What Are the Twitter Whistleblower’s Allegations Against the Company?

When the former Twitter CEO Jack Dorsey hired Peiter Zatko as Twitter’s security chief in 2020, he thought that the hacker-turned-cybersecurity-specialist could help the company improve its security posture. But two years later, either Peiter couldn’t help Twitter or the company didn’t want his aid. He was fired for ineffective leadership and bad performance, but Zatko argues otherwise.

He filed a complaint with the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Justice Department accusing Twitter of willful ignorance and major security flaws.

It’s a litany of charges, each more damning than the next. Here are more revelations from Zatko’s chargesheet against Twitter.

1. Dangerous Security Vulnerabilities

Among the most serious allegations Zatko made against Twitter is that the company does little to protect its 238 million daily users (which include heads of state, government agencies, and influential public figures) against hackers.

He alleges that half of Twitter servers run out-of-date software and nearly a quarter of the employees have disabled software updates on their systems that could provide essential security patches.

If true, Twitter may be held in violation of the 2011 agreement with the FTC on consumer security. The agreement required the company to create and maintain a solid information security model to be inspected by an independent auditor for 10 years.

2. Problematic Internal Accesses

One factor that makes the platform vulnerable is the wide-ranging and unnecessary access employees reportedly have to the production environment.

Mr. Zatko alleges that far too many employees, including all the engineers and roughly half the workforce, work directly on the platform’s live product and access actual user data. This is unheard of in tech companies like Meta and Google where developers use dummy data to code and test in specialized sandboxes without affecting the main products.

The poorly tracked access to core company software has led to embarrassing hacks in the past, including the commandeering of high-profile user accounts like Bill Gates, Elon Musk, and Joe Biden.

3. Misleading Spam and Bot Count

The Twitter whistleblower’s disclosure accuses the company of misleading the investors and the public over the amount of spam and bots on the platform.

Previously, Twitter had claimed that only five percent of accounts on the platform are bots, but Zatko says the real number is far higher. He alleges that the company prioritizes user growth over reducing spam and that executives earn bonuses worth millions to increase daily user activity.

This accusation provides enough ammunition to Elon Musk in his legal battle to back out of a $44 billion deal to buy the company.

4. International Threats

Pieter Zatko claims that foreign governments that gain access to the platform or find leverage against it can do enormous damage to the US national security and interests. The threat isn’t theoretical when you consider the past incidents and weak cybersecurity stance of the company.

The report claims that shortly before Zatko was fired, the US government tipped Twitter off that at least one of its employees was an agent for a foreign intelligence agency. Zatko also believes that the company hired two people who were agents of the Indian government.

Similarly, Zatko claims that prior to Russia’s invasion of Ukraine, Parag Agrawal, who was Twitter’s CTO at the time, proposed making concessions to Russia in order to grow in the country at the cost of censorship or surveillance.

This is not the first time Twitter has been accused of helping countries censor or surveil the platform for monetary benefits. Just two weeks before Zatko’s disclosure, a jury convicted a former Twitter manager of spying for Saudi Arabia.

What Does Twitter Say About the Allegations?

Zatko’s report contains dozens of serious allegations against Twitter’s wrongdoings, including security vulnerabilities, poor access controls, misleading measurement of spam and bot accounts, and more.

But the company’s vice president of communications, Rebecca Hahn, told The Washington Post that Zatko’s disclosure lacks “important context”. Hahn believes that the “allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter” and that “security and privacy have long been company-wide priorities”.

Agrawal also denied the accusations against Twitter and called it “a false narrative that is riddled with inconsistencies and inaccuracies.” In a memo to employees, he stressed the company will pursue all paths to defend its integrity and set the record straight.

What Can We Learn From the Twitter Whistleblower?

Importantly, we all need to be aware that we can’t rely solely on other parties to keep ourselves secure online. Twitter may or may not leave its users open to hackers, but ultimately, we each need to take personal responsibility with what data we hand over to the company—and, indeed, any organization that asks for more personal information than is necessary.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button