Twitter’s Ex-Security Head Files Whistleblower Complaint
23 Aug 2022 (MSN)
A whistleblower complaint by Twitter Inc.’s former head of security alleging widespread mismanagement spurred new scrutiny of the social-media company, adding to its challenges as it prepares for its legal battle with Elon Musk.
The complaint, which was submitted to the Securities and Exchange Commission last month and became public Tuesday, was made by Peiter Zatko, who was fired earlier this year. Mr. Zatko’s submission says that he “uncovered extreme, egregious deficiencies by Twitter in every area of his mandate,” including privacy, digital and physical security, platform integrity and content moderation.
Among Mr. Zatko’s claims are that Twitter executives, including Chief Executive Parag Agrawal, deliberately undercounted the prevalence of spam on the platform. Those claims could further complicate Twitter’s battle with Mr. Musk, whom the company sued in July to enforce his $44 billion takeover deal. Mr. Musk has alleged Twitter misrepresented its business, particularly as it relates to the level of spam or bot accounts, which Twitter denies.
The SEC declined to comment. The whistleblower complaint was also submitted to the Federal Trade Commission and the Justice Department. The Justice Department declined to comment. The FTC didn’t respond to a request for comment.
A five-day nonjury trial over the stalled deal is scheduled to start Oct. 17 in Delaware Chancery Court.
The existence of the whistleblower complaint was reported earlier on Tuesday by the Washington Post and CNN.
A Twitter spokeswoman said Mr. Zatko was fired “for ineffective leadership and poor performance” and that the complaint “is riddled with inconsistencies and inaccuracies and lacks important context.”
A lawyer for Mr. Musk said: “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”
Twitter’s shares fell 7.3% in Tuesday trading to their lowest closing price in nearly a month.
Mr. Zatko, a former hacker who is known as “Mudge,” has been a noted computer-security researcher for decades. He was a member of a Boston cybersecurity collective that came to prominence in 1998 when it offered warnings about the state of national cybersecurity in testimony to the U.S. Senate. During one Senate hearing, the group told lawmakers they could take down the internet in 30 minutes.
He was hired by Twitter in late 2020 after stints at the payments company Stripe, Alphabet Inc.’s Google unit, and the U.S. Defense Advanced Research Projects Agency, known as Darpa, according to his LinkedIn profile.
The whistleblower complaint adds a new dimension to the lawsuit over Musk’s intention to walk away from the deal, according to Charles Elson, founding director of the John L. Weinberg Center for Corporate Governance at the University of Delaware.
“He is arguing that he was misled by Twitter” and the complaint suggests the same thing, Mr. Elson said. Mr. Zatko will be brought in as part of the discovery process, Mr. Elson said, and the judge will be tasked with deciding whether the allegations would have a material impact on Mr. Musk’s case.
Like the Tesla Inc. CEO, Mr. Zatko alleges that Twitter miscounts users by focusing only on what are known as monetizable daily active users, or MDAUs, rather than all total daily users. The former category counts only those accounts that are thought to view advertising.
“There are many millions of active accounts that are not considered ‘mDAU,’ either because they are spam bots, or because Twitter does not believe it can monetize them,” Mr. Zatko says in the complaint. “These millions of non-mDAU accounts are part of the median user’s experience on the platform.”
Twitter has said it has a system for measuring users and spam that entails multiple human reviews of thousands of accounts sampled at random over time.
Mr. Zatko says in the complaint that he attempted to formally notify Twitter’s board of his concerns but was steered off by Mr. Agrawal.
John Tye, founder of Whistleblower Aid, an organization that helped file the whistleblower claims, said Mr. Zatko first approached the nonprofit in early March through the encrypted messaging app Signal. Mr. Tye said Mr. Zatko has never met or spoken with Mr. Musk and that Mr. Musk’s team hasn’t been in contact with the nonprofit about Mr. Zatko’s complaint.
“He sees this whistleblowing as sort of the last resort,” Mr. Tye said of Mr. Zatko.
Mr. Zatko was brought into Twitter by co-founder Jack Dorsey after a high-profile hack by a teenager who bypassed the company’s securities systems. Mr. Dorsey “specifically recruited Mudge for his reputation of speaking truth to power,” according to the complaint.
Mr. Dorsey, however, was only a sporadic presence at the company, and the new hire—who had hundreds of staff reporting to him—was quickly overwhelmed by the task at hand, according to the complaint. At one point, Mr. Agrawal told his team, “Twitter has 10 years of unpaid security bills,” per the complaint.
The relationship between Mr. Zatko and Twitter’s leadership deteriorated over the subsequent months, according to both parties. Mr. Zatko helped oversee a critical report on Twitter’s ability to fight misinformation and spam, which other executives watered down, according to the complaint. Mr. Zatko also said he was told by a Twitter lawyer that the changes were intended to hide the findings and prevent them from leaking internally or externally.
Mr. Zatko, in the complaint, also expressed concerns about Twitter’s ties to foreign governments and says the company may have foreign spies on its payroll. Mr. Zatko believed that the Indian government had forced the company to knowingly hire at least one employee who had access to “vast amounts of Twitter sensitive data,” the complaint shows. India’s Washington embassy didn’t respond to a request for comment.
Earlier this month, a former Twitter employee was found guilty by a U.S. jury of spying for Saudi Arabia by passing on private user information associated with critics of the kingdom in exchange for hundreds of thousands of dollars while he worked at the company from 2013 to 2015.
In a memo to employees Tuesday, Mr. Agrawal said: “I know this is frustrating and confusing to read, given Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination.” Mr. Agrawal defended Twitter’s work on privacy and security, while adding that the attention the complaint has brought to the company will make its work harder. “We will pursue all paths to defend our integrity as a company and set the record straight,” he said.
Twitter in 2011 reached an agreement with the Federal Trade Commission to maintain rigorous security, including limiting the number of employees with access to its key security and privacy controls. Mr. Zatko alleges that the company is in violation of that accord. The FTC didn’t respond to a request for comment.
The allegations, if true, point to potential cultural and governance issues at Twitter, said Nils Puhlmann, a security specialist who was formerly chief security officer at cloud-communications company Twilio. In particular, the allegation that Twitter violated an FTC consent decree could lead to repercussions with the federal government. “A consent decree is like a yellow card in soccer,” he said. “There is no second yellow card.”
Copies of the complaint were sent to the Senate Judiciary and Intelligence committees, aides of each panel said.
Democrats and Republicans have raised concerns about Twitter and other social-media companies in recent years over how they use and protect customer data, and have considered legislation that could require firms to adhere to certain data transparency or security standards. “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Sen. Dick Durbin (D., Ill.), chairman of the Judiciary Committee, said in a statement.
Corrections & Amplifications Parag Agrawal is the CEO of Twitter. An earlier version of this article incorrectly spelled his last name as Agarwal.