Twitter Accused of Neglecting Security Problems: What You Need to Know

Twitter’s chaotic year keeps getting worse.

The Washington Post and CNN reported on Tuesday that Peiter “Mudge” Zatko, the former head of security at Twitter, is alleging in a whistleblower complaint that he uncovered “extreme, egregious deficiencies” by Twitter surrounding user privacy, security and content moderation.

Zatko, whom Twitter fired in January, accuses the company, its executives and board of directors of violating federal law by making “false and misleading” statements to users and the Federal Trade Commission.

“Mudge spent 14 months pushing for improvements from the inside, and was terminated for his efforts,” the complaint states. Nonprofit law firm Whistleblower Aid is representing Zatko and confirmed to CNET that the complaint is authentic. Zatko filed the 84-page complaint in July to the US Securities and Exchange Commission, Department of Justice and the FTC.

The allegations come at a tumultuous time for Twitter. The influential social media company is in a high-profile legal battle with billionaire Elon Musk after the Tesla and SpaceX leader tried to back out of a $44 billion deal to purchase Twitter. The tech platform sued Musk to complete the deal and a five-day trial is scheduled for October. 

The complaint not only raises serious questions about whether Twitter is doing enough to safeguard user privacy and security but could impact whether Musk gets forced to buy the platform.

Here’s what you need to know:

Who is the Twitter whistleblower?

Zatko is a well-known hacker and longtime security expert who worked at DARPA (the research and development agency of the US Department of Defense) and Google before joining Twitter in 2020.

He created software that’s still used today to test the strength of passwords. He’s also been a part of influential hacking groups such as L0pht that testified before Congress in the 1990s on security issues.

Former Twitter CEO Jack Dorsey recruited Zatko to work at the social media company after teenagers hacked the high-profile Twitter accounts of Musk, celebrity Kim Kardashian and even Joe Biden, who at the time was the presumptive Democratic nominee for US president.

What are the allegations in the complaint?

The complaint is lengthy and includes several allegations against Twitter, including that the company prioritized daily user growth over the platform’s health and integrity.

Executives tried to hide bad news instead of trying to fix problems, possibly because they were rewarded financially for helping Twitter grow daily users, didn’t know better or had helped create the “broken systems,” according to the complaint.

Zatko, also known as Mudge, alleges he uncovered various security and privacy problems at the company and brought them to the attention of executives in 2021. The company appeared to have a high rate of security incidents, some employees had disabled security and software updates on their devices, and staff had too much access to user data, the complaint stated.

“Mudge identified there were several exposures and vulnerabilities at the scale of the 2020 incident waiting to be discovered, and reasonably feared Twitter could suffer an Equifax-level hack,” the complaint says.

Instead, Zatko alleges he didn’t get support to address these issues and received “stiff pushback,” particularly from Parag Agrawal, who is now Twitter’s CEO. Agrawal was Twitter’s chief technology officer before he was promoted, and the complaint notes that “Twitter’s problems had developed under Agrawal’s watch.”

The complaint accuses Twitter of violating an 11-year-old settlement with the FTC by falsely claiming it had a comprehensive security program. Zatko alleges that his findings were worse than Dorsey feared and that the company had never complied with the FTC order and wasn’t on track to do so.

The complaint also alleges Twitter lied to Musk about the number of spam bots on its platform and misled the FTC about fully deleting the data of users who leave the service. Zatko also outlines threats to democracy and national security. Some of these threats include the Indian government forcing Twitter to hire government agents and the company becoming more dependent on revenue from Chinese entities, the complaint says.

What is Twitter’s response to the allegations?

Twitter says that Zatko was fired because of “ineffective leadership and poor performance” and that the company prioritizes security and privacy.

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” Twitter spokeswoman Rebecca Hahn told The Post. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”

Twitter provided CNET with the same statement.

How are US lawmakers and regulators responding?

The complaint is already sparking scrutiny from US lawmakers.

Sen. Richard Blumenthal, a Connecticut Democrat, urged FTC Chair Lina Khan to investigate Twitter.

“These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public, as Twitter executives appeared to ignore or hinder efforts to address threats to user security and privacy,” Blumenthal wrote in a letter to Khan.

The SEC and FTC declined to comment. The DOJ didn’t immediately respond to a request for comment. 

Will the complaint impact whether Musk is forced to buy Twitter?

It’s possible. The complaint mentions that Zatko started to document evidence of fraud at Twitter in January 2022 before Musk offered to buy the company.

The Post, citing unnamed individuals with knowledge of the matter and legal experts, reported that Musk’s legal team is expected to use the complaint to argue for “wider discovery into Twitter’s internal practices and data.” That could help bolster Musk’s argument that the company provided him misleading information that led him to purchase Twitter for an inflated price.

Musk’s lawyers also reportedly scheduled a deposition with Zatko before news outlets reported on the whistleblower complaint, and Musk’s lawyer Alex Spiro told CNN the legal team had already subpoenaed Zatko.

Musk has accused Twitter of misrepresenting the number of false or spam accounts on its platform. The complaint alleges that Musk is correct, in that Twitter executives have little or no personal incentive to accurately detect or measure spam bots because they fear it could harm the image and valuation of the company.

On Tuesday, Musk tweeted a meme that said “Give a little whistle.”

source: cnet.com