Former Twitter Head of Security Files Whistleblower Complaints, Alleging Violations of Previous Regulator Settlements
Following charges that serious lapses in Twitter’s data security practices allowed hackers to obtain unauthorized administrative control in January and May 2009, the social media company agreed in 2011 to a settlement with the U.S. Federal Trade Commission (FTC).
The terms of the settlement were clear. Twitter was barred until 2031 from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, as well as the measures the company takes to prevent unauthorized access to nonpublic information and honor consumers’ privacy choices. Twitter was also required to establish and maintain a comprehensive information security program for 10 years, which would be assessed by an independent auditor every other year.
Now, that settlement might be in jeopardy after Twitter’s former head of security filed a whistleblower complaint with the U.S. Securities and Exchange Commission (SEC), the U.S. Department of Justice (DOJ), and the FTC, claiming that the company violated the settlement’s terms.
Peiter Zatko, a respected hacker known as Mudge, filed a whistleblower complaint last month with the SEC, DOJ, and FTC. The redacted complaint was also sent to U.S. Congressional committees, and a senior aide on Capitol Hill shared a version with The Washington Post and CNN.
“Among the most serious accusations in the complaint…is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan,” according to The Washington Post. “Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software, and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.”
The whistleblower complaint also alleges that thousands of Twitter employees have “wide-ranging” and “poorly tracked internal access to core company software,” The Post reports.
Additionally, CNN explains that the complaint alleges that current Twitter CEO Parag Agrawal discouraged Zatko from being fully transparent with Twitter’s board of directors about the company’s security posture.
“The company’s executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company’s security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko’s back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problems,” according to CNN.
Zatko was recruited by former Twitter CEO Jack Dorsey into the chief security role at Twitter in 2020 after a security breach where hackers accessed the accounts of world leaders—including former U.S. President Barack Obama—to scam followers out of Bitcoin. He was fired in January 2022, two months after Dorsey left the company.
Zatko is being represented by Whistleblower Aid, a non-profit legal organization, which did not return Security Management’s request for comment before press time. Zatko did speak with The Post, however, about his decision to join Twitter when Dorsey was at the helm, and his decision to file the whistleblower complaint.
“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko told the Post about filing the whistleblower complaint. “I want to finish the job Jack brought me in for, which is to improve the place.”
The agencies Zatko filed the complaint with have not issued a public comment, but members of the U.S. Senate Intelligence Committee—who also received copies of the complaint—signaled that they might begin an investigation.
Rachel Cohen, a spokesperson for the committee, told the Associated Press that the committee is “in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
One area the committee may look into is the allegation that the government of India forced Twitter to hire a government agent, which would give the country access to user data during protests.
Twitter said in a statement provided to CNN that privacy and security are priorities for the company, and that it provides resources and tools for users to control their privacy and data sharing.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” Twitter said. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
The public disclosure of the whistleblower complaint adds to an already tumultuous year for the social media company. Just two weeks ago, former Twitter Middle East and North Africa media partnerships manager—Ahmad Abouammo—was convicted on six charges related to spying on users and passing that information on to Saudi Arabia.
In May 2022, Twitter also agreed to another settlement with the FTC, paying $150 million and agreeing to operational updates and program enhancements to ensure users’ personal data is secure and their privacy is protected. Twitter is also engaged in a lawsuit with Elon Musk, CEO of Tesla, after he attempted to back out of an agreement to buy the company in a $44 billion deal in April 2022.