Twitter has bigger problems than its impending court case against Elon Musk, after its former security chief Peiter Zatko said there are “egregious deficiencies” in the security and handling of users’ personal data.
Zatko’s whistle-blower complaint will be music to the ears of Musk’s lawyers, as Twitter tries to enforce Musk’s $44bn offer to buy the social media site. The trial is due to start on October 17 in Delaware’s delightfully named Court of Chancery.
Zatko has accused Twitter CEO Parag Agrawal, among other executives and directors, of “extensive legal violations” and acting with “negligence and even complicity” in its efforts to thwart hackers.
He sent his whistle-blower complaint to the US Securities & Exchange Commission in July, as well as the US justice department and the Federal Trade Commission (FTC). He also claims Twitter violated a 2011 agreement with the FTC to warn users about privacy or security problems.
Zatko, who goes by his nickname, Mudge, is a prominent “ethical hacker”. He was hired in November 2020 after teenagers hacked Twitter in July that year to use the accounts of celebrities — including Musk, Bill Gates and Barack Obama — in a bitcoin scam.
Twitter has made “little meaningful progress on basic security, integrity and privacy systems”, Zatko wrote in his complaint, while it “suffered from [an] anomalously high rate of security incidents”.
Twitter immediately hit back, pointing out that Zatko was “fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance”.
A Twitter spokesperson said: “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
The circumstances around Zatko’s departure are curious. He reportedly presented his security concerns to the Twitter board in December 2021 and in January said the board had been given a “fraudulent” presentation about his security work. He was fired three days later.
But Twitter’s then CEO, Jack Dorsey, reportedly hand-picked him in the first place, and Zatko says he has been warning Twitter of its security issues. These include a February 2021 presentation to the board about it being underprepared for a data centre crash that would take Twitter offline, according to his complaint.
He commissioned a report on Twitter’s spam strategy and said the Indian government forced Twitter to hire its agents. The US government warned that some Twitter employees were working for a foreign intelligence agency.
A former Twitter employee was last month convicted for spying for Saudi Arabia.
Zatko accused Twitter’s executives of misleading the board and regulators about security problems, and said the social network does not completely delete the personal data of users who cancel their accounts.
“There’s a near certainty that this will provoke a careful review by the Federal Trade Commission, maybe other public agencies, of the operation and management of the company, and that is at a moment where they are buffeted by so many other unwelcome forces — you don’t need another shock of this kind,” former FTC chair Bill Kovacic told The New York Times.
Musk’s lawyers have already subpoenaed Zatko, with attorney Alex Spiro saying: “We found his exit and that of other key employees curious in light of what we have been finding.”
Musk’s argument for not buying Twitter is that it misrepresented its spam problem as being larger than the 5% it has consistently reported to the SEC. Most commentators think this is a weak defence by Musk, with common sense suggesting he wants a cheaper price given the general slide in tech stock values.
“If Twitter left out things that it should have disclosed, that management knew were serious problems to the business that makes its SEC filings inaccurate, because they do not disclose material information about the business, that could help Musk with his fraud claim,” Ann Lipton, a professor of corporate governance at Tulane Law School, told The New York Times.
Twitter was fined $150m in May for not keeping to its 2011 consent decree agreement with the FTC, under which it is banned from misleading users about how it protects their data. That case arose because Twitter said it was collecting users’ e-mails and phone numbers to secure their accounts, but did not make clear enough that these were also given to marketers for advertising purposes.
These moves are heartening for consumers, but as with all social media, the many other problems remain.
As Stephen Fry once told Graham Norton about his 1 million followers: “I have to remind people, it’s not called social change, or heavy debate, it’s called ‘Twitter’. The clue is in the name.”
