5 takeaways from Twitter whistleblower Peiter Zatko

Startling new claims from Twitter’s former security chief, Peiter Zatko, have raised serious questions about the security of the platform’s service, its ability to identify and remove fake accounts, and the veracity of its statements to users, shareholders and federal regulators.

Zatko — better known by his hacker handle “Mudge” — is a respected cybersecurity expert who first came to prominence in the 1990s and later held senior positions at the Pentagon’s Defense Advanced Research Agency and Google. Twitter fired him from his security job early this year due to what the company called “ineffective leadership and poor performance.” Zatko’s lawyers say the allegation is false.

In a whistleblower complaint made public Tuesday, Zatko documented his uphill 14-month effort to strengthen Twitter security, increase the reliability of the service, repel intrusions by foreign government agents and both measure and take action against fake “bot” accounts that spammed the platform. In a statement, Twitter called Zatko’s description of events “a false narrative.”

Here are five takeaways from that complaint.

Twitter’s security and privacy systems were grossly inadequate

In 2011, Twitter settled a Federal Trade Commission investigation into its privacy practices by agreeing to put in place stronger data security protections. Zatko’s complaint alleges that Twitter’s problems worsened over time instead.

For example, the complaint says, Twitter’s internal systems allowed far too many employees to access personal user data they didn’t need for their jobs — a situation ripe for abuse. For years, Twitter also continued to mine user data such as phone numbers and email addresses — intended only for security purposes — for ad targeting and marketing campaigns, according to the complaint.

Twitter’s entire service could have collapsed irreparably under the stress

One of the most striking revelations in Zatko’s complaint is the claim that Twitter’s internal computer systems were so dilapidated — and the company’s emergency plans so inadequate — that any major crash or unplanned shutdown could have affected the entire platform.

The concern was that a “pervasive” data center failure could quickly spread across Twitter’s fragile information systems. As the complaint put it: “That meant that if all the centers went offline at the same time, even briefly, Twitter was unsure whether they could bring service back up. Downtime estimates ranged from weeks of around-the-clock work, to permanent unrecoverable failure.”

Twitter misled regulators, investors and Musk about bots and spam accounts

Essentially, Zatko’s complaint says that Tesla CEO Elon Musk — whose $44 billion bid to buy Twitter is heading toward an October trial in a court in Delaware — is right to charge that Twitter executives have little incentive to accurately measure the prevalence of fake accounts on the system.

The complaint alleges that the company’s senior management practiced “willful ignorance” about spambots. “Senior management had no appetite to properly measure the prevalence of bot accounts,” the complaint says, adding that executives believed accurately measuring bot presence would damage Twitter’s “image and valuation.”

The SEC in June asked Twitter about its methods for measuring bots.

On January 6, 2021, Twitter could have been at the mercy of disgruntled employees

Zatko’s complaint says that when a mob gathered in front of the US Capitol on January 6, 2021, and eventually stormed the building, he became concerned that employees sympathetic to the rioters might try to sabotage Twitter. This concern increased when he learned that it was “impossible” to protect the platform’s core systems from a hypothetical rogue or disaffected engineer intent on wreaking havoc.

“There were no logs, no one knew where data lived or whether it was critical, and all engineers had some form of critical access” to Twitter’s core functions, the complaint said.

A playground for foreign governments

The Zatko complaint also highlights Twitter’s difficulty identifying — much less countering — the presence of foreign agents on the service. In one case, the complaint alleges, the Indian government required Twitter to hire specific individuals alleged to be spies who would have had significant access to sensitive data thanks to Twitter’s own lax security controls. The complaint also alleges a more sinister situation involving taking money from unidentified “Chinese entities” that could then access data that could put Twitter users in China at risk.

Zatko is now speaking with investigators from the SEC, FTC and Justice Department and has met with the Senate Intelligence Committee, according to his lawyer.
