
A Twitter whistleblower claims that inadequate cybersecurity fosters attacks and manipulation

A former Twitter cybersecurity official has alleged systemic data security flaws at the company, undercounting of phoney accounts, and ways in which foreign intelligence agencies might exploit the social media network.

CNN and The Washington Post reported on Tuesday that Peiter "Mudge" Zatko, Twitter's former chief of security, wrote a 200-page notification to Congress and various regulatory agencies in July detailing the alleged vulnerabilities.

According to Zatko, Twitter fired him in January after he conveyed his concerns to management, including CEO Parag Agrawal, who was formerly the company's chief technical officer.

The disclosure has not been made public, but Whistleblower Aid, a nonprofit organisation that submitted the report on Zatko's behalf, asserts that he is entitled to whistleblower protections for legitimately making the revelation.

In response to media outlets, a Twitter spokesman described Zatko's allegations as "a misleading narrative about Twitter and our privacy and data security standards that is filled with contradictions and falsehoods and lacks crucial context. Mr. Zatko's allegations and opportunistic timing appear calculated to attract attention and cause damage to Twitter, its consumers, and its stockholders."

Like those of Facebook whistleblower Frances Haugen, Zatko's charges highlight a variety of possible compliance issues within Twitter that could serve as instructive opportunities for compliance officers. Here are five.

The bulk of Zatko's Twitter disclosure centred on the company's lax cybersecurity standards, including the claim that half of its servers run on obsolete software that does not support basic security features, such as encryption for stored data or vendor security updates. According to Zatko, the corporation also lacks the redundancy mechanisms needed to recover from data centre failures, so even minor outages can take the entire service offline for hours.

Noncompliance with FTC consent order: In 2010, the Federal Trade Commission (FTC) argued that Twitter did not take sufficient measures to prevent data breaches or unauthorised access to thousands of user accounts for the purpose of sending bogus tweets. In 2011, both parties agreed to a consent order.

In its decision, the agency required Twitter to "create and maintain a robust information security programme that will be evaluated every other year for 10 years by an independent auditor." According to Zatko, the company has never complied with the order, a claim the company denies.

Twitter was fined $150 million by the FTC and Department of Justice (DOJ) in May for violating the 2011 ruling by "misrepresenting" how it used nonpublic user information.

According to Whistleblower Aid, the FTC, together with the Department of Justice and Securities and Exchange Commission, received a copy of Zatko's disclosure.

How many bots are there? According to Zatko, Twitter is unique among social media businesses in how it counts its users.

Its competitors track and report all active users, as did Twitter until 2019. In that year, it transitioned to monetizable daily active users (MDAU), a metric that, according to the firm, includes all users who could be given advertisements on the network. Zatko stated that all other accounts are in a separate bucket, for example because they are known to be bots.

Twitter reports bots only as a percentage of MDAU and not as a percentage of the overall number of accounts on the site, which obscures the true magnitude of phoney and spam accounts on the service, according to Zatko.

The number of bots on Twitter is Elon Musk's primary concern as he attempts to back out of a $44 billion deal to acquire the firm.

Thousands of people, or approximately half of the company's personnel, have unrestricted access to some of Twitter's most vital controls, according to Zatko.

Even worse, the corporation allegedly has few systems in place to monitor what employees do on the platform. Without such monitoring, it may be unable to hold personnel accountable for lapses or errors in judgement that lead to data breaches, or for more serious wrongdoing, such as initiating disinformation campaigns on behalf of a particular group or foreign government.

CNN stated that the U.S. government informed Twitter shortly before Zatko's dismissal that at least one of its workers, and perhaps more, was working for another government's intelligence service. There is no indication in Zatko's declaration as to whether Twitter was already aware or whether it later acted on the information.

This month, the U.S. District Court for the Northern District of California found former Twitter manager Ahmad Abouammo guilty of spying for Saudi Arabia and illegally exchanging user information.

Zatko stated that Twitter's lack of an adequate personnel monitoring system makes it more susceptible to these types of threats.
