Twitter’s former security chief Peiter “Mudge” Zatko accused the company and its board of directors of violating financial rules, of fraud, and of grossly neglecting its security obligations in a complaint to the US Securities & Exchange Commission, the Federal Trade Commission, and the US Justice Department last month.
The Washington Post obtained and published a redacted copy of the complaint, which makes numerous allegations about occurrences and practices preceding and during Zatko’s time at the company, which ran from November 16, 2020 through January 19, 2022, when he was terminated by the new CEO Parag Agrawal.
Zatko’s complaint was filed by nonprofit law firm Whistleblower Aid, which confirmed the authenticity of the Post’s republished document to The Register.
“During Mudge’s employment, he uncovered extreme, egregious deficiencies by Twitter in every area of his mandate, including … user privacy, digital and physical security, and platform integrity / content moderation,” the complaint says.
When asked to comment, Twitter denied the allegations.
“Mr Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” a Twitter spokesperson told The Register in an emailed statement.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Zatko, a well-known ex member of the the Cult of the Dead Cow hacking group who has worked at Google, Stripe, and the US Department of Defense, has many defenders in the security community who have pushed back against Twitter’s attempt to blame its former security leader.
Zatko’s claims come at a particularly bad time. Twitter is in the midst of a legal battle with billionaire Elon Musk who made an offer to buy Twitter then tried to back out after the company’s value declined in conjunction with a broad market retreat. Musk’s justification for trying to get out of his contract to pay $44 billion for a company with a current market capitalization of $31 billion is based on his claim that Twitter underestimated its number of fake accounts and thus misrepresented its value.
The complaint alleges: Twitter made misrepresentations to the FTC about platform security, privacy, and integrity; Twitter violated SEC auditing rules for public companies; made fraudulent misrepresentations about securities violations to its Board of Directors; and exhibited “negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil, and/or censor the company’s platform, staff, and operations.”
Deep, deep trouble
The 84-page whistleblower document describes Twitter as a company without insight into its problems and without the leadership to fix them. It asserts that Twitter has failed to comply with its 2011 FTC Consent Order, a claim made separately in May by the FTC and Justice Department that Twitter settled for $150 million.
It paints a dire picture of Twitter’s IT operations, alleging that over 50 percent of the company’s 500,000 data center servers are running non-compliant kernels or operating systems, that over 30 percent of employee devices have disabled software and security updates, and that mobile device management and internal threat detection are deficient. We’re also told that about half of Twitter’s roughly 10,000 staff have access to live production systems and user data.
Particularly troubling is the claim that “the Indian government forced Twitter to hire specific individual(s) who were government agents who (because of Twitter’s basic architectural flaws) would have access to vast amounts of sensitive Twitter data.”
Agrawal, in an internal memo posted to Twitter by CNN reporter Donie O’Sullivan, echoes the statement provided by Twitter comms. He reiterates that Zatko was fired for cause and characterized the complaint as “a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.”
Zatko’s complaint offers support for Musk’s allegations that Twitter undercounted the number of bots operating on its platform. For example, it cites a May 16, 2022 tweet by Twitter’s CEO that states, “we are strongly incentivized to detect and remove as much spam as we possibly can, every single day.”
The filing says, “Agrawal’s tweet is a lie. In fact, Agrawal knows very well that Twitter executives are not incentivized to accurately ‘detect’ or report total spam bots on the platform.”
It goes on to claim that executives are incentivized not to report spam bots because Twitter in 2019 adopted “a new, proprietary, opaque metric” called Monetizable Daily Active Users (mDAUs) and tied executive bonuses to the metric.
“Executives are incentivized to avoid counting spambots as mDAU, because mDau is reported to advertisers, and advertisers use it to calculate the effectiveness of ads,” the complaint says.
Musk has reportedly scheduled a deposition with Zatko prior to the trial of Twitter’s case against Musk on October 17, 2022 in the Delaware Chancery Court. He has also reportedly subpoenaed former Twitter CEO Jack Dorsey.
Earlier this month, Twitter filed an answer [PDF] to Musk’s claims in the Delaware litigation, characterizing them as pretextual efforts to avoid fulfilling his contractual obligation to buy the company. ®