Twitter whistleblower Peiter “Mudge” Zatko raises concerns over security threats at platform
The whistleblower disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.
The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).
John Tye, founder of Whistleblower Aid and Zatko’s lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk’s involvement with Twitter.
CNN sought comment from Twitter on more than 50 specific questions regarding the disclosure.
In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company. Twitter also said the company provides clear tools for users to control privacy, ad targeting and data sharing, and added that it has created internal workflows to ensure users know that when they cancel their accounts, Twitter will deactivate the accounts and start a deletion process. Twitter declined to say whether it typically completes the process.
“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” the Twitter spokesperson said. “While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”
The disclosure is generally much kinder to Jack Dorsey, the former CEO who hired Zatko and whom Zatko believes wanted to see the problems within the company fixed. But it does depict him as extremely disengaged in his final months leading Twitter — so much so that some senior staff even considered the possibility he was sick.
CNN has reached out to Dorsey for comment. A person familiar with Zatko’s tenure at Twitter told CNN the company investigated several claims he brought forward around the time he was fired, and ultimately found them unpersuasive; the person added that Zatko at times lacked understanding of Twitter’s FTC obligations.
Zatko believes his firing was in retaliation for his sounding the alarm about the company’s security problems.
The scathing disclosure, which totals around 200 pages including supporting exhibits, was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The existence and details of the disclosure have not previously been reported. CNN obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill. The SEC, DOJ and FTC declined to comment; the Senate Intelligence Committee, which received a copy of the report, is taking the disclosure seriously and is setting a meeting to discuss the allegations, according to Rachel Cohen, a committee spokesperson.
Sen. Dick Durbin, who chairs the Senate Judiciary Committee and also received the report, vowed to investigate “and take further steps as needed to get to the bottom of these alarming allegations.”
Sen. Chuck Grassley, the same panel’s top Republican and an avid Twitter user, also expressed deep concerns about the allegations in a statement to CNN.
“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Grassley said. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”
Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.
“All my life, I’ve been about finding places where I can go and make a difference. I’ve done that through the security field. That’s my main lever,” he told CNN in an interview earlier this month.
What Zatko says he found was a company with extraordinarily poor security practices, including giving thousands of the company’s employees — amounting to roughly half the company’s workforce — access to some of the platform’s critical controls. His disclosure describes his overall findings as “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”
But, the disclosure says, Zatko soon learned “it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.” Twitter also lacked the ability to hold workers accountable for information security lapses because it has little control or visibility into employees’ individual work computers, Zatko claims, citing internal cybersecurity reports estimating that 4 in 10 devices do not meet basic security standards.
Twitter’s flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company’s 500,000 servers run outdated software that lacks basic security features such as encryption of stored data and no longer receives regular security updates from its vendors, according to the letter to regulators and a February email Zatko wrote to Patrick Pichette, a Twitter board member, that is included in the disclosure.
The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko’s disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.
Twitter did not respond to questions about the risk of data center outages, but told CNN that people on Twitter’s engineering and product teams are authorized to access the production environment if they have a specific business justification for doing so. Twitter’s employees use devices overseen by other IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it is running outdated software, Twitter added.
The company also said it uses automated checks to ensure laptops running outdated software cannot access the production environment, and that employees may only make changes to Twitter’s live product after the code meets certain record-keeping and review requirements.
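The controls Twitter describes here (a laptop that fails the security baseline cannot reach production, access needs a specific business justification, and changes are recorded) and the gap Zatko describes earlier (no log of who went into production or what they did) are the same control seen from two sides. As an added illustration, not Twitter’s code and not taken from the disclosure, the Python below is a minimal production-access gate that evaluates device posture against a baseline, requires a ticket reference as the business justification, and writes an audit entry for every decision so that “who accessed this system” can be answered from the log. The baseline values, ticket format, device fields and sample devices are assumptions made for the example.

```python
"""Minimal production-access gate: device-posture check, justification, audit log.

Added example, not Twitter's code. The baseline numbers, the ticket format and
the device records are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# Assumed baseline for the example; real values are a policy decision.
MIN_OS_VERSION = (13, 4)             # hypothetical minimum patched major.minor
MAX_POSTURE_AGE_HOURS = 24.0         # posture older than this is treated as unknown
TICKET_RE = re.compile(r"^[A-Z]{2,10}-\d+$")   # hypothetical ticket id, e.g. OPS-1234


@dataclass(frozen=True)
class Device:
    device_id: str
    os_version: Tuple[int, int]
    disk_encrypted: bool
    edr_running: bool
    posture_age_hours: float   # hours since the endpoint agent last reported


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: Device
    target: str          # production system being reached, e.g. "prod-shard-7"
    justification: str   # ticket reference supplying the business justification


def device_failures(d: Device) -> List[str]:
    """Return every way the device misses the baseline (empty list means compliant)."""
    failures = []
    if d.posture_age_hours > MAX_POSTURE_AGE_HOURS:
        # Stale posture is not compliance: fail closed rather than trust old data.
        failures.append(f"posture data {d.posture_age_hours:.0f}h old")
    if d.os_version < MIN_OS_VERSION:
        failures.append(f"os {d.os_version[0]}.{d.os_version[1]} below minimum")
    if not d.disk_encrypted:
        failures.append("disk not encrypted")
    if not d.edr_running:
        failures.append("endpoint agent not running")
    return failures


class AccessGate:
    """Decides production access and records every decision in an audit log."""

    def __init__(self) -> None:
        self.audit: List[dict] = []   # in-memory stand-in for an append-only log

    def evaluate(self, req: AccessRequest) -> Tuple[bool, List[str]]:
        reasons = device_failures(req.device)
        if not TICKET_RE.match(req.justification.strip()):
            reasons.append("no valid business-justification ticket")
        allowed = not reasons
        # Denials are logged too: repeated denials from one user or device are a signal.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "device": req.device.device_id,
            "target": req.target,
            "ticket": req.justification,
            "decision": "ALLOW" if allowed else "DENY",
            "reasons": reasons,
        })
        return allowed, reasons

    def who_accessed(self, target: str) -> List[str]:
        """Answer 'who went into this system' from the log, in order of access."""
        return [e["user"] for e in self.audit
                if e["target"] == target and e["decision"] == "ALLOW"]


# Constructed sample devices (not real data).
PATCHED = Device("lap-001", (13, 5), True, True, 2.0)
UNPATCHED = Device("lap-002", (12, 6), False, True, 1.0)
STALE = Device("lap-003", (13, 5), True, True, 72.0)


def demo() -> dict:
    """Run four constructed requests through one gate and return the outcomes."""
    gate = AccessGate()
    results = {
        "good": gate.evaluate(AccessRequest("alice", PATCHED, "prod-shard-7", "OPS-1234")),
        "old_os": gate.evaluate(AccessRequest("bob", UNPATCHED, "prod-shard-7", "OPS-1235")),
        "no_ticket": gate.evaluate(AccessRequest("carol", PATCHED, "prod-shard-7", "")),
        "stale": gate.evaluate(AccessRequest("dave", STALE, "prod-shard-7", "OPS-1236")),
    }
    return {"results": results,
            "accessed": gate.who_accessed("prod-shard-7"),
            "log_size": len(gate.audit)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two design choices matter more than the specific checks. The gate fails closed when posture data is stale, because an agent that stopped reporting three days ago says nothing about the laptop’s state today; and it logs denials as well as grants, since a log that only records successes cannot show an attacker probing for a device that will be let through.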
Twitter has internal security tools that are tested by the company regularly, and every two years by external auditors, according to the person familiar with Zatko’s tenure at the company. The person added that some of Zatko’s statistics surrounding device security lacked credibility and were derived by a small team that did not properly account for Twitter’s existing security procedures.
Zatko alleges that despite the company’s claims to the contrary, it had “never been in compliance” with what the FTC demanded more than 10 years ago. As a result of its alleged failures to address vulnerabilities raised by the FTC as well as other deficiencies, he says, Twitter suffers an “anomalously high rate of security incidents,” approximately one per week serious enough to require disclosure to government agencies. “Based on my professional experience, peer companies do not have this magnitude or volume of incidents,” Zatko wrote in a February letter to Twitter’s board after he was fired by Twitter in January.
The stakes of Zatko’s disclosure are enormous. It could lead to billions of dollars in new fines for Twitter if it’s found to have violated its legal obligations, according to Jon Leibowitz, who was chair of the FTC at the time of Twitter’s original 2011 consent order.
The agency now has another opportunity to show the tech industry it is serious about holding platforms accountable, Leibowitz added, after officials opted not to name top Facebook execs including Mark Zuckerberg and Sheryl Sandberg in the FTC’s $5 billion privacy settlement with that company in 2019.
“One of the big disappointments in the Facebook order violation case was that the FTC let executives off the hook; they should’ve been named,” Leibowitz told CNN in an interview. “And if there’s a violation here — and that’s a big if — then I think the FTC should very seriously consider not just fining the corporation but also putting the executives responsible under order.”
Twitter told CNN its FTC compliance record speaks for itself, citing third-party audits filed to the agency under the 2011 consent order in which it said Zatko did not participate. Twitter also said it is in compliance with relevant privacy rules and that it has been transparent with regulators about its efforts to fix any shortcomings in its systems.
Zatko’s allegations are based in part on a failure to grasp how Twitter’s existing programs and processes work to fulfill Twitter’s FTC obligations, the person familiar with his tenure told CNN, saying that misunderstanding has prompted him to make inaccurate claims about the company’s level of compliance.
Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll, the disclosure alleges.
The whistleblower report says the US government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, and perhaps more, was working for another government’s intelligence service. The report does not say whether Twitter was already aware or if it subsequently acted on the tip.
Last year, prior to Russia’s invasion of Ukraine, Parag Agrawal, then Twitter’s chief technology officer and now its CEO, proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges.
While Agrawal’s suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.
“The fact that Twitter’s current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter’s effects on U.S. national security,” Zatko’s disclosure says.
The Saudi case, the recent conviction of a former Twitter employee for spying on users on behalf of Saudi Arabia, underscores the gravity of the allegations Zatko now levels at Twitter. His report could further inflame bipartisan concerns in Washington about foreign adversaries and the cybersecurity threats they pose to Americans, ranging from the theft of US citizens’ data to manipulating US voters or stealing technology and trade secrets.
Twitter did not respond to specific questions about its alleged foreign intelligence vulnerabilities.
The Musk element
User numbers are vital information for any social media business, as advertising revenue depends on how many people could potentially see an ad. But figures about how many users a service has, or how many people actually view a given ad on a site, are notoriously unreliable throughout the tech and media industries due to manipulation and error.
Alone among social media companies, Twitter reports its user numbers to investors and advertisers using a measurement it calls monetizable daily active users, or mDAUs. Its rivals simply count and report all active users; until 2019, Twitter had worked that way as well. But that meant Twitter’s figures were subject to significant swings in certain situations, including takedowns of major bot networks. So Twitter switched to mDAUs, which it says counts all users that could be shown an advertisement on Twitter — leaving all accounts that for some reason can’t, for instance because they’re known to be bots, in a separate bucket, according to Zatko’s disclosure.
Zatko says he began asking about the prevalence of bot accounts on Twitter in early 2021, and was told by Twitter’s head of site integrity that the company didn’t know how many total bots are on its platform. He alleges that he came away from conversations with the integrity team with the understanding that the company “had no appetite to properly measure the prevalence of bots,” in part because if the true number became public, it could harm the company’s value and image.
But Zatko told CNN he thinks there would still be value in attempting to measure the total number of spam, false or otherwise potentially harmful automated accounts on the platform. “The executive team, the board, the shareholders and the users all deserve an honest answer as to what it is that they are consuming as far as data and information and content [on the platform] … At least from my point of view, I want to invest in a company where I know what’s actually going on because I want to invest strategically in the long-term value of an organization,” he said.
Twitter says that it allows bots on its platform, but its rules prohibit those that engage in spam or platform manipulation. But, as with all social media platforms’ rules, the challenge often lies in enforcing its policies.
The company says it regularly challenges, suspends and removes accounts engaged in spam and platform manipulation, including typically removing more than one million spam accounts each day. Twitter said the total number of bots on the platform is not a useful number. The company declined to answer questions about the total number of accounts on the platform or the average number of new accounts added on the platform daily as context around its daily bot deletion figure.
But in casting doubt on Twitter’s ability to estimate the true number of fake and spam accounts, Zatko’s allegations could provide ammunition to Musk’s central claim that the figure is much higher than Twitter has publicly reported.
By going public, Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy. “Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission,” he said.