From national security threats to recklessness: Whistleblower ‘exposes’ Twitter
Twitter's former Head of Security, Peiter 'Mudge' Zatko, has made bombshell disclosures about the social media platform's security vulnerabilities that are allegedly a risk to national security, democracy and every user's data.
In what is expected to stir up a storm worldwide, a whistleblower has claimed that Twitter's executives have been concealing 'extreme, egregious deficiencies' in the platform's security from its board and regulators, deficiencies that allegedly pose a serious risk to national security, democracy, users' personal data and the company's shareholders, and that executives do not know how many bots are on the platform.
The scathing disclosure, made by Twitter's former Head of Security, Peiter 'Mudge' Zatko, totalled around 200 pages and was sent to US Congress and federal agencies last month.
Here's a look at some of the key claims made by whistleblower Zatko:
* According to CNN and the Washington Post, which quoted from Zatko's disclosure, Twitter's security is badly mismanaged: thousands of employees have broad access to critical internal controls and to the company's most sensitive user data.
* Zatko, who reported directly to the CEO, claimed that senior executives have been covering up Twitter's most significant vulnerabilities, and alleged that one or more employees could be working for foreign intelligence services.
* According to the disclosure, Twitter is particularly exposed to exploitation by foreign governments in ways that endanger US national security, and the company may currently employ foreign agents. Zatko claims that shortly before he was fired, the US government gave Twitter explicit evidence that at least one of its employees was working for a foreign intelligence service. The disclosure does not say whether Twitter already knew, or how it responded to the tip.
* Before Russia's invasion of Ukraine, Agrawal, then Twitter's chief technology officer, allegedly suggested to Zatko that Twitter comply with Russian government demands that could have led to widespread blocking or surveillance of the platform. Zatko says that although the suggestion was ultimately not acted upon, it was a troubling indication of how far Twitter was prepared to go in order to grow. "The fact that Twitter's current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter's effects on US national security," Zatko's disclosure says.
* According to the whistleblower, Twitter's management misled the board and regulators about the platform's security weaknesses, which left it open to hacking, manipulation, foreign espionage and disinformation.
* In claims likely to bolster billionaire Elon Musk's legal bid to walk away from his takeover, Zatko also said Twitter's executives lack the resources to determine the number of bots on the micro-blogging platform. He alleges that he came away from conversations with the integrity team with the understanding that the company 'had no appetite to properly measure the prevalence of bots,' in part because if the true number became public, it could harm the company's valuation and image. The Tesla CEO backed out of his $44 billion takeover agreement after claiming that the platform had not been forthright about the number of bots and fraudulent accounts among its 238 million daily active users.
* Zatko, who previously worked at Google and the Department of Defense, also alleged that Twitter does not reliably delete users' data after they close their accounts, often because staff have lost track of where the data is stored.
* The disclosure describes Zatko's overall findings as 'egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.'
* Zatko disclosed that he and Twitter CEO Parag Agrawal, who succeeded Jack Dorsey in November, had a contentious relationship. He claimed that Agrawal and his staff repeatedly advised him not to give the board a thorough written account of the security issues and instead to present his findings orally. The whistleblower claimed that after he was told to offer selective statistics to create the impression of progress, Agrawal and his staff worked behind his back to edit a consulting firm's report and conceal the severity of the issues.
* Zatko claimed that Dorsey, although more receptive to his suggestions than Agrawal, was less involved during Zatko's final months at the tech giant. According to Zatko, Dorsey had grown so distant and uninterested in the business that some employees even believed he was unwell.
* He further alleged that roughly four in ten employee devices did not meet basic security requirements, and that Twitter could not hold individual employees accountable because it had no control over, or visibility into, their machines.
* Aside from the staffing and access-control concerns, Zatko also feared that Twitter's server infrastructure left it vulnerable. He said about half of its 500,000 servers run outdated software that neither supports encryption of stored data nor receives regular security updates. Its inadequate procedures for recovering from data centre failures also mean that even minor outages could knock Twitter offline for good, he claims.
Who is Peiter 'Mudge' Zatko, and why is Twitter's former Head of Security going public with these claims?
Zatko, a well-known hacker, told Congress about 20 years ago that he could shut down the internet in 30 minutes. His career began in the 1990s, when he worked secretly for a government contractor while also leading the hacker collective Cult of the Dead Cow, known for releasing Windows hacking tools to pressure Microsoft into improving its security.
In 2020, then Twitter CEO Jack Dorsey appointed him to recommend changes to the company's structure and practices to bolster its security, after a damaging compromise in which accounts including those of Barack Obama, Joe Biden and Elon Musk were hijacked.
At that time, he said he would examine 'information security, site integrity, physical security, platform integrity - which starts to touch on abuse and manipulation of the platform - and engineering.'
Zatko's concerns at Twitter grew after the January 6 Capitol riots, when he feared that a sympathiser inside the company could manipulate the platform from within its production environment, the live systems that serve users. But he says he soon learned that 'it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.... Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.'
Twitter fired Zatko in January for what the company deemed to be subpar performance. Zatko says his public disclosure followed his attempts to alert Twitter's board to the security flaws, to help the company resolve years-old technical problems, and to address what he claims is Twitter's non-compliance with an earlier privacy agreement with the Federal Trade Commission.
Zatko is represented by Whistleblower Aid, the same organisation that represented Facebook whistleblower Frances Haugen.
Zatko claims that by going public, he is carrying out the task for which he was recruited for a platform that is essential to democracy. "Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I'm still performing that mission," he said.
Twitter claims Zatko's allegations designed to 'inflict harm' on the company
In a statement to CNN, a Twitter spokesperson said Zatko was fired from his senior executive role at the company more than six months ago owing to poor performance and ineffective leadership.
"While we haven't had access to the specific allegations being referenced, what we've seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter, and we still have a lot of work ahead of us," the Twitter spokesperson added.
What is the US Government's response to Zatko's disclosure?
In a statement to CNN, Sen. Dick Durbin, who chairs the Senate Judiciary Committee and also received the disclosure, vowed to investigate "and take further steps as needed to get to the bottom of these alarming allegations."
Sen. Chuck Grassley, the same panel's top Republican and an avid Twitter user, also expressed deep concerns about the allegations. "Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster. The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further," Grassley told CNN.