Twitter’s Former Security Chief Accuses It of ‘Misleading’ Public on Security Practices
Twitter’s former head of security accused the company of making false and misleading statements about its security practices and lying to Elon Musk about fake accounts on its platform, potentially landing the social media service in new regulatory trouble as it tries to force Mr. Musk to complete a $44 billion deal to buy it.
Peiter Zatko, Twitter’s head of security who was terminated by the company in January, said in a whistle-blower complaint that the firm had deceived the public by misrepresenting how it fights spam and hackers. That violated a 2011 agreement that Twitter had struck with the Federal Trade Commission, which had barred the company from misleading users about its security and privacy measures, he contended.
In his complaint, which was filed with the Securities and Exchange Commission on July 6, Mr. Zatko accused Parag Agrawal, Twitter’s chief executive, and other executives and directors of “extensive legal violations” and acting with “negligence and even complicity” against hackers. Mr. Zatko also sent the complaint and supporting documents to the Justice Department and the F.T.C.
Mr. Zatko said Twitter had also lied to Mr. Musk, who signed a blockbuster deal to buy the company in April but has been trying to back out of the acquisition. The complaint could give Mr. Musk legal fodder, with the billionaire’s lawyers saying they had already subpoenaed Mr. Zatko.
The whistle-blower complaint is another strange twist for Twitter as it tries to ensure its corporate survival. The company, which is based in San Francisco, has been embroiled for months in a struggle with Mr. Musk, the world’s richest man, as he has blown hot and cold over owning the social media service, raising questions about its future as an independent entity. At the same time, Twitter has been grappling with an economic slowdown and has cut costs.
The whistle-blower complaint could lead to fresh scrutiny for Twitter as regulators and lawmakers train their sights on the power and influence of technology companies. In 2019, the F.T.C. fined Facebook about $5 billion for violating its privacy settlement with the agency. The S.E.C. has also focused on companies that insufficiently disclose their susceptibility to security breaches.
Both agencies, which declined to comment, are likely to ask for additional documents and speak with Mr. Zatko, experts said. If they find his claims have merit, they could fine Twitter or require it to change the way it operates.
“There’s a near certainty that this will provoke a careful review by the Federal Trade Commission, maybe other public agencies, of the operation and management of the company, and that is at a moment where they are buffeted by so many other unwelcome forces — you don’t need another shock of this kind,” Bill Kovacic, a former chair of the F.T.C., said of Twitter.
Mr. Zatko’s complaint was reported earlier by The Washington Post and CNN.
A Twitter spokeswoman said Mr. Zatko was fired in January for ineffective leadership and poor performance. She said he was spreading “a false narrative about Twitter and our privacy and data security practices.” She also suggested that he was capitalizing on the company’s situation with Mr. Musk “to capture attention and inflict harm on Twitter, its customers and its shareholders.”
Debra Katz, a lawyer representing Mr. Zatko, disputed the idea that he was a disgruntled former employee and said he had tried to do the right thing by raising his concerns about Twitter’s security practices. Whistleblower Aid, an organization that is working with Mr. Zatko on his complaint, said the facts in the disclosure spoke for themselves.
Mr. Musk, who did not respond to a request for comment, indirectly referred to the whistle-blower complaint on Tuesday. He tweeted a meme of Jiminy Cricket from the movie “Pinocchio” that said, “Give a little whistle.”
Mr. Zatko has not been in touch with Mr. Musk, said a person with knowledge of the situation who spoke on the condition of anonymity because the proceedings were confidential. But Mr. Musk’s lawyers indicated they were interested in investigating Mr. Zatko’s claims.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Alex Spiro, a lawyer for Mr. Musk, said in a statement. Ms. Katz said her client had not received a subpoena.
Mr. Zatko, a well-known hacker who goes by the nickname Mudge in the security community, joined Twitter in late 2020 after the company was hacked by teenagers who impersonated prominent figures on the social media service to accumulate Bitcoin. He began working to document fraud at Twitter around the time of his firing, according to his complaint, and continued to share his findings with the company after he departed.
Mr. Zatko said in his complaint that he had quickly found that Twitter had made “little meaningful progress on basic security, integrity and privacy systems” and that the company “suffered from anomalously high rate of security incidents.” He contended that many regulatory filings Twitter had made detailing its privacy practices were “misleading, at best.”
In February 2021, Mr. Zatko made a presentation to Twitter’s board about the company’s lack of preparations for a potential data center failure that could knock the service offline. He also commissioned a third-party report on Twitter’s approach to spam and started projects to improve data security, the complaint said.
Mr. Zatko also said in his complaint that the Indian government had forced Twitter to hire government agents, who had access to internal data, and that a U.S. official had warned the company that one or more of its employees were working on behalf of a foreign intelligence agency.
Twitter has been infiltrated by foreign operatives in the past. This month, a former Twitter employee was convicted of spying on users on behalf of Saudi Arabia.
In December, Twitter’s board received a briefing on security practices. In January, Mr. Zatko began voicing his concerns that the board had been presented with “fraudulent” information about his work on security. Three days later, he was fired, he said. Mr. Zatko said he had later sent material to support his claims to Twitter and the board.
In May, Mr. Musk began needling Twitter over the number of fake accounts on its platform. Mr. Agrawal, the chief executive, responded by saying the company had a strong incentive to detect and remove spam. Mr. Zatko said Mr. Agrawal’s response was false.
In a section of his complaint titled “Lying About Bots to Elon Musk,” Mr. Zatko cited Mr. Agrawal’s tweets about Twitter’s number of fake accounts as an “example of misrepresentations by Twitter.” Executives are “not incentivized to accurately detect” spam because of how they measure the site’s user base for advertising purposes, Mr. Zatko said.
Mr. Zatko’s other claims about the weakness of Twitter’s privacy and security could give Mr. Musk new grounds to abandon the deal, legal experts said.
“If Twitter left out things that it should have disclosed, that management knew were serious problems to the business that makes its S.E.C. filings inaccurate, because they do not disclose material information about the business, that could help Musk with his fraud claim,” said Ann Lipton, a professor of corporate governance at Tulane Law School.
(Mr. Musk has signed a binding agreement to buy Twitter. Some legal experts have said his original claims about Twitter’s misleading disclosures on fake accounts may be a weak argument for backing out of the deal because the company amply hedges those disclosures.)
Twitter has violated its 2011 agreement with the F.T.C. before. Under the terms of that agreement, the company was barred for 20 years from misleading consumers about the steps it takes to protect their information and honor their privacy choices.
In May, the F.T.C. and the Justice Department fined Twitter $150 million for violating the settlement after the company told users that it was collecting their email addresses and phone numbers to protect their accounts. The agencies said Twitter had not done enough to say the information was also used to help marketers target ads.
Mr. Musk and Twitter are headed toward a five-day trial in October in Delaware Chancery Court over whether Mr. Musk must abide by his agreement to buy the company. This month, his legal team asked Twitter to turn over documents of several former Twitter executives, including Mr. Zatko, two people with knowledge of the proceedings said. Mr. Musk’s lawyers also sought documents from Jack Dorsey, Twitter’s former chief executive, and Kayvon Beykpour, its former head of product, according to court filings.
In a letter to the court on Aug. 11, lawyers for Twitter argued that Mr. Zatko, whose name is redacted in the filing, oversaw security and compromised accounts but was not involved in spam-fighting efforts and therefore was not relevant to Mr. Musk’s case. A judge ruled that Twitter should hand over Mr. Beykpour’s records but denied the request for Mr. Zatko’s records.
Ms. Katz said that although Mr. Zatko had not overseen spam issues directly, he had often been asked to help quantify spam and provided those results to the Twitter executives responsible for combating the issue.
“It’s a predictable human emotion to be upset about being fired when you’ve been fired for doing the right thing,” she said.
Cecilia Kang contributed reporting.