A sign outside the building housing the headquarters of Twitter in San Francisco on July 18, 2022. Twitter's former head of security has accused the social media company and its executives of “extensive legal violations.” (Jim Wilson/The New York Times)
Twitter’s former head of security accused the company of making false and misleading statements about its security practices and lying to Elon Musk about fake accounts on its platform, potentially landing the social media service in new regulatory trouble as it tries to force Musk to complete a $44 billion deal to buy it.
Peiter Zatko, Twitter’s head of security who was terminated by the company in January, said in a whistleblower complaint that the firm had deceived the public by misrepresenting how it fights spam and hackers. That violated a 2011 agreement that Twitter had struck with the Federal Trade Commission, which had barred the company from misleading users about its security and privacy measures, he contended.
In his complaint, which was filed with the Securities and Exchange Commission on July 6, Zatko accused Twitter CEO Parag Agrawal and other executives and directors of “extensive legal violations” and acting with “negligence and even complicity” against hackers. Zatko also sent the complaint and supporting documents to the Justice Department and the FTC.
Zatko said Twitter also lied to Musk, who signed a blockbuster deal to buy the company in April but has been trying to back out of the acquisition. The complaint could give Musk legal fodder, with the billionaire’s attorneys saying they had already subpoenaed Zatko.
The whistleblower complaint is another strange twist for Twitter as it tries to ensure its corporate survival. The company, which is based in San Francisco, has been embroiled for months in a struggle with Musk, the world’s richest man, as he has blown hot and cold over owning the social media service, raising questions about its future as an independent entity. At the same time, Twitter has been grappling with an economic slowdown and has cut costs.
The whistleblower complaint could lead to fresh scrutiny for Twitter as regulators and lawmakers train their sights on the power and influence of technology companies. In 2019, the FTC fined Facebook about $5 billion for violating its privacy settlement with the agency. The SEC has also focused on companies that insufficiently disclose their susceptibility to security breaches.
Both agencies, which declined to comment, are likely to ask for additional documents and speak with Zatko, experts said. If they find his claims have merit, they could fine Twitter or require it to change the way it operates.
“There’s a near certainty that this will provoke a careful review by the Federal Trade Commission, maybe other public agencies, of the operation and management of the company, and that is at a moment where they are buffeted by so many other unwelcome forces — you don’t need another shock of this kind,” Bill Kovacic, a former chair of the FTC, said of Twitter.
Zatko’s complaint was reported earlier by The Washington Post and CNN.
A Twitter spokesperson said Zatko was fired in January for ineffective leadership and poor performance. She said he was spreading “a false narrative about Twitter and our privacy and data security practices.” She also suggested that he was capitalizing on the company’s situation with Musk “to capture attention and inflict harm on Twitter, its customers and its shareholders.”
Debra Katz, an attorney representing Zatko, disputed the idea that he was a disgruntled former employee and said he had tried to do the right thing by raising his concerns about Twitter’s security practices. Whistleblower Aid, an organization that is working with Zatko on his complaint, said the facts in the disclosure speak for themselves.
Musk, who did not respond to a request for comment, indirectly referred to the whistleblower complaint Tuesday. He tweeted a meme of Jiminy Cricket from the movie “Pinocchio” that said, “Give a little whistle.”
Zatko has not been in touch with Musk, said a person with knowledge of the situation who spoke on condition of anonymity because the proceedings were confidential. But Musk’s attorneys indicated they were interested in investigating Zatko’s claims.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Alex Spiro, an attorney for Musk, said in a statement. Katz said her client had not received a subpoena.
Zatko, a well-known hacker who goes by the nickname Mudge in the security community, joined Twitter in late 2020 after the company was hacked by teenagers who impersonated prominent figures on the social media service to accumulate bitcoin. He began working to document fraud at Twitter around the time of his firing, according to his complaint, and continued to share his findings with the company after he departed.
Zatko said in his complaint that he had quickly found that Twitter had made “little meaningful progress on basic security, integrity and privacy systems” and that the company “suffered from anomalously high rate of security incidents.” He contended that many regulatory filings Twitter had made detailing its privacy practices were “misleading, at best.”
In February 2021, Zatko made a presentation to Twitter’s board about the company’s lack of preparations for a potential data center failure that could knock the service offline. He also commissioned a third-party report on Twitter’s approach to spam and started projects to improve data security, the complaint said.
Zatko also said in his complaint that the Indian government had forced Twitter to hire government agents, who had access to internal data, and that a U.S. official warned the company that one or more of its employees was working on behalf of a foreign intelligence agency.
Twitter has been infiltrated by foreign operatives in the past. This month, a former Twitter employee was convicted of spying on users on behalf of Saudi Arabia.
In December, Twitter’s board received a briefing on security practices. In January, Zatko began voicing his concerns that the board had been presented with “fraudulent” information about his work on security. Three days later, he was fired, he said. Zatko said he had later sent material to support his claims to Twitter and the board.
©2019 New York Times News Service