
Mudge’s Twitter complaint is a siren call to Washington

Protocol Policy

Hello and welcome to Protocol Policy! Today, we’re talking about former Twitter head of security Peiter “Mudge” Zatko’s bombshell whistleblower complaint. Plus, the FTC gives Zuck a break and tech for school tests loses in an Ohio court.

It’s not (just) about the bots

Jack Dorsey hired acclaimed hacker Peiter “Mudge” Zatko in 2020 to clean up after the massive hack that left Joe Biden’s account — and just about every other VIP account on Twitter — flinging bitcoin scams for a brief, bizarre moment in time.

Two years later, Zatko just handed Twitter an even bigger mess in the form of an 84-page SEC complaint that accuses Twitter of egregious security flaws, breaking promises to regulators, lying to Elon Musk about bots and letting agents of foreign governments spy on users.

Each allegation is more damning than the next. And while Twitter accused Zatko, who was fired in January, of “opportunistically seeking to inflict harm on Twitter,” the complaint is already drawing interest from lawmakers and regulators.

So what will they find most interesting? Let’s start with the SEC. Twitter is neck-deep in a legal fight with Musk over the number of bots on the platform. Musk launched his bid to buy the company by promising to “defeat the bots.” But he now disputes Twitter’s claims that only 5% of monetized accounts are bots and tried to nuke the acquisition deal over it. Zatko seems to be handing Musk ammo.

  • The complaint alleges that Twitter intentionally reports bots as a percentage of monetizable daily active users, not all daily active users, because the company knows the actual share of spam accounts is much higher.
  • “There are many millions of active accounts that are not considered ‘mDAU,’ either because they are spam bots, or because Twitter does not believe it can monetize them,” the complaint reads.
  • Since so much of the Twitter v. Musk saga has played out through SEC filings, the agency will no doubt be interested in knowing whether Zatko’s claims are legit.

But it’s not just the bots the SEC might need to look into. Zatko also alleges that Twitter executives knowingly misled their own board members, in violation of securities law.

  • According to the complaint, in December of 2021, Twitter prepared materials for board members that downplayed the actual number of security incidents the company experienced in 2021, overstated how secure employees’ devices were and suggested Twitter had made progress on limiting employee access to production systems, when it really hadn’t.
  • While the materials were never shared with the full board due to Zatko’s concerns, according to the allegations, new CEO Parag Agrawal, who succeeded Dorsey, instructed Zatko to provide the documents to the board’s risk committee soon after.
  • Zatko lists this incident as one of several “episodes of fraud.”

The DOJ and Congress might also want a piece of this. Among the most alarming allegations is Zatko’s claim that Twitter was pressured into hiring two agents of the Indian government and giving them access to sensitive data.

  • The complaint is light on details about this allegation, but Zatko has referred additional details about it to the DOJ’s Counterintelligence and Export Controls Section, as well as the Senate Intelligence Committee.
  • Given the fact that a former Twitter employee was just this month convicted of spying for the Saudis, you can imagine the feds wanting to give this alleged deal in India a closer look.

Then there are the FTC concerns. Twitter has already been fined $150 million for misusing user emails and phone numbers for marketing purposes in violation of its 2011 consent decree with the FTC. But there may be more where that came from.

  • According to the complaint, when the FTC asked Twitter whether it was deleting data from users who had deleted their accounts, Twitter replied merely that the accounts were “deactivated,” when in reality, Twitter couldn’t account for the data.
  • Zatko also found that Twitter had failed to broadly implement a software development process mandated by the consent decree.

Twitter employees have already been through the wringer over the last year: The CEO switch. The on-again, off-again takeover bid by the platform’s biggest, richest troll. Executive firings. The mass staff exodus.

But Zatko’s complaint paints a picture of a company that’s struggling to meet basic standards of technological competence, with investors and regulators expecting far better. As Twitter tries to account for all these accusations, the worst may be yet to come.

— Issie Lapowsky

In Washington

A bipartisan group of top lawmakers focused on competition unveiled a new version of the bill to give news publishers antitrust exemption, allowing them to bargain together with digital platforms.

The FTC wants to know if kids can tell the difference between a digital ad and everyday content. The agency also announced an October event on “Protecting Kids from Stealth Advertising in Digital Media.”

In the states

How can economically depressed states train and retain their brightest minds? That’s a problem Brad D. Smith, the former CEO of Intuit, is tackling in his new role as president of Marshall University. In an interview with Protocol, Smith took us through his decision to leave Silicon Valley and return to his home state of West Virginia.

McKinsey has recommendations for state and local governments if they can’t just “dig once” to put in new broadband capability while road repair is going on. Although “dig once” is considered a best practice, budget cycles, red tape and turf wars often mean localities can’t put together two different types of projects. In a report noting the billions in infrastructure funding that’s going out the door, the consultancy recommended using planning forums where bureaucrats can at least try to talk, or a coordinator who can take charge of applications and timelines.

Yelp added warnings for customers viewing crisis pregnancy centers, which don’t provide abortion services even though their names are often similar. The move is intended to help customers differentiate abortion clinics from the crisis centers.


In the courts

The FTC has dropped Mark Zuckerberg from the agency’s suit to block Meta’s purchase of the VR fitness app Supernatural. The move comes after Zuck agreed not to purchase the app’s maker, Within, in his personal capacity or through another entity. FTC boosters have cast the naming of executives in lawsuits as a much-needed step to hold leadership of companies accountable.

A federal judge in Ohio ruled that scans of student rooms before tests violate constitutional protections against unreasonable searches. A Cleveland State University student sued over the practice, which became a common way to try to detect cheating during the pandemic.

Elon Musk’s team subpoenaed Jack Dorsey in the lawsuit over whether Twitter can force Musk to go through with his acquisition of the company.

Ohio Attorney General Dave Yost won the first battle in a larger war against Google. Yost convinced an Ohio state judge to split his lawsuit against Google into two parts: one that will determine whether the company acts as a common carrier and, if successful, a second that determines what to do about it. If Yost wins the first case, it could limit Google’s ability to self-preference.

In data

$1,000: That’s the entry contribution cost to attend Sen. Kyrsten Sinema’s campaign fundraising reception on Sept. 7. Sinema became a power player in Washington this term, forcing Democrats to make critical concessions to get bills through a split Senate. Sinema now has plenty of support in the private sector, since she played a key role in saving the carried-interest loophole that saves private equity billions of dollars in taxes a year.

Amazon’s sports push

Amazon has made a big push into sports streaming recently, which NFL fans may notice this coming season. The company won exclusive rights to Thursday Night Football games for the next 11 seasons and even created a new theme song. But not all efforts have gone so well — Amazon lost the rights to Champions League soccer, as it apparently wasn’t willing to go above Paramount’s $1.5 billion, six-year bid.


Thanks for reading! See you Friday!
