According to a whistleblower disclosure, CNN and The Washington Post have discovered that Twitter has serious security problems. These security issues could pose a threat not only to Twitter’s users but also to company shareholders, national security, democracy, and national security. The disclosure, which was sent to Congress and federal agencies last month, shows a chaotic and reckless company that allows too many employees access to the platform’s central control and most sensitive information without proper oversight. It also claims that some of the company’s top-ranking executives tried to hide Twitter’s serious vulnerabilities. Additionally, one or more current employees could be working for a foreign intelligence agency. Peiter “Mudge”, Zatko, the whistleblower has agreed to be identified publicly. He was previously the company’s head of security and reported directly to the CEO. Zatko also claims that Twitter’s leadership misled its board and government regulators regarding its security vulnerabilities. This includes those that could open the door for foreign spying, manipulation, hacking, and disinformation campaigns. The whistleblower claims that Twitter doesn’t always delete users’ data when they cancel their accounts. This could be because it has lost track of the information or it has misled regulators as to whether it does so. The whistleblower claims that Twitter executives lack the resources and motivation to fully understand the true number bots on the platform. The bots have been central to Elon Musk’s attempts to renegotiate a $44billion deal to buy the company (although Twitter disputes Musk’s claims).

Document: Twitter whistleblower exposes alleged security breaches, violations, and fraud

Twitter (TWTR), fired Zatko in January over what the company claimed was poor performance. Zatko claims that he whistleblowed publically after trying to flag security lapses to Twitter’s board. He also tried to help Twitter fix years worth of technical problems and alleged non-compliance to an earlier privacy agreement with Federal Trade Commission. Whistleblower Aid is representing Zatko, the same group that represented Frances Haugen, the Facebook whistleblower. John Tye, the founder of Whistleblower Aid, and Zatko’s lawyer, said that Zatko had not been in touch with Musk and that Zatko started the whistleblower process long before there was any evidence of Musk’s involvement on Twitter. Read MoreAlthough this article was originally published, Alex Spiro for Musk told CNN that he had already issued a subpoena to Mr. Zatko and that he and other key employees were curious about what we’ve been finding. “CNN asked Twitter for comment on more than 50 questions related to the disclosure. A Twitter spokesperson stated that privacy and security are long-term priorities. Twitter stated that the company offers clear tools for users to control privacy and ad targeting, data sharing, and that it has created internal workflows so that users know that if they cancel their accounts, Twitter will deactivate them and begin a deletion process. Twitter declined to comment on whether the process is completed in a typical fashion. Twitter spokesperson stated that Mr. Zatko was fired in January 2022 from his position as senior executive at Twitter for ineffective leadership and poor performance. “What we have seen so far is a false narrative regarding Twitter and our privacy/data security practices. It is riddled inconsistencies, inaccuracies, and lacks essential context. Mr. Zatko’s claims and opportunistic timing seem designed to grab attention and inflict damage on Twitter, its customers, and its shareholders. Twitter has been a company-wide priority in privacy and security for a long time.

Peiter “Mudge” Zatko was the head security at Twitter.

Zatko is a well-known “ethical hacker” who has also held senior positions at Google, Stripe, and the US Department of Defense.

Some of Zatko’s most troubling claims stem from his apparently tense relationship to Parag Agrawal (the company’s former chief tech officer) who was appointed CEO last November after Jack Dorsey left. According to the disclosure, Agrawal’s lieutenants discouraged Zatko’s presentation of a complete accounting of Twitter’s security issues to the company’s board. According to reports, Zatko was instructed by the company’s executive team to present an oral report of his initial findings regarding the company’s security situation to the board. Instead of a detailed written account, Zatko was directed to knowingly present cherry-picked data to create the false impression of progress on urgent cybersecurity problems. Zatko was then ordered to conceal the true extent of the company’s problems by having a third-party consulting company’s report rewritten. This disclosure is generally more favorable to Dorsey who hired Zatko, and Zatko believes he wanted to see the problems in the company fixed. It does show him as very disengaged in the final months of his Twitter leadership — so much that some senior staff even considered the possibility that he was sick. CNN reached out to Dorsey to provide comment. According to a person familiar with Zatko’s tenure at Twitter, the company investigated several claims that he made at the time he was fired and found them unpersuasive. The person also stated that Zatko sometimes did not understand Twitter’s FTC obligations. Zatko believes that his firing was in retaliation to him raising concerns about security issues at the company. The detailed disclosure, which includes supporting exhibits, totals about 200 pages and was sent to a number of US government agencies and committees last month, including the Securities and Exchange Commission, Federal Trade Commission and Department of Justice. The disclosure’s existence and details have never been reported. CNN obtained a copy from a top Democratic aide on Capitol Hill. The FTC, DOJ, and SEC declined to comment. However, the Senate Intelligence Committee received a copy and is now considering the allegations. According to Rachel Cohen, a spokesperson for the committee, the meeting will be held to discuss them. Sen. Chuck Grassley is the Senate Judiciary Committee’s top Republican. Dick Durbin, who chairs Senate Judiciary Committee, also received the report. He pledged to investigate and take any further steps necessary to uncover the truth about these alarming claims. In a CNN statement, Sen. Chuck Grassley (the top Republican on the panel) expressed deep concern about the allegations. Grassley stated, “Take a tech platform which collects huge amounts of user data, and combine it with what appears be an incredibly weak security system and infuse that with foreign state actors with a agenda, and you have a recipe for disaster.” “The claims that I received from a Twitter whistleblower raise serious privacy and national security concerns, and should be investigated further.” In 1998, the WhistleblowerZatko was first brought to national attention when he participated in the first congressional hearings about cybersecurity. “All my life, I have been focused on finding places where I can make a difference. That’s what I did through the security industry. In an interview with CNN earlier this month, he stated that that’s his main lever. ReplayMore Videos…MUST WATCHTwitter whistleblower appeared on CNN 22 years ago. Here’s what he said 03:22. The events that led to his decision to whistleblower were before he started working at Twitter. In 2020, there was a catastrophic hack that compromised the Twitter accounts of many of the world’s most prominent people, including former President Barack Obama and Kim Kardashian. Twitter stated to CNN that the company had begun to separate customer support tools access in response to the incident. Dorsey hired Zatko, a well known “ethical hacker” who was also a cybersecurity insider and executive. He had previously held senior positions at Google, Stripe, and the US Department of Defense and told CNN that he had been offered a top, day-one cyber job in the Biden administration. Zatko, center, was one of a group that testified before Congress in 1998 on cybersecurity. He said that he found a company with extremely poor security practices. This included allowing thousands of employees of the company — roughly half of the workforce — access to certain critical controls. His disclosure described his overall findings as “egregious defects, negligence, willful ignorance and threats to national security, democracy, and society.” According to his disclosure, Zatko was concerned that someone within Twitter could attempt to manipulate the company’s platform following the January 6 insurrection. He wanted to restrict internal access that allows Twitter engineers, also known as the “production environments”, to make changes to the platform. According to the disclosure, Zatko quickly learned that it was impossible to protect the production environments. All engineers had access. No logs were kept of who entered the environment or what they did Nobody knew the location of data or if it was critical. All engineers had access to the production environment in some way. Twitter also lacks the ability to hold employees accountable for security breaches because it has no control over individual work computers. Zatko claims that Twitter’s internal cybersecurity reports show that 4 out 10 devices are not up to basic security standards. It was impossible to protect the production environment. All engineers had access. All engineers had access. The disclosure states that approximately half of the company’s 500,000 servers are running outdated software that doesn’t support basic security features like encryption for stored data, regular security updates by vendors, and a February email Zatko sent to Patrick Pichette (a member of Twitter’s board), that is included in the disclosure. According to Zatko’s disclosure, the company lacks sufficient redundancies or procedures to restart or restore from data center crashes. This could mean that even minor outages at one time could cause the Twitter service to go offline, possibly permanently. Twitter did not respond directly to CNN’s questions about the possibility of data center outages. However, Zatko stated that engineers and product team members are authorized to access the production environment only if there is a business reason. Twitter said that employees of Twitter use devices controlled by other IT and security teams. They can block devices from connecting to sensitive internal systems if they are running outdated software. The company stated that it uses automated checks in order to make sure that laptops with outdated software are not able to access the production environment. Employees may also only make changes to Twitter’s live products if the code meets certain record-keeping requirements and is under review. Peiter Zatko, a whistleblower, and Parag Agrawal (the CEO of Twitter), exchanged e-mails in which they discussed their confusion about corrective documents. According to a person familiar with Zatko’s tenure at Twitter, the company tests its internal security tools regularly and has external auditors test it every two years. According to the person, some of Zatko’s statistics regarding device security were not credible and were derived from a small group that did not properly account Twitter’s existing security procedures. Twitter’s security issues had been known before 2020. The FTC filed a complaint against Twitter in 2010 for mishandling users’ private data and accessing Twitter’s central controls by too many employees. An FTC consent order was issued by the FTC in response to the complaint. Twitter promised to correct its mistakes, including creating and maintaining a comprehensive information security program. Zatko claims that, despite Twitter’s claims to contrary, it “never was in compliance” with the FTC’s demands more than ten years ago. He claims that Twitter has an “anomalously large number of security incidents” due to its failure to address vulnerabilities raised earlier by the FTC and other deficiencies. There are approximately one per week that is serious enough to warrant disclosure to government agencies. After being fired by Twitter in January, Zatko wrote that “peer companies don’t have this magnitude and volume of incidents” in a February letter to Twitter. The stakes for Zatko’s disclosure of his information are huge. According to Jon Leibowitz (former chair of the FTC), it could result in billions of dollars of new fines for Twitter if it is found to have violated its legal obligation. According to Jon Leibowitz, who was the FTC’s former chair, if there is a violation, which is a very small if, then the FTC should seriously consider imposing new fines on Twitter. This comes after officials chose not to name top Facebook executives, including Sheryl Sandberg and Mark Zuckerberg, in the FTC’s $5billion privacy settlement with the company in 2019. Leibowitz spoke to CNN about the FTC’s failure to name executives in the Facebook order violation case. “And if there is a violation here — which is a big if — then the FTC should seriously consider not only fining the corporation, but also putting the executives under order. Twitter stated that its FTC compliance record speaks itself. It cited third-party audits submitted to the agency under the 2011 consent orders in which Zatko was not involved. Twitter also stated that it is in compliance of relevant privacy rules and has been transparent with regulators regarding its efforts to correct any deficiencies in its systems. According to CNN, Zatko’s claims are partly based on his inability to understand how Twitter’s processes and programs work to meet its FTC obligations. A person familiar with his tenure said that this misunderstanding led him to make inaccurate claims regarding the company’s compliance. Foreign threats Twitter is extremely vulnerable to foreign government exploitation in a way that undermines US national security. The disclosure claims that the company may even have foreign spy employees. According to the whistleblower report, the US government provided evidence to Twitter that at least one of its employees was working for an intelligence service of another government shortly before Zatko was fired. The report doesn’t say if Twitter knew about the tip or acted on it. Parag Agrawal was Twitter’s former chief tech officer. He was appointed CEO last November after Jack Dorsey left. Zatko claims that Agrawal proposed to Zatko that Twitter conform to Russian demands that could lead to broad-based surveillance or censorship of the platform. The disclosure does not give details about Agrawal’s suggestion. However, Russia passed a law last summer requiring tech platforms to open offices in Russia or face bans on advertising. This was a move that western security experts claimed was meant to give Russia more leverage over US companies. Zatko said that while Agrawal’s suggestion was eventually discarded, it was an alarming sign of just how far Twitter was willing go to pursue growth. According to Zatko’s disclosure, Twitter’s current CEO suggested that Twitter would become complicit in the Putin regime. This raises concerns about Twitter’s impact on US national security. Zatko’s report comes just two weeks after a former Twitter manager was found guilty of spying on Saudi Arabia. The gravity of the accusations Zatko is making at Twitter is evident in the Saudi case. His report could further irritate bipartisan concerns in Washington regarding foreign adversaries, and the cybersecurity threats that they pose to Americans. This includes the theft of US citizens data, manipulation of US voters, and theft technology and trade secrets. Twitter did not respond to specific questions regarding its alleged foreign intelligence vulnerabilities. The disclosure of the Musk element Zatko comes at a very fortunate moment for Musk, who is currently in a legal battle against Twitter over his attempt to rescind his purchase of the company. Musk claims that Twitter lied about the number spam bots it hosts, a matter that should have allowed him to terminate the deal. Although the April binding acquisition agreement Musk signed with Twitter did not contain any exemptions for bots, the billionaire claims that bots on the platform have an impact on user experience and that having more bots could affect the company’s long term value. Twitter filed a lawsuit against Musk, claiming that he was using bots to avoid closing the deal. This lawsuit was filed after Musk attempted to terminate the purchase. In October, the Delaware Chancery Court will hear the case. Twitter employees pass the company’s headquarters, San Francisco. User numbers are crucial information for any social media company. Advertising revenue is dependent on how many people can see an ad. However, figures about the number of users a service has or how many people view an ad on a site are notoriously difficult to determine. This is due to manipulation and error. Twitter is the only social media company that reports its user numbers to advertisers and investors using a measurement it calls monetizable everyday active users (mDAUs). Twitter’s rivals simply count all active users and report them; this was the way that Twitter did until 2019. However, Twitter’s figures could be subject to significant swings in certain circumstances, including takedowns by major bot networks. According to Zatko’s disclosure, Twitter switched to mDAUs. This counts all users who could be shown an ad on Twitter. It also leaves all accounts that can’t be shown an ad in a separate bucket. According to the company, less than 5% of its fake or spam accounts are reported. A person who is familiar with the matter confirmed that assessment to CNN this week. They also pointed to other investor disclosures that the figure relies upon significant judgment that may not accurately reflect reality. Zatko claims that by reporting bots as a percentage (instead of as a proportion of total accounts on the platform), Twitter conceals the true scale and extent of spam and fake accounts on the service. This is a claim Zatko alleges to be deliberately misleading. Zatko claims that he first inquired about the number of bot accounts on Twitter in the early 2021s. He was told by Twitter’s head for site integrity that they didn’t know the total number. He claims that he learned from his conversations with the integrity team that the company had “no appetite to properly measure bots” because if it became public, it could damage the company’s image and value. Jack Dorsey approached me and asked me to perform a crucial task at Twitter. Jack Dorsey reached out to me and asked me to perform a critical task at Twitter. There are many harmless bots on Twitter and across the internet, such as automated news accounts. Twitter offers an opt in feature that allows such accounts to clearly label themselves as “automated” using transparent labels. Twitter stated to CNN that it does not know how many bots are on Twitter. It also reiterated that not all bots can be bad. Twitter added that if Twitter focuses on the total number of Twitter bots, that would include bots that it may have identified and taken action against. Twitter stated that it does not believe it is able to catch all spam accounts on the platform. This is why it reports its less than 5% figure in its financial filings. CNN was told by Zatko that he believes it would still be worthwhile to attempt to determine the total number of spamming, false, or other potentially harmful automated accounts on Twitter. He stated that the board, the executive team, shareholders, and users all deserve to know the truth about what they are consuming on the platform. “From my perspective, I want the company to be transparent with me because I want to make strategic investments in the long-term success of an organization.” Twitter claims that bots are allowed on its platform but that its rules prohibit spamming and platform manipulation. As with all social media platforms, the problem lies in enforcing their policies. Elon Musk is currently in a legal dispute with Twitter over his attempt at resigning from the purchase of the company. The company claims it regularly challenges, suspends, and removes accounts involved in spam and platform manipulation. It also typically removes more than one million spam accounts per day. Twitter stated that the total number of bots on its platform is not useful. As context for its daily bot deletion figures, Twitter declined to answer questions regarding the total number of accounts on its platform and the average number daily of new accounts. However, Zatko’s claims could be used to support Musk’s central claim that the number of spam and fake accounts is much higher than what Twitter has publicly reported. Zatko claims that he is fulfilling the task he was hired for, and that he has made his public statements to prove it. Jack Dorsey reached me and asked me to join him in performing a crucial task at Twitter. He said that he signed me up to do it, and that he believes he is still fulfilling that mission.