to alert Twitter’s board to the security flaws and help the company remedy years of technical inadequacies and alleged non-compliance with a previous privacy agreement with the Federal Trade Commission. Zatko is being represented by Whistleblower Aid, the group that also represented Facebook whistleblower Frances Haugen.
According to Zatko’s attorney, John Tye, founder of Whistleblower Aid, Zatko has not been in contact with Musk and started the whistleblower procedure before there was any sign of Musk’s connection with Twitter.
According to Musk’s attorney Alex Spiro, who spoke to CNN after the first publication of this item, “We have already issued a subpoena for Mr. Zatko and we found his exit and that of other important workers odd in light of what we have been uncovering.”
CNN put more than 50 separate questions about the disclosure to Twitter.
A Twitter representative stated to CNN that the protection of user data and confidentiality has always been a top objective. Twitter also stated that it has internal protocols in place to guarantee users are aware that their accounts would be deactivated and a deletion process will begin upon cancellation, and that the business gives explicit tools for users to regulate privacy, ad targeting, and data sharing. In response to a request for comment, Twitter did not confirm or deny whether or not it normally finishes the procedure.
A Twitter representative said, “Mr. Zatko was terminated from his senior executive post at Twitter in January 2022 due to weak leadership and poor performance.” “So far, we’ve seen a false narrative about Twitter and our privacy and data security standards that’s full of falsehoods and misses crucial context. Mr. Zatko’s accusations and the timing of them seem calculated to attract negative attention and cause harm to Twitter, its users, and its investors. Twitter has always placed a premium on user privacy and security, and this focus won’t be changing anytime soon.”
Some of Zatko’s most damaging allegations appear to stem from his strained relationship with Parag Agrawal, the company’s former chief technology officer and current CEO following Jack Dorsey’s departure in November. The statement states that Agrawal and his subordinates discouraged Zatko from informing Twitter’s board of directors about the company’s security issues.
Allegedly, company executives told Zatko to give an oral rather than written report of his initial findings on the company’s security condition to the board, directed him to knowingly present cherry-picked and misrepresented data to create a false perception of progress on urgent cybersecurity issues, and conspired behind his back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problem.
As the person who hired Zatko and who, according to Zatko, wanted to see the company’s problems rectified, Dorsey comes across well in the disclosure. However, it does paint a picture of him being so detached from Twitter in his final months as CEO that some of his colleagues worried he was ill.
Attempts to contact Dorsey by CNN have so far been unsuccessful. According to CNN, a source familiar with Zatko’s experience at Twitter said the business reviewed various concerns he brought forward around the time he was sacked and eventually deemed them unpersuasive; the source added that Zatko at times lacked comprehension of Twitter’s FTC requirements.
Zatko thinks he was let go because he raised concerns about security at the organization.
The stinging statement, which is roughly 200 pages long when accompanied by exhibits, was sent last month to the Securities and Exchange Commission, the Federal Trade Commission, and the Department of Justice, among other US government agencies and congressional committees. Neither the existence of the disclosure nor any of its specifics have been previously publicized.
CNN obtained a copy of the disclosure from a senior Democratic official on Capitol Hill. The Securities and Exchange Commission (SEC), Department of Justice (DOJ), and Federal Trade Commission (FTC) all declined to comment; however, a spokesperson for the Senate Intelligence Committee, Rachel Cohen, told CNN that the committee is taking the disclosure seriously and has scheduled a meeting to discuss the allegations.
In addition to receiving the report, Senate Judiciary Committee Chair Senator Dick Durbin has committed to investigate “and take further steps as needed to get to the bottom of these serious accusations.”
Sen. Chuck Grassley, the leading Republican on the same panel and a prolific Twitter user, likewise voiced serious concerns about the claims in a statement to CNN.
“Take a tech platform that collects vast amounts of user data, combine it with what appears to be terribly weak security architecture, and inject it with foreign state actors with an agenda, and you’ve got a prescription for disaster,” Grassley warned. “There are severe privacy and national security implications raised by the statements I got from a Twitter whistleblower, and they need to be looked into.”
Sen. Richard Blumenthal, in a letter to the FTC on Tuesday that was obtained by CNN, urged the agency to examine the claims and impose fines and individual accountability on specific Twitter officials if an investigation reveals they were responsible for security failings.
The admission has resulted in increased pressure on Twitter from Washington, as evidenced by Blumenthal’s letter (he chairs the Senate subcommittee on consumer protection).
Blumenthal argued that if the Commission did not strictly monitor and implement its orders, “these hazardous infractions will persist.”
Zatko’s efforts as a whistleblower may earn him a reward from the United States government. According to the SEC, “original, timely, and credible information that leads to a successful enforcement action” can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties total more than $1 million. Since 2012, the SEC has awarded more than $1 billion to almost 300 whistleblowers.
Tye told CNN that Zatko disclosed the matter to the SEC “to help the agency enforce the rules” and to qualify for whistleblower protections under federal law. “Mudge’s decision to become a legal whistleblower was not influenced by the possibility of a reward, and in fact, he did not even know about the reward scheme when he made his decision.”
Confidential Informant
Zatko gained widespread prominence when he testified at the first congressional hearings on cybersecurity in 1998.
“Finding communities where I can make a positive impact has been my life’s mission. Through my work in the realm of security, I was able to accomplish this. That’s the key thing I’m using to [...]” he told CNN in an interview earlier this month.
Before he even started working at Twitter, a devastating hack in 2020 compromised the accounts of some of the most famous people in the world, including then-presidential candidate Joe Biden, former President Barack Obama, Kim Kardashian, and Musk. This is what led him to decide to become a whistleblower. Twitter told CNN that after the incident, the firm began separating out different departments’ access to customer service resources.
After the attack, Dorsey brought on board Zatko, a former “ethical hacker” who is now a cybersecurity insider and executive with prominent roles at Google, Stripe, and the US Department of Defense and who, according to CNN, was offered a senior, day-one cyber post in the Biden administration.
According to Zatko, he discovered a business with extremely lax security measures, such as granting thousands of employees (equivalent to almost half of the workforce) access to the platform’s crucial controls. Overall, he found “egregious failures, incompetence, intentional ignorance, and dangers to national security and democracy,” as he put it in his report.
According to Zatko’s disclosure, he was worried that after the January 6 insurrection, someone working for Twitter who sympathized with the insurrectionists might try to manipulate the company’s platform. He aimed to limit the “production environment” access that Twitter engineers use to implement new features.
According to the disclosure, however, Zatko quickly became aware that “The production environment could not be shielded. The doors were open to all of the engineers. Neither the people who entered the environment nor their actions were recorded…. The location and importance of data were unknown, and all engineers had full access to the production environment.”
According to Zatko, internal cybersecurity reports estimate that 40% of Twitter’s machines do not fulfill even the most basic security criteria, but the company has no way of confirming this because it has so little control over, or access to, employees’ individual work PCs. The disclosure states that Twitter’s shaky server infrastructure is a different but equally dangerous vulnerability.
According to the letter to regulators and an email from Zatko to Twitter board member Patrick Pichette in February, included in the disclosure, roughly half of the company’s 500,000 servers run on outdated software that does not support basic security features like encryption for stored data or regular security updates by vendors.
According to Zatko’s declaration, the corporation does not have adequate redundancies and procedures to restart or recover from data center crashes, so even modest outages of numerous data centers at the same time might knock the entire Twitter service offline, possibly permanently.
Twitter did not answer CNN’s inquiries concerning the possibility of data center outages, but the company did confirm to the news outlet that members of the engineering and product teams do have access to the production environment provided they can demonstrate a legitimate business need for it.
Twitter also noted that additional IT and security teams monitor the devices used by employees and that any device running outdated software is blocked from accessing Twitter’s sensitive internal systems.
It was also revealed that Twitter’s live product is only modified by employees after the code has met particular record-keeping and review standards and that the business performs automatic checks to prevent laptops running outdated software from accessing the production environment.
According to the source acquainted with Zatko’s time at Twitter, the company’s internal security technologies are evaluated on a regular basis and by external auditors once every two years. According to this source, some of Zatko’s device security statistics aren’t credible because they were obtained by a tiny team that didn’t take Twitter’s existing security protocols into account.
Twitter’s security problems, however, predate 2020. The Federal Trade Commission (FTC) lodged a complaint against Twitter in 2010 over concerns that too many Twitter employees had access to sensitive user data. The complaint was settled the following year by a consent decree in which Twitter agreed to implement and maintain “a robust information security programme.”
Zatko asserts that the corporation has “never been in compliance” with the FTC’s demands from over a decade ago, despite the company’s assurances to the contrary. He claims that Twitter has an “anomalously high number of security events,” with about one per week that is serious enough to demand notification to government authorities, because of its claimed failures to address vulnerabilities revealed by the FTC and other flaws.
After being let go by Twitter in January, Zatko submitted a letter to the company’s board in February, stating, “Based on my professional expertise, peer firms do not have this scale or volume of occurrences.”
Zatko’s revelation carries tremendous weight. According to Jon Leibowitz, chair of the FTC at the time of Twitter’s original 2011 consent agreement, the company might face billions of dollars in fresh fines if it is found to have broken its legal duties.
Since the FTC decided not to name top Facebook execs like Mark Zuckerberg and Sheryl Sandberg in its $5 billion privacy settlement with that firm in 2019, Leibowitz said the agency now has another chance to convince the tech industry it is serious about holding platforms accountable.
“One of the main disappointments in the Facebook order violation case was that the FTC let executives off the hook; they should have been named,” Leibowitz said to CNN. “And if there is a breach here (and that’s a huge if), the FTC should strongly consider fining the company and reprimanding the people in charge.”
Twitter told CNN that Zatko was not involved in the 2011 consent order audits that were submitted to the FTC as evidence of the company’s compliance. Twitter has also stated that it has been honest with regulators about its efforts to address any systemic issues and that it complies with all applicable privacy standards.
A source familiar with Zatko’s time at Twitter told CNN that the former employee’s statements about the company’s compliance are wrong in part because he did not understand how Twitter’s existing programs and processes work to fulfill Twitter’s FTC requirements.
Dangers from Abroad
The disclosure suggests that Twitter may have foreign spies working for it, making it especially susceptible to manipulation by foreign governments in ways that harm US national security.
According to the disclosure, the US government gave Twitter information that one or more of its workers were working for another government’s intelligence service just before Zatko was fired. There is no indication in the disclosure of whether Twitter was already aware or whether it took any action after receiving the tip.
Twitter’s former CTO Agrawal allegedly suggested to Zatko last year, before Russia invaded Ukraine, that Twitter give in to Russian requests that could lead to widespread censorship or surveillance of the platform.
Nothing about Agrawal’s proposal is specified in the disclosure. However, Russia approved a law this summer compelling tech platforms to build local offices in the country or face potential advertising prohibitions, a move that western security experts say was intended to give Russia additional control over US digital corporations.
Zatko claims that while Agrawal’s idea was ultimately shot down, it was nonetheless a worrying indicator of how far Twitter was willing to go in search of growth.
Concerns regarding Twitter’s impact on U.S. national security are warranted, according to Zatko’s disclosure, because “Twitter’s current CEO even urged Twitter to become complicit with the Putin administration.”
Zatko’s report has been made public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.
The Saudi case underscores how serious Zatko’s new claims against Twitter are. His findings have the potential to further inflame partisan tensions in Washington, DC, over the threat posed by foreign adversaries in the realm of cybersecurity, from the theft of personal information to the manipulation of voters and the theft of intellectual property.
There were specific inquiries about Twitter’s suspected exposure to foreign intelligence, but Twitter did not provide answers.
Characterized by Musk
Musk is currently in a legal dispute with Twitter over his attempt to back out of buying the company, so the timing of Zatko’s disclosure could hardly be better for him. Musk argues he has grounds to terminate the contract because Twitter has lied to him about the prevalence of spam bots on its network.
Although the binding acquisition agreement Musk signed with Twitter in April contains no exemptions related to bots, Musk claims that the number of bots on the platform affects the user experience and that having more bots than previously known could therefore impact the company’s long-term value.
Twitter filed a lawsuit after Musk attempted to cancel the acquisition, claiming he is hiding behind the bogus bot issue to back out of a deal he now regrets due to the current market collapse, and asking a court to compel him to complete the transaction. The trial will begin in October in Delaware Chancery Court.
Ad revenue for any social media company is directly proportional to the number of users, so knowing how many people use the service is crucial. However, in the internet and media industries, figures for the number of users a service has, or the number of people who really view a certain ad on a site, are notoriously unreliable due to manipulation and inaccuracy.
Twitter is the only social media company to use a metric it calls monetizable daily active users, or mDAUs, when reporting user statistics to investors and advertisers. Twitter’s competitors, and until 2019 Twitter itself, simply tallied up all of their active users and reported them. However, this also meant that Twitter’s metrics could see large swings in response to events like the removal of large-scale bot networks.
According to Zatko’s disclosure, Twitter switched to mDAUs, which it says counts all users that may be shown an advertisement on Twitter while excluding any accounts that for some reason can’t be, such as those known to be bots.
An insider has confirmed to CNN this week that the company’s conclusion that less than 5% of its mDAUs are fraudulent or spam accounts stands, while also pointing to earlier investor filings stating the statistic relies heavily on judgment and may not fully reflect reality. In contrast, Zatko claims that Twitter is being intentionally deceptive by only reporting bots as a percentage of mDAU rather than as a percentage of the entire number of accounts on the network.
According to Zatko, he first questioned Twitter’s head of site integrity about the frequency of bot accounts in early 2021 and was informed that the firm had no idea of the entire number of bots on the platform.
He claims that after speaking with the integrity team, he concluded that the corporation “had no ambition to adequately assess the incidence of bots,” in part because making the real number public would be detrimental to the company’s worth and reputation.
The experts who study fake online behavior argue that it’s tough to put a number on “bots” because the term isn’t universally agreed upon and the methods used by cybercriminals are always evolving. Many accounts on Twitter (and the internet at large) are automated but serve a useful purpose, such as automated news reporting; Twitter provides an opt-in function that allows these accounts to clearly mark themselves as bots.
While noting that not all bots are malicious, Twitter told CNN that it does not count how many bots are on its platform, because such a count would include bots that the firm has already recognized and taken action against. Twitter has stated that its less-than-5% figure, which reflects a manual estimate, is reported in its financial statements because the firm does not believe it can catch every spam account on the platform.
Zatko told CNN that he believes it would be worthwhile to try to quantify the number of spam, fake, or otherwise detrimental automated accounts on the site. “What data, information, and material the executive team, board, shareholders, and users are consuming [on the platform…] should be disclosed openly and honestly. As an investor who is looking to make a long-term bet on a company’s success, I can’t help but favor opportunities where I have a clear picture of what’s going on behind the scenes,” he said.
Twitter insists that bots are welcome, but regulations ban those who spam or otherwise abuse the service. However, like with the standards of any social media platform, enforcing these guidelines can be difficult.
The company claims it routinely removes over a million spam accounts daily and challenges, suspends, and deletes users that engage in spam or attempt to manipulate the site. Twitter has stated that the sum of all bots is meaningless.
The firm has not, however, provided the overall number of accounts on the network or the average number of new accounts added to the platform every day, figures that would put this daily bot deletion number in context.
Zatko’s accusations, however, could lend credence to Musk’s main claim that the number of fake and spam accounts is much higher than Twitter has publicly reported.
Zatko claims that by going public, he is fulfilling his role as an advocate for a platform that is essential to democracy. “The CEO of Twitter, Jack Dorsey, contacted me and asked me to come and help out with an important project. I committed to doing it, and in my mind, I’m still doing it,” he said.