Twitter’s former top security official has alleged that company executives endangered national security through “egregious deficiencies” in privacy and security and systematically misled users, members of its board, investors, and government officials about those vulnerabilities.
The former official, Peiter “Mudge” Zatko, is a famous hacker and one of the nation’s top cybersecurity experts. He served as Twitter’s security lead from Nov. 2020 to Jan. 2022, when he was fired by CEO Parag Agrawal after Zatko began documenting what he says were repeated security violations, and as he worked with the company’s compliance officer on a formal investigation based on his claims. In July Zatko disclosed his information to U.S. regulatory authorities, invoking federal whistleblower safeguards. The disclosures were then shared with members of Congress.
In 84 pages of disclosures and supporting documents, which TIME reviewed, Zatko accuses the $33 billion social-media platform’s top executives of violating the Federal Trade Commission Act and Securities and Exchange Commission regulations by misleading users, investors and board members about critical data security and privacy issues. This led to numerous security breaches and exploitation by criminal actors, as well as infiltration by foreign governments, Zatko alleges.
These documents shed light on the years-old security problems at Twitter that Zatko claims have made it vulnerable to abuse, and possibly even complete collapse. Notably, Zatko contends that these problems were allowed to fester before he arrived, under Agrawal, who was then the highest-ranking executive responsible for security matters. “If these problems are not corrected, regulators, media, and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics,” Zatko wrote in a Feb. 2022 document cited in the disclosure.
This disclosure comes just weeks ahead of the first court date in a dispute about the pending sale to Elon Musk, who is seeking to renegotiate his agreement to purchase the company. Musk alleges that Twitter misled him and investors about how many spam bots and fake accounts make up the company’s user base. Internal company emails provided as part of the disclosures show that Zatko began documenting Twitter’s alleged wrongdoings months before Musk publicly announced his desire to buy the company. A trial in Delaware beginning October 17th will determine whether Musk must go through with the initial agreement to acquire Twitter.
Zatko accuses Twitter executives of “lying about bots” to Musk, shareholders and users, alleging that there are far more spam accounts on the platform than the company reveals, and that executives have little incentive to count them properly because doing so could cost them their bonuses.
A Twitter spokesperson said the company had not seen Zatko’s allegations in full, but rejected a description of his main allegations. “Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” a Twitter spokesperson told TIME. “While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”
Zatko’s disclosures allege the social media company’s executives committed securities law violations by making “material misrepresentations and omissions” in SEC filings, and asked him to mislead the board by minimizing security vulnerabilities. Zatko also says Twitter is beset by fundamental architectural flaws that allow too many employees “God mode” access to its systems, making the platform vulnerable to hackers and to influence by foreign intelligence agencies. His disclosures allege that Twitter executives hired two people whom he believes were Indian government agents and put them in positions with “direct unsupervised access” to internal Twitter data and information. This was just one example of Twitter’s “negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil and/or censor” the platform, its staff and its operations, Zatko alleges.
A source close to the company says that Zatko’s claims around the time of his exit were “investigated and found to be sensationalistic and lacking merit.” “Mudge stands by everything in his disclosure, and his career of effective and ethical leadership speaks for itself. The focus should be on the facts laid out in the disclosure, not ad hominem attacks against the whistleblower,” says John Tye of Whistleblower Aid, which is representing Zatko.
Zatko’s disclosures were first reported by the Washington Post; TIME obtained them from a congressional source. The documents were sent to the U.S. Securities and Exchange Commission and to the Bureau of Consumer Protection at the Federal Trade Commission. A redacted version was also shared with Congress, and the House Energy and Commerce Committee is currently reviewing it. The disclosures were made public weeks after landmark data-privacy legislation was passed and an FTC effort was launched to examine data privacy protections. The Senate Judiciary Committee has also indicated it intends to investigate Zatko’s allegations, and the Senate Intelligence Committee is looking to set up a meeting with him, according to CNN. The disclosures suggest that “Twitter is disorganized and careless” and highlight the “total lack of institutional and practical controls they have,” a senior Democratic staffer tells TIME. “They show how the potential for abuse is there…and it will inform the work we’re doing on this legislation.”
Who is Peiter ‘Mudge’ Zatko?
Known by the hacker pseudonym “Mudge,” Zatko, 51, has for three decades been one of the best-known figures in the world of network security. He has exposed weaknesses at major tech companies as well as in the federal government. In the early days of the Internet he exposed vulnerabilities as a leader of the hacker groups L0pht and the Cult of the Dead Cow, and he later worked at Google and served at the Department of Defense. Zatko has also testified before Congress and has been brought in to advise U.S. Presidents, members of Congress, and intelligence agencies.
“He remains one of the best security minds on the planet today,” Kevin O’Brien, co-founder and CEO of cybersecurity firm GreatHorn, said of Zatko after Twitter hired him.
After a Twitter hack in 2020 that led to the accounts of users including Elon Musk and Joe Biden being compromised, Twitter co-founder and then-CEO Jack Dorsey gave Zatko a broad mandate as the social-media company’s “head of security.” Zatko ultimately supervised hundreds of staffers and had a mission to evaluate Twitter’s security problems, present them to company leaders, and come up with a strategy to fix them, according to his disclosures.
His time at Twitter became increasingly fraught. Here are some of Zatko’s most serious allegations against his former employer:
Claim: Twitter intentionally undercounts spambots
Twitter and Musk are locked in a legal battle over spam bots. Musk says that Twitter has far more automated spam accounts than it has claimed over the years, and cites this as grounds for not going through with the $44 billion deal to acquire the company.
In allegations that will bolster Musk’s argument, Zatko’s disclosures allege that Twitter has been “lying” to Musk about bots, and that the total percentage of spam bots on Twitter is substantially higher than the maximum of 5% that Twitter claims. Zatko says that Twitter arrives at its official percentage of bots on the platform by sampling only from a subset of accounts known as “monetizable daily active users,” or mDAUs. Twitter created this subset to give advertisers an indication of the number of real people viewing their ads, so it already excludes bots; sampling from an already-filtered population, Zatko argues, understates the share of bots across the platform as a whole. Zatko claims that his attempts to find out what share of Twitter accounts are bots were met with resistance from within the company.
“In early 2021, as a new executive, Mudge asked the head of Site Integrity (responsible for addressing platform manipulation including spam and botnets) what the underlying spam bot numbers were,” Zatko’s disclosure states. “Their response was ‘we don’t really know.’”
Zatko further argues that Twitter executives “are not incentivized to accurately detect or report total spam bots on the platform,” because he says that their potentially lucrative bonuses are “tied” to growing the number of mDAUs. He suggests that if the real percentage of spam bots were to become known, it would “hurt the image and valuation of the company.” And he alleges in the complaint that he once witnessed a Twitter executive telling members of the company’s board of directors that Twitter had “intentionally and knowingly deprioritized platform health” in favor of growing mDAU.
A Twitter representative did not respond to requests for comment on mDAU.
Claim: Twitter has a ‘severe lack of security basics’
Zatko alleges that Twitter is “decades behind” competitors like Google and Facebook in its internal security protocols and that during his tenure, a serious security breach was occurring at Twitter virtually every week. He argues that this was partly because far too many employees have access to internal systems that they shouldn’t, which makes the platform vulnerable to basic phishing schemes. In the 2020 hack, a scam that compromised the accounts of Joe Biden and Barack Obama took more than $100,000 in Bitcoin from users. The hack was masterminded by a teenager who posed as a member of the IT department in order to obtain employees’ credentials, which then gave him access to those accounts. He was arrested and charged.
On Jan. 6, Zatko says, he was watching the Capitol insurrection unfold online and asked a Twitter higher-up to curtail employees’ access to internal systems, having discovered that too many employees could access those systems without restriction. Zatko claims that a single rogue engineer could have compromised the platform and sown disinformation and misinformation: a few fake tweets purporting to come from President Trump’s account could have escalated the violence.
A source close to the company said that employees must have a “business justification” to access internal systems and data platforms.
Zatko also says that Twitter’s data centers were a mess, running on outdated operating systems and improperly backed up. In the spring of 2021, Zatko says, the company narrowly avoided a catastrophic failure that could have knocked out all of the company’s data centers and permanently shut down the entire platform. Zatko claims that Twitter engineers worked around the clock fixing the problems and the matter never went public. Twitter did not respond to a request for comment on the incident. (The site experienced widespread outages in April 2021.)
Claim: Twitter misled government and investors
Zatko alleges that an awareness of these security shortcomings is “fundamental to any proper valuation of Twitter’s business”—and that hiding these problems from investors and the board is “significantly misleading.” He further alleges that Twitter knowingly misled the government in other ways, including in its SEC filings in response to Musk’s bid to buy the company. In those filings, for instance, Twitter declares that it does not knowingly violate IP rights—but Zatko claims that Twitter never obtained the proper legal rights to the training material used to build Twitter’s core algorithmic models, and that executives misled regulators in multiple countries about owning those rights. Zatko also asserts that internal security measures Twitter promised to develop in the wake of the 2011 FTC mandate had yet to be rolled out, and that executives misled Twitter’s board about their progress in creating them. Zatko states that he was chastised by an executive for telling the board of this fact.
A source close to the company says that Zatko did not understand the company’s agreements with the FTC and made “inaccurate claims” about Twitter’s compliance with regulatory obligations.
Claim: Twitter granted foreign agents access to data
Zatko says the company’s security lapses didn’t only harm individual users. They were of geopolitical and national security importance, he claims. Twitter was “complicit in threats to democratic governance,” he writes.
One of Zatko’s allegations is that the company hired two people that he believes were Indian government agents. Because of Twitter’s flawed internal security systems, Zatko says, the purported agents had “direct unsupervised access” to internal information. Zatko claims he filed separate disclosures detailing these and other incidents with the Counterintelligence and Export Controls Section of the Department of Justice and Senate Select Committee on Intelligence.
Sources close to Twitter claim that they have no information about government agents at Twitter.
Zatko alleges that Agrawal, a few months before his promotion to CEO, advocated for Twitter’s expansion into Russia, even if it meant abiding by the country’s censorship and surveillance demands. Zatko also claims that in 2022 the U.S. government informed Twitter that at least one of its employees was working as an intelligence agent. Twitter did not respond to a request for comment.
An ex-Twitter employee was found guilty earlier this month of spying on Saudi dissidents, and giving personal information to the Saudi government.
Claim: Jack Dorsey was silent for ‘days or weeks’ at a time
Although Zatko tweeted in support of Dorsey in 2021, he now claims that Twitter’s co-founder and former CEO suffered from a “drastic loss of focus” that year. He says Dorsey attended meetings sporadically, and that rumors spread within Twitter about him remaining silent for “days or weeks.” (Dorsey is a proponent of silent vipassana meditation.)
While Dorsey, who stepped down as Twitter CEO in November and is also CEO of payment platform Block, had initially given Zatko a wide mandate, Zatko says in the whistleblower disclosure that he felt unmoored: He was receiving “little to no actual support for his task of fundamentally changing the risky behaviors of over 8,000 employees, and the entire corporate culture,” the disclosure says.
On several occasions, Zatko alleges, he was instructed to suppress the extent of Twitter’s problems in front of the board. And he says that after he solicited an independent study that highlighted Twitter’s extensive security lapses and failure to combat disinformation, senior executives “became concerned about the impact on Twitter’s reputation were the findings to become publicly known” and had the parts most damaging to the company removed.
Claim: Parag Agrawal encouraged Zatko to lie to investors
Zatko claims that his relationship with Agrawal was fraught from the start, particularly since Agrawal had been the highest-ranking executive responsible for security matters before Zatko joined. Tensions escalated rapidly after Agrawal replaced Dorsey. Zatko claims that Agrawal intended to use the first board meeting of his tenure to downplay the seriousness of security concerns. On Dec. 15, Zatko wrote to Agrawal arguing that there were “numerous, and some significant, misrepresentations” in his materials for the upcoming presentation.
Zatko says Agrawal ignored him, and that the documents were presented to the board’s high-level Risk Committee meeting the following day. In a Jan. 4, 2022 email to Agrawal, Zatko called the documents “at worst fraudulent,” and wrote: “I was hired to achieve certain goals and to fix problems here at Twitter. In order to do that, we need to recognize the actual state of affairs at the company.”
“Zatko had every opportunity to either prevent that information from being shared or correct any inaccuracies during the meeting,” a source close to the company says. “On many occasions, Zatko was the source of inaccurate information.”
A few days after Zatko’s email, Agrawal wrote back, saying that the company had launched an internal investigation into his allegations, and asked Zatko for a detailed document supporting his claims, which Zatko began to compile. Zatko was fired less than two weeks after he filed the report. Publicly, Agrawal wrote that the decision stemmed from “an assessment of how the organization was being led and the impact on top priority work.”