Twitter Whistleblower Claims ‘Extreme, Egregious Deficiencies’ for Security, Privacy and Spam

Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.

These are the words of Peiter ‘Mudge’ Zatko, a cybersecurity expert who was formerly an executive at Twitter. The quote is taken from Zatko’s final letter to the company detailing his security concerns, which was written shortly after he was dismissed as an employee. That letter is now included in the explosive whistleblowing complaint Zatko has lodged with the Securities and Exchange Commission (SEC), as revealed by The Washington Post yesterday. Zatko alleges Twitter:

  • misled the US Federal Trade Commission (FTC) and shareholders about steps taken to improve security;
  • allowed governments an unofficial mechanism to obtain personal data about Twitter users by giving jobs that involve accessing user data to individuals nominated by those governments;
  • ran insecure out-of-date software on half of all its servers;
  • permitted a dangerously large number of staff to have excessive access rights;
  • made software changes to the live environment without checking for errors or vulnerabilities in a test environment first;
  • incentivized executives to increase apparent user numbers whilst the company failed to adequately resource the work needed to tackle spam and bots; and
  • was led by CEOs who were either negligent or deliberately deceptive about the company’s security failings.

Zatko was in a position to know about Twitter’s weaknesses, which he depicted as rooted in a broken company culture. Yesterday’s Washington Post summed up the story thus:

The complaint from former head of security Peiter Zatko, a widely admired hacker known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.

It would be a disservice to only describe 51-year-old Zatko as a hacker. Zatko gained prominence in his 20s for his contribution to the L0pht hacker think tank and the development of L0phtCrack password cracking software. Whilst Zatko developed a following through presentations at events like DEF CON and USENIX, he also pursued good relations with government and industry, leading him to testify to a Senate committee about internet vulnerabilities and to meet with Bill Clinton at a summit of security leaders arranged by the President. Zatko was a scientist for government contractor BBN Technologies during his 30s, and by his 40s he was directing security research on behalf of the US government’s Defense Advanced Research Projects Agency (DARPA). It was because of his expertise and credibility that Jack Dorsey, then the CEO of Twitter, hired Zatko in 2020 and tasked him with strengthening the company’s security following the embarrassment caused by hackers taking control of the Twitter accounts of some of the world’s most prominent individuals, including Barack Obama and Bill Gates.

Zatko’s recruitment in 2020 sent a signal that Twitter was taking security seriously. His role reported directly to Dorsey. However, Zatko was unceremoniously terminated in January 2022, just two months after Dorsey was succeeded as CEO by Parag Agrawal. Zatko subsequently lodged a whistleblowing complaint about alleged wrongdoing at Twitter; this complaint entitles him to special protections under US law. Twitter responded to the public reporting of this complaint by immediately seeking to portray Zatko as a failed former employee who bears a grudge. A spokesperson for Twitter said the company had greatly improved security since 2020 and that Zatko’s allegations were “riddled with inaccuracies”, before emphasizing that Zatko was fired because of his “poor performance and leadership”. Agrawal followed up by reinforcing that message to Twitter’s employees.

However, my instincts tell me to be circumspect about the rush to rubbish Zatko by Twitter’s boss and his minions. Zatko’s accusations should be examined seriously for three simple reasons:

  • Twitter has long had a terrible track record that includes multiple prominent security and privacy failures. Many occurred during Agrawal’s time as CTO. Twitter are now engaged in a gargantuan legal struggle with Elon Musk over his claims that Twitter massively understates the number of fake users on their platform, an issue which directly relates to the truthfulness of Twitter’s public assertions about information security.
  • Zatko is old enough and serious enough to know that testimony like this will hamper his chances of securing big corporate jobs in future, even though his official status as a whistleblower who submitted his allegations to the SEC means he is legally protected from any direct revenge by Twitter.
  • The story that Zatko tells is credible. He recounts how he reported to CEOs who either failed to give him the support needed to succeed or who were angered when Zatko challenged misinformation designed to give an unrealistically favorable impression of the progress made to address security flaws.

This last point is key. If Twitter succeeded in rapidly improving their security then it seems unlikely they would rush to eject the man who had been specifically recruited to lead this effort. And if the company has always taken security and privacy seriously, why did the CISO of Twitter, who was given that role at the time of Zatko’s departure, take to Twitter just a few days ago to advertise a long string of senior security and privacy vacancies? A business that hurriedly hires and fires security leaders cannot then pretend they never have problems with establishing and developing the skilled team they need.

It is often said that the tone set by people at the top of an organization is a vital precursor to good corporate governance. So it hits hard when Zatko asserts Twitter executives could individually receive bonuses worth up to USD10mn if user growth targets are met, but with no conditions tied to their tackling bogus user accounts. Zatko was an executive who reported directly to the CEO, so he would have been aware of the objectives and incentives given to the top tier of management. If his claim about executive remuneration is false then he would have known it could easily be disproved; Twitter has instead acknowledged that user growth is a factor in determining bonuses but played it down by saying other factors, such as revenue growth, have greater influence on the rewards paid to executives.

Twitter’s management team has strenuously disputed Elon Musk’s publicly-stated argument that Twitter lacks the controls needed to properly measure and deactivate bots that simulate genuine users. Perhaps Twitter are doing enough to tackle spam and bots, but the executives are intelligent people who must know that every success in this arena could cost them money by making it harder to meet their performance targets. Twitter generates income from advertising; any reduction to user numbers caused by culling bots would also potentially hurt revenues. The executive team could have sought to balance bonuses oriented around growth by also negotiating a reward for limiting bogus users, but they did not. Zatko does not hold back in his criticism, accusing Agrawal of “lying” when he tweeted at Musk about Twitter management being “strongly incentivized” to reduce phoney users.

Zatko’s dislike of Agrawal is palpable, and his complaint singles out the current CEO for criticism in how the company has handled spam and bots on its platform.

…Agrawal’s Tweets and Twitter’s previous blog posts misleadingly imply that Twitter employs proactive, sophisticated systems to measure and block spam bots. Mudge discovered the reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams. The scripts were largely un-owned by any person or team, and their results were not tracked. Furthermore no effort was made to compare costs to benefits of the scripts, nor approaches, nor their veracity.

…during the 2021 calendar year, he developed and presented to the Board of Directors a sweeping, 3-year Board-supervised objective… [that] would have assigned responsibility for properly measuring bot prevalence… If Twitter was already accurately measuring and estimating spam bot prevalence on the platform, this issue would not have reached the Board and been a specific part of Mudge’s 2022 plans.

Zatko’s claims about the poor tools available to Twitter employees tasked with identifying and reducing bots were supported by an independent report produced for Twitter by an external firm. An excerpt from that report reads:

Tools available to Site Integrity to work on these issues are often outdated, “hacked together”, or difficult to use, limiting Twitter’s ability to effectively enforce policies at scale. A lack of automation and sophisticated tooling means that Twitter relies on human capabilities, which are not adequately staffed or resourced, to address the misinformation and disinformation problem.

Zatko evidently had a fractious relationship with Agrawal, who was the CTO of Twitter before his promotion to CEO. Zatko’s whistleblowing complaint puts Agrawal in particular jeopardy as both the CTO who played down technological weaknesses whilst positioning himself for the top job, and as the CEO who publicly argued Twitter’s management can be confident that bot users represent less than 5 percent of the total user base. Agrawal had most to lose from admitting the need for a major overhaul of the company’s technology to address many of the security failings identified by Zatko, both whilst Agrawal was CTO and later when he was deflecting criticism during Twitter’s public rows with Musk.

Cybersecurity had been the responsibility of Agrawal before Zatko was recruited, so their relative positions set them up for conflict. In contrast, Zatko seemingly made little progress when Dorsey was CEO because the two of them rarely talked to each other, and Dorsey showed no interest in supporting Zatko’s work. Zatko reported directly to Dorsey but the two men only spoke privately, without the participation of others, on just six occasions during the entire year they worked together.

Amongst the most damaging of Zatko’s claims is that at least one known agent of the Indian government was employed by Twitter during a period when the government was seeking to crack down on protests that were often organized using social media. This effectively allowed Twitter to pretend it takes privacy seriously whilst the Indian government could help itself to the data it wanted without the rigmarole of going through lawful channels to obtain it.

The Indian government forced Twitter to hire specific individual(s) who were government agents, who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data. Twitter’s transparency reports purported to quantify the number of government data requests from the Indian government, but the company did not in fact disclose to users that it was believed by the executive team that the Indian government has succeeded in placing agents on the company payroll. By knowingly permitting an Indian government agent direct unsupervised access to the company’s systems and user data, Twitter executives violated the company’s articulated commitments to its users.

The Indian government is unlikely to sue Twitter over its failings, but there is now a distinct possibility that the Federal Trade Commission (FTC) in the USA will take action. Twitter’s past failings led to a settlement with the FTC in 2011 which required Twitter to better protect its users. A violation of the 2011 order resulted in a USD150mn fine for Twitter as recently as May this year. Zatko’s complaint alleges many more failures to satisfy the stipulations in the FTC order, leaving Twitter at risk of even larger fines if the FTC investigates and finds Zatko’s allegations are correct.

Zatko was ultimately fired by Agrawal just two weeks after Zatko prompted the Audit Committee to perform an investigation which centered on whether the company’s Risk Committee had been fed misinformation about the number of security intrusions Twitter was suffering. Zatko challenged figures included in a presentation written for the first board meeting that Agrawal attended as CEO. The objections from Zatko led to that pack not being provided at that board meeting. However, Agrawal decided the same pack should be given to the Risk Committee a week later, despite Zatko’s continued complaints about the accuracy of the information it contained.

Twitter has come under a lot of scrutiny since Elon Musk first offered, then withdrew, a USD44bn offer to purchase the company. Zatko’s allegations are not proven, but if even half of his complaints are valid then Twitter’s top management would have very strong motives to suppress the truth about the company’s internal difficulties. One reason to take Zatko’s allegations seriously is that he has little to gain by blowing the whistle; even honest companies will now be reluctant to hire him. Zatko’s whistleblowing evidence could lead to a pay-out from the government if it results in a successful legal action, but that is far less guaranteed than the remuneration he could command as a leading corporate cybersecurity executive. If Zatko’s claims are judged false, he has effectively ended what had been a stellar career. In contrast, Twitter has much more to lose than Zatko stands to gain. If Twitter are caught lying then it could prompt multi-million dollar fines resulting from their non-compliance with the existing FTC order, and would cost shareholders billions as a result of the collapse of the legal fight with Musk and the hit to the reputation of the current management team.

Many of Zatko’s claims have been corroborated by Twitter insiders interviewed by Washington Post journalists. The methodical way they have investigated this story stands in sharp contrast to the shockingly lackadaisical standards recently exhibited by many working for US tech-oriented publications. An unhealthily large section of the free press has reported statements made by Twitter’s senior management as if they must be true because they contradict assertions made by Elon Musk. Instead of evaluating claims and counter-claims in an even-handed way, they have become part of the social media echo chamber that only tells listeners what they want to hear. This is irresponsible because the public needs proper advice as to whether their privacy might be compromised and the risk that misinformation is being pumped by bots whose sole purpose is to sway public opinion.

Journalists who portray themselves as caring about topics like fake news and privacy have allowed their irrelevant feelings about Musk to lead them to wholly unfounded assumptions about how well Twitter is performing as a business, the adequacy of controls Twitter has implemented to identify bogus user activity, and the extent to which Twitter has protected the personal data of users. The lack of objectivity exhibited by large swathes of the US tech media is a problem whether or not Zatko’s allegations are founded in truth. But if Zatko’s claims are proven correct, it will demonstrate the seriousness of the failings of journalists who encouraged the public to believe everything said by Twitter’s management for no reason other than to indulge their petty dislike of Musk.

Whilst Elon Musk is not always the most reliable commentator on events, it is irresponsible to infer that everything he says must be false, so that any business which contradicts Musk must be telling the truth. We shall have to see if Zatko’s whistleblowing results in legal action against Twitter, but we do not need to wait until then to conclude many professional commentators on matters relating to privacy and security cannot be trusted to fairly analyze evidence of risk to the public.

The Washington Post’s account of this story, including links to the whistleblowing documents submitted by Zatko, is published here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.