A former head of security at Twitter has filed whistleblower complaints with U.S. officials, alleging that the company misled regulators about its cybersecurity defenses and its problems with fake accounts, according to reports by The Washington Post and CNN.
Peiter Zatko, Twitter’s security chief until he was fired early this year, filed the complaints last month with the U.S. Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice.
The Post, which obtained the complaint, reported that among the most serious accusations is that Twitter violated the terms of an FTC settlement by falsely claiming that it had a strong security plan. Zatko also accuses the company of deceptions involving its handling of “spam” or fake accounts, an allegation that is at the core of the attempted withdrawal of a $44 billion takeover bid for Twitter by billionaire Elon Musk. Shares of Twitter Inc. slid 4% Tuesday.
Zatko didn’t immediately respond to a request for comment Tuesday but told the Post he “felt ethically bound” to come forward. Zatko, better known as Mudge, is a highly respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon’s Defense Advanced Research Agency and Google. He joined Twitter at the urging of then-CEO Jack Dorsey in late 2020.
Twitter said in a prepared statement Tuesday that Zatko was fired for “ineffective leadership and poor performance” and that the “allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the company said.
A spokesperson for the U.S. Senate’s intelligence committee, Rachel Cohen, said the committee has received the complaint and “is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
Sen. Dick Durbin, an Illinois Democrat, said in a prepared statement that if the claims are accurate, “they may show dangerous data privacy and security risks for Twitter users around the world.”
Among the most alarming complaints is Zatko’s allegation that Twitter knowingly allowed the Indian government to place its agents on the company payroll where they had “direct unsupervised access to the company’s systems and user data.”
A 2011 FTC complaint noted that Twitter’s systems were full of highly sensitive data that could allow a hostile government to find precise geo-location data for a specific user or group and target them for violence or arrest. Earlier this month, a former Twitter employee was found guilty after a trial in California of passing along sensitive Twitter user data to royal family members in Saudi Arabia in exchange for bribes.
The complaint said Twitter was also heavily reliant on funding by Chinese entities and that there were concerns within Twitter that the company was providing information to those entities that would enable them to learn the identify and sensitive information of Chinese users who secretly use Twitter, which is officially banned in China.
Zatko also describes “deliberate ignorance” by Twitter executives on counting the millions of accounts that are automated “spam bots” or otherwise have no value to advertisers because there is no person behind them.Alex Spiro, an attorney representing Musk in his effort to back out of the deal to buy Twitter, said lawyers have issued a subpoena for Zatko. “We found his exit and that of other key employees curious in light of what we have been finding,” Spiro wrote in an email Tuesday.