A former Twitter security chief has alleged that the company misled regulators about its weak cybersecurity defenses and its negligence in trying to root out fake accounts that spread misinformation, according to a whistleblower complaint filed with US officials.
The revelation could create serious legal and financial problems for the social media platform, which is currently trying to force Tesla CEO Elon Musk to complete his $44 billion bid to buy the company. Several members of Congress on Tuesday called on regulators to investigate the allegations, ABC News reported.
Peiter Zatko, Twitter’s chief security officer until his firing earlier this year, filed the complaints last month with the US Securities and Exchange Commission, Federal Trade Commission and Justice Department. The nonprofit organization Whistleblower Aid, which works with Zatko, confirmed the authenticity of a redacted copy of the complaint posted online by The Washington Post.
“It was a last resort for him,” John Tye, the group’s co-founder and chief disclosure officer, said in an interview Tuesday. He said Zatko had exhausted all attempts to resolve his issues at the company before he was fired in January.
One of Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had stricter measures in place to protect the security and privacy of its users. Zatko also accuses the company of deceptions involving its handling of “spam” or fake accounts, an allegation that is at the heart of Musk’s bid to back out of the Twitter takeover.
Shares of Twitter Inc. had fallen more than 6% at one point on Tuesday.
Better known by his hacker name “Mudge”, Zatko is a well-respected cybersecurity expert who first rose to prominence in the 1990s and later held senior positions at the Pentagon’s Defense Advanced Research Agency and at Google.
He joined Twitter at the behest of then-CEO Jack Dorsey in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders, celebrities and tech moguls including Musk in an attempt to scam their followers out of bitcoin.
Twitter said in a prepared statement on Tuesday that Zatko was fired for “ineffective leadership and poor performance” and said “the allegations and opportunistic timing appear designed to draw attention to and harm Twitter, its customers and its shareholders”. The company called his complaint a “false narrative” that is “riddled with inconsistencies and inaccuracies and lacks significant context.”
Zatko’s attorneys, Debra Katz and Alexis Ronickher, said Twitter’s claim about his poor performance was false and that he repeatedly raised concerns about “grossly inadequate information security systems” to Twitter’s senior executives and board. The lawyers said that in late 2021, after the board received “whitewashed” information about these security issues, Zatko escalated his concerns, “clashed” with CEO Parag Agrawal and board member Omid Kordestani, and was fired two weeks later.
The 84-page complaint describes a broken corporate culture at Twitter that lacked effective leadership and where Zatko said top leaders practiced “willful ignorance” of pressing issues. His description of Dorsey’s leadership style is particularly scathing; he described the Twitter founder as “extremely disengaged” in his final months as CEO to the point that he wouldn’t even speak in meetings about the complex issues facing the company.
Zatko said he heard colleagues say Dorsey would be silent for “days or weeks.” Dorsey announced he was stepping down as CEO of Twitter in November 2021.
The disclosure says Twitter has not offered any monetary incentives to improve the security and integrity of the platform, although the company last year offered $10 million in bonuses to senior executives who could generate short-term user growth.
Among Zatko’s accusations of cybersecurity malpractice: software and security updates were disabled on more than a third of employee computers – unduly exposing them to malware – and it was common for people to install “any software they wanted on their work systems”. Such failures are generally considered deadly sins in cybersecurity.
Whistleblower Aid said it was legally prohibited from sharing Zatko’s statement. The same group worked with former Facebook employee Frances Haugen, who testified in Congress last year after leaking internal documents and accusing the social media giant of choosing profit over safety.
“I wouldn’t say he’s happy to have to become a whistleblower, but he’s adamant in his decision,” Tye said. “And committed to getting to the bottom of it.”
A spokeswoman for the U.S. Senate Intelligence Committee, Rachel Cohen, said the committee had received Zatko’s complaint and was working to schedule a meeting “to discuss the allegations in more detail. We take this matter seriously.”
Sen. Dick Durbin, a Democrat from Illinois, said in a prepared statement that if the claims are accurate, “they may show dangerous privacy and data security risks for Twitter users around the world.”
Among the most alarming complaints is Zatko’s allegation that Twitter knowingly allowed the Indian government to place its agents on the company’s payroll, where they had “direct and unsupervised access to corporate systems and user data.”
A 2011 FTC complaint noted that Twitter’s systems were full of highly sensitive data that could allow a hostile government to find precise location data for specific users and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California of handing over sensitive Twitter user data to royals in Saudi Arabia in exchange for bribes.
The complaint said that Twitter was also heavily dependent on funding from Chinese entities and that Zatko was concerned that the company was providing information to these entities that would allow them to learn the identities and sensitive information of Chinese users who covertly use Twitter, which is officially banned in China.
Zatko also describes Twitter executives’ willful ignorance about counting the millions of accounts that are automated “spam bots” or have no value to advertisers because there is no one behind them. Zatko cited a “damning” outside report from 2021 which found that Twitter’s tools for combating bots were neither automated nor sophisticated enough and instead relied on humans “not sufficiently staffed or resourced, to solve the problem of misinformation and disinformation”.
Alex Spiro, an attorney representing Musk in his effort to walk away from his deal to acquire Twitter, said the attorneys issued a subpoena for Zatko. “We found his departure and that of other key employees curious in light of what we found,” Spiro wrote in an email Tuesday. Spiro said Zatko and Musk have not been in contact at any time this year.
Copyright © 2022 ABC, Inc.