Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by SME and The Washington Post.
The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.
The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to find out. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).
Zatko was fired by Twitter (TWTR) in January for what the company claims was poor performance. Zatko says his public whistleblowing comes after he attempted to flag the security lapses to Twitter’s board and to help Twitter fix its technical flaws and its alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission. Zatko is represented by Whistleblower Aid, the same organization that represented Facebook whistleblower Frances Haugen.
John Tye, founder of Whistleblower Aid and Zatko’s lawyer, told SME that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk’s involvement with Twitter.
After this article was initially published, Alex Spiro, an attorney for Musk, told SME, “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”
SME asked Twitter to comment on 50 different questions about the disclosure.
A Twitter spokesperson told SME that privacy and security have long been priority areas for the company. Twitter said it provides clear tools that allow users to manage privacy, ad targeting and data sharing, and that it has developed internal workflows to ensure that users understand their accounts will be deactivated and then deleted when they cancel them. Twitter declined to say whether it completes that deletion process consistently.
“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” the Twitter spokesperson said. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Some of Zatko’s most damning claims spring from his apparently tense relationship with Parag Agrawal, the company’s former chief technology officer who was made CEO after Jack Dorsey stepped down last November. According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter’s security problems to the company’s board of directors. The company’s executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company’s security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko’s back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problems.
The disclosure is generally more favorable to Dorsey, who hired Zatko and who, Zatko believes, wanted to fix the company’s problems. But it does depict Dorsey as extremely disengaged in his final months leading Twitter, so much so that some senior staff even considered the possibility he was sick.
SME has reached out to Dorsey for comment. A person familiar with Zatko’s tenure at Twitter told SME the company investigated several claims he brought forward around the time he was fired, and ultimately found them unpersuasive; the person added that Zatko at times lacked understanding of Twitter’s FTC obligations.
Zatko believes his firing was in retaliation for his sounding the alarm about the company’s security problems.
The scathing disclosure, which totals around 200 pages including supporting exhibits, was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The existence and details of the disclosure have not previously been reported. SME obtained a copy from a senior Democratic aide on Capitol Hill. The FTC, DOJ and SEC declined to comment. The Senate Intelligence Committee, which also received a copy, is setting a meeting to discuss the allegations, according to Rachel Cohen, a spokesperson for the committee.
Sen. Dick Durbin, who chairs the Senate Judiciary Committee and also received the report, vowed to investigate “and take further steps as needed to get to the bottom of these alarming allegations.”
Sen. Chuck Grassley, the same panel’s top Republican and an avid Twitter user, also expressed deep concerns about the allegations in a statement to SME.
“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Grassley said. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”
In a letter to the FTC sent Tuesday and obtained by SME, Sen. Richard Blumenthal urged the commission to investigate and to impose fines on Twitter executives found to have been responsible for security breaches.
The letter by Blumenthal — who chairs the Senate subcommittee on consumer protection — highlights the pressure Twitter now faces from Washington as a result of the disclosure.
“If the Commission does not vigorously oversee and enforce its orders, they will not be taken seriously and these dangerous breaches will continue,” Blumenthal wrote.
Zatko first entered the national spotlight in 1998, when he testified at the first congressional hearings on cybersecurity.
“All my life, I’ve been about finding places where I can go and make a difference. I’ve done that through the security field. That’s my main lever,” he told SME in an interview earlier this month.
The events leading to his decision to become a whistleblower began before he worked at Twitter, with a devastating hack in 2020 in which the Twitter accounts of some of the world’s most famous people, including then-presidential candidate Joe Biden, former President Barack Obama, Kim Kardashian and Musk, were compromised. Twitter stated to SME that it had started to separate customer support access in response to this incident.
After the attack, Dorsey recruited Zatko, a well-known “ethical hacker” turned cybersecurity insider and executive who previously held senior roles at Google, Stripe and the US Department of Defense, and who told SME that he’d been offered a senior, day-one cyber position in the Biden administration.
What Zatko says he found was a company with extraordinarily poor security practices, including giving thousands of the company’s employees — amounting to roughly half the company’s workforce — access to some of the platform’s critical controls. His disclosure describes his overall findings as “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”
After the January 6 insurrection, Zatko was concerned about the possibility someone within Twitter who sympathized with the insurrectionists could try to manipulate the company’s platform, according to his disclosure. He sought to clamp down on internal access that allows Twitter engineers to make changes to the platform, known as the “production environment.”
But, the disclosure says, Zatko soon learned “it was impossible to protect the production environment. All engineers were able to access the environment. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.” Twitter also lacked the ability to hold workers accountable for information security lapses because it has little control or visibility into employees’ individual work computers, Zatko claims, citing internal cybersecurity reports estimating that 4 in 10 devices do not meet basic security standards.
Twitter’s flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors, according to the letter to regulators and a February email Zatko wrote to Patrick Pichette, a Twitter board member, that is included in the disclosure.
The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko’s disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.
Twitter did not respond to questions about the risk of data center outages, but told SME that people on Twitter’s engineering and product teams are authorized to access the production environment if they have a specific business justification for doing so. Twitter’s employees use devices overseen by other IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it is running outdated software, Twitter added.
The company also said it uses automated checks to ensure laptops running outdated software cannot access the production environment, and that employees may only make changes to Twitter’s live product after the code meets certain record-keeping and review requirements.
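The access arrangement Twitter describes here (production access only with a business justification, devices on outdated software refused, changes reviewed before they land) and the gap Zatko alleges (no record of who entered the environment or what they did) can be illustrated with a small access broker. The Python below is an added example written for this page, not Twitter’s code or anything from the disclosure; the OS baselines, field names and sample requests are assumptions.

```python
# Added example (not Twitter's code): a minimal production-access broker that
# models the controls described above: access only with a business
# justification, refusal of devices running outdated software, review
# requirements before a change reaches production, and an audit record of
# every decision. Baseline versions, field names and sample data are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import json

# Assumed minimum OS versions; a real fleet would pull these from an MDM/patch policy.
MIN_OS_VERSION = {"macos": (13, 5), "linux": (6, 1)}


@dataclass(frozen=True)
class Device:
    device_id: str
    os: str
    os_version: Tuple[int, ...]
    disk_encrypted: bool
    mdm_enrolled: bool


@dataclass(frozen=True)
class AccessRequest:
    engineer: str
    device: Device
    justification: str
    change_id: Optional[str] = None  # set when the session will push a change
    approvals: int = 0               # reviews already recorded on that change


@dataclass
class ProductionBroker:
    required_approvals: int = 2
    audit_log: List[dict] = field(default_factory=list)

    def device_problems(self, d: Device) -> List[str]:
        """Posture check: return every reason the device must not touch production."""
        problems = []
        baseline = MIN_OS_VERSION.get(d.os)
        if baseline is None:
            problems.append(f"unsupported OS {d.os!r}")
        elif d.os_version < baseline:
            have = ".".join(map(str, d.os_version))
            want = ".".join(map(str, baseline))
            problems.append(f"{d.os} {have} below baseline {want}")
        if not d.disk_encrypted:
            problems.append("disk not encrypted")
        if not d.mdm_enrolled:
            problems.append("device not enrolled in MDM")
        return problems

    def evaluate(self, req: AccessRequest) -> Tuple[bool, List[str]]:
        """Decide, then log the decision regardless of outcome."""
        reasons = self.device_problems(req.device)
        if not req.justification.strip():
            reasons.append("no business justification given")
        if req.change_id is not None and req.approvals < self.required_approvals:
            reasons.append(
                f"change {req.change_id} has {req.approvals}/{self.required_approvals} approvals"
            )
        granted = not reasons
        # Log denials as well as grants: a denied attempt is itself a signal.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "engineer": req.engineer,
            "device_id": req.device.device_id,
            "change_id": req.change_id,
            "justification": req.justification,
            "decision": "GRANT" if granted else "DENY",
            "reasons": reasons,
        })
        return granted, reasons

    def audit_jsonl(self) -> str:
        """Audit trail as newline-delimited JSON, ready to ship to a SIEM."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


def demo() -> List[Tuple[bool, List[str]]]:
    """Run three constructed requests through one broker; sample data only."""
    broker = ProductionBroker()
    good = Device("mac-001", "macos", (14, 2), True, True)
    stale = Device("mac-002", "macos", (12, 6), True, True)
    unmanaged = Device("lnx-003", "linux", (6, 5), False, False)
    requests = [
        AccessRequest("alice", good, "INC-1042: restore timeline cache"),
        AccessRequest("bob", stale, "INC-1042: restore timeline cache"),
        AccessRequest("carol", unmanaged, "", change_id="CL-77", approvals=1),
    ]
    return [broker.evaluate(r) for r in requests]


if __name__ == "__main__":
    for granted, reasons in demo():
        print("GRANT" if granted else "DENY", reasons)
```

The point of the design is that the decision and the audit record are produced by the same function, so there is no code path that grants access without writing who, from which device, for which change and why; a denied request is recorded too, because repeated denials from one account are exactly the kind of signal an insider-threat program looks for.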
Twitter has internal security tools that are tested by the company regularly, and every two years by external auditors, according to the person familiar with Zatko’s tenure at the company. The person added that some of Zatko’s statistics surrounding device security lacked credibility and were derived by a small team that did not properly account for Twitter’s existing security procedures.
But Twitter’s security concerns had come to light prior to 2020. In 2010, the FTC filed a complaint against Twitter for its mishandling of users’ private information and the issue of too many employees having access to Twitter’s central controls. The complaint resulted in an FTC consent order finalized the following year in which Twitter vowed to clean up its act, including by creating and maintaining “a comprehensive information security program.”
Zatko alleges that despite the company’s claims to the contrary, it had “never been in compliance” with what the FTC demanded more than 10 years ago. As a result of its alleged failures to address vulnerabilities raised by the FTC as well as other deficiencies, he says, Twitter suffers an “anomalously high rate of security incidents,” approximately one per week serious enough to require disclosure to government agencies. “Based on my professional experience, peer companies do not have this magnitude or volume of incidents,” Zatko wrote in a February letter to Twitter’s board after he was fired by Twitter in January.
The stakes of Zatko’s disclosure are enormous. It could lead to billions of dollars in new fines for Twitter if it’s found to have violated its legal obligations, according to Jon Leibowitz, who was chair of the FTC at the time of Twitter’s original 2011 consent order.
The agency now has another opportunity to show the tech industry it is serious about holding platforms accountable, Leibowitz added, after officials opted not to name top Facebook execs including Mark Zuckerberg and Sheryl Sandberg in the FTC’s $5 billion privacy settlement with that company in 2019.
“One of the big disappointments in the Facebook order violation case was that the FTC let executives off the hook; they should’ve been named,” Leibowitz told SME in an interview. “And if there’s a violation here — and that’s a big if — then I think the FTC should very seriously consider not just fining the corporation but also putting the executives responsible under order.”
Twitter told SME that its FTC compliance record is clear. It cited the third-party audits it submits to the agency under the 2011 consent order, audits in which, the company said, Zatko had not participated. Twitter stated that its privacy practices are in full compliance and that it has been open with regulators about any problems in its systems.
Zatko’s allegations are based in part on a failure to grasp how Twitter’s existing programs and processes work to fulfill Twitter’s FTC obligations, the person familiar with his tenure told SME, saying that misunderstanding has prompted him to make inaccurate claims about the company’s level of compliance.
Twitter’s vulnerability to the exploitation of foreign governments in ways that threaten US national security is extraordinary, according to the disclosure.
The whistleblower report says the US government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, perhaps more, were working for another government’s intelligence service. The disclosure does not say whether Twitter already knew this before the government’s tip, but it states that Twitter may have acted on it.
Last year, prior to Russia’s invasion of Ukraine, Agrawal — then Twitter’s chief technology officer — proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges.
The disclosure does not provide details of Agrawal’s suggestion. However, Russia passed a law last summer requiring tech platforms to set up local offices or risk bans, which western security experts described as an attempt to increase Russia’s leverage over US-based tech companies.
While Agrawal’s suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.
“The fact that Twitter’s current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter’s effects on U.S. national security,” Zatko’s disclosure says.
Zatko’s report is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia. It could further inflame bipartisan concerns in Washington about foreign adversaries and the cybersecurity threats they pose to Americans, ranging from the theft of US citizens’ data to the manipulation of US voters and the theft of technology and trade secrets.
Twitter declined to answer specific questions regarding its supposed foreign intelligence vulnerabilities.
Zatko’s disclosure comes at a particularly fortuitous moment for Musk, who is engaged in a legal battle with Twitter over his attempt to back out of buying the company. Musk claims that Twitter lied about how many spam bots are on its platform, an issue he says entitled him to terminate the agreement.
While the binding acquisition agreement that Musk signed with Twitter in April did not include any bot-related exemptions, the billionaire claims that the number of bots on the platform affect the user experience and that having more bots than previously known could therefore impact the company’s long-term value. After Musk moved to terminate the purchase, Twitter responded with a lawsuit alleging that he is using bots as a pretext to get out of a deal over which he now has buyers’ remorse following the recent market downturn, and asking a court to force him to close the deal. In October, the Delaware Chancery Court will hear the case.
Social media businesses depend on being able to tell advertisers how many potential customers will see an advertisement. But figures for how many users a service has, or how many people see an ad, have long been prone to error and manipulation.
Twitter is unique among social media companies in reporting user numbers to advertisers and investors as what it calls monetizable daily active users (mDAUs). Its competitors report active users, as Twitter itself did until 2019. That meant Twitter’s figures were subject to significant swings in certain situations, including takedowns of major bot networks. So Twitter switched to mDAUs, which it says counts all users who could be shown an advertisement on Twitter, leaving the accounts that for some reason can’t be, for instance because they’re known to be bots, in a separate bucket, according to Zatko’s disclosure.
According to the company, less than 5% of mDAUs are spam or fake accounts. A person familiar with the matter reiterated that figure to SME last week, while also pointing to the company’s investor disclosures, which state that the number relies on significant judgment and might not reflect reality. But Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.
Zatko says he began asking about the prevalence of bot accounts on Twitter in early 2021, and was told by Twitter’s head of site integrity that the company didn’t know how many total bots are on its platform. He alleges that he came away from conversations with the integrity team with the understanding that the company “had no appetite to properly measure the prevalence of bots,” in part because if the true number became public, it could harm the company’s value and image.
Experts on inauthentic behavior online say it can be difficult to quantify “bots” because there isn’t a widely agreed upon definition of the term, and because bad actors constantly change their tactics. Many bots are harmless, such as automated news accounts, and Twitter offers an opt-in option that lets such accounts transparently label themselves as “automated.” Twitter told SME that the claim it doesn’t know how many bots are on its platform lacks context, reiterating that not all bots are bad and adding that a focus on the total number of bots on Twitter would include those the company may have already identified and taken action against. Twitter also said it doesn’t believe it can catch every spam account, which is why the less-than-5% figure in its financial filings is described as an estimate.
Zatko told SME that he believes it would be worthwhile to attempt to determine the number of bot, spam and other potentially harmful automated accounts. “The executive team, the board, the shareholders and the users all deserve an honest answer as to what it is that they are consuming as far as data and information and content [on the platform] … At least from my point of view, I want to invest in a company where I know what’s actually going on because I want to invest strategically in the long-term value of an organization,” he said.
Twitter says it allows bots on its platform, but its rules prohibit spam and platform manipulation of any kind. As with every social media platform’s rules, though, the challenge often lies in enforcing them.
The company says it regularly challenges, suspends or removes accounts involved in spam and platform manipulation, typically removing more than one million spam accounts per day, and it maintains that bots are not prevalent enough to make the platform useless. Twitter did not answer questions about the total number of accounts on the platform or the average number of accounts added per day, which would provide context for that daily removal figure.
But in casting doubt on Twitter’s ability to estimate the true number of fake and spam accounts, Zatko’s allegations could provide ammunition to Musk’s central claim that the figure is much higher than Twitter has publicly reported.
Zatko says that in speaking out publicly he is doing the job he was hired to do, which he considers crucial to democracy. “Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission,” he said.