‘Egregious deficiencies’ in security measures, claims Twitter whistleblower

Twitter’s former head of security has accused the company of “extreme, egregious deficiencies” in its handling of user information and spam bots in a damaging whistleblower complaint. Peiter Zatko, a veteran hacker and security expert known by name “Mudge”, says the company has deceived users, board members as well as the federal government about the strength of company’s security measures. Zatko was hired by the Twitter co founder and then CEO Jack Dorsey in 20202, to strengthen the company’s security after it was hacked targeting 130 high profile Twitter accounts, including Elon Musk, Bill Gates and Barack Obama.

The most serious charges in the complaint by Zatko include allegations that the company had violated terms of 11 year old settlement with Federal Trade Commission, falsely claiming that Twitter had a solid security plan. “Twitter is grossly negligent in several areas of information security,” Zatko mentioned in an analysis written in February that was included in his complaint. “If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”

Zatko filed the complaint, which was first reported by The Washington Post and CNN on Tuesday morning, to the Securities and Exchange Commission (SEC), Department of Justice and the Federal Trade Commission (FTC). A version of this complaint has been sent to many congressional committees.

A specific issue raised by Zatko is the access of Twitter’s thousands of employees to the company’s core software is highly faulty and there is major security lapse in the hardware used by employees as well. The complaint alleges that “about 30 per cent of laptops in the company automatically blocked updates that included security fixes”. Furthermore, the whistleblower document alleges “the company prioritized user growth over reducing spam, though unwanted content made the user experience worse. Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam”, mentions The Washington Post. Chief executive Parag Agrawal was wrong and lying when in May he tweeted the company was “strongly incentivized to detect and remove as much spam as we possibly can,” the complaint alleges.

Sharing the reason for his decision to go public with insider details, Zatko said, “I felt ethically bound. This is not a light step to take.” Under SEC rules related to whistleblowers, Zatko is entitled to legal protection against any retaliation, along with potential monetary rewards.