Twitter’s former security chief says company lied about bots and safety

Alex Castro / The Verge

According to testimony from the company's former head of security, Peiter "Mudge" Zatko, the company hid negligent security practices, misled federal regulators about its safety, and failed to properly estimate the number of bot on its platform. There are huge consequences to the allegations, including federal fines and the unraveling of Musk's bid to buy the social networking site.

Zatko claims that he was retaliated against for refusing to stay quiet about the company's vulnerabilities. He filed a complaint with the SEC last month, accusing the company of deceiving shareholders and violating an agreement it made with the FTC. CNN and The Washington Post obtained his complaints and made them public this morning.

In an interview with CNN, Zatko said that he joined the company in 2020 after the company was hit by a massive hack in which accounts belonging to figures like Barack Obama and Bill Gates were compromised. Zatko joined the platform because he thought it was a critical resource for the world, but he became dissatisfied with the CEO's refusal to address the company's security issues.

Zatko told The Washington Post that he was still fulfilling his obligation to Jack and to the users of the platform after becoming a whistle blower. Jack brought me in for the purpose of improving the place.

Many damning reports and accusations are contained in Zatko's disclosures to the SEC.

• Indiscriminate access. A significant part of Twitter’s vulnerability is that too many employees have access to critical systems, claims Zatko in his complaint. It states that around half of Twitter’s 7,000 or so full-time employees have access to users’ sensitive personal data (like phone numbers) and internal software (to alter how the service works), and that this access is not closely monitored. He also alleges that thousands of laptops contain complete copies of Twitter’s source code.
• Misleading the FTC. In 2010, Twitter settled charges with the FTC that it failed to protect consumers’ personal information — a significant and early example of government regulators reining in Big Tech. Zatko’s complaint claims Twitter has repeatedly made “false and misleading statements” to users and the FTC, violating this agreement.
• Ignoring bots. Twitter has repeatedly claimed that less than 5 percent of its monthly daily active users are bots, fake accounts, or spam. Zatko’s complaint says Twitter’s method of measuring this figure is misleading, and that executives are incentivized (with bonuses of up to $10 million) to boost user counts rather than remove spam bots.
• Government agents. Twitter is a key tool for sharing news and organizing protest, making it a ripe target for governments looking to crack down on dissent. Zatko’s complaint states that he believes the Indian government forced Twitter to hire a government agent, who then had access to privileged user data.
• Failure to delete. The complaint states that Twitter has, in the past, failed to delete users’ data when requested, because such records are spread too widely among internal systems to be properly tracked. A current employee told The Washington Post that the company just completed a project, known as Project Eraser, to ensure proper deletion of user data.

The former chief of security was accused of sensationalizing and presenting information by the company. The person told CNN.

“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago. While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”

The company will be affected by Zatko's allegations. According to sources cited by The Washington Post, if Zatko's accusations are proven to be correct, the FTC would likely impose significant fines on the social networking site.

The struggle between Musk and the social network will be affected by the complaint. Musk is currently trying to extricate himself from a $44 billion agreement to buy the company, justifying the decision with an accusation thatTwitter is lying about the true number of bot andspam accounts on the platform. Musk's arguments have previously been criticized as unwarranted.