Policy

Everything you need to know about the Twitter whistleblower complaint

In an 84-page complaint, Twitter’s former head of security accused the company of egregious security flaws and misleading its board, regulators and, yep, Elon Musk.

SUN VALLEY, IDAHO - JULY 07: Parag Agrawal, CEO of Twitter, walks to a morning session during the Allen & Company Sun Valley Conference on July 07, 2022 in Sun Valley, Idaho. The world's most wealthy and powerful businesspeople from the media, finance, and technology will converge at the Sun Valley Resort this week for the exclusive conference. (Photo by Kevin Dietsch/Getty Images)

Twitter CEO Parag Agrawal was allegedly defensive and in denial about the company’s security vulnerabilities, according to whistleblower Peiter "Mudge" Zatko.

Photo: Kevin Dietsch/Getty Images

Twitter is about to find out what it’s like to be Facebook after its former security chief, Peiter “Mudge” Zatko, filed a whistleblower complaint with the Securities and Exchange Commission on Tuesday that is likely to lead to further investigations.

The complaint, which was first reported on by The Washington Post and CNN, alleged that Twitter has misled the Federal Trade Commission about its security standards, violated SEC rules, misrepresented itself to the board of directors and allowed foreign governments to infiltrate the platform.

In the complaint, Zatko accused Twitter of lying about bots to Elon Musk, failing to secure the company’s servers, withholding crucial details about breaches from its board and even succumbing to pressure from the Indian government to hire government agents and give them access to sensitive data. Zatko lays blame largely with former CEO Jack Dorsey, whom Zatko describes as “disengaged,” and current CEO Parag Agrawal, who the complaint alleges was defensive and in denial about the company’s security vulnerabilities.

“Mudge is proceeding with these disclosures quite reluctantly,” the complaint reads. “When ethical researchers find a vulnerability that bad actors can exploit, first they make a quiet ‘responsible disclosure’ so that the affected company or government can fix it. But sometimes the vulnerable institution doesn’t want to hear the truth.”

Twitter did not immediately respond to Protocol’s request for comment. In a statement to The Washington Post, spokesperson Rebecca Hahn said Zatko’s complaint was “riddled with inaccuracies” and accused Zatko of “opportunistically seeking to inflict harm on Twitter” after he was fired in early 2022.

Zatko joined Twitter in 2020, after a high-profile hack of the platform left the accounts of Jeff Bezos, Tim Cook, Bill Gates, Elon Musk, Joe Biden and others compromised.

Zatko’s bombshell complaint stretches 84 pages, and is already drawing questions from lawmakers on Capitol Hill, as well as regulators.

“The whistleblower’s allegations of widespread security failures at Twitter, willful misrepresentations by top executives to government agencies, and penetration of the company by foreign intelligence raise serious concerns. If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Democratic Sen. Dick Durbin, who chairs the Senate Judiciary Committee, said in a statement, promising to investigate the allegations further.

Allegation one: Twitter lied to Elon Musk about bots

Of all of Zatko’s allegations, this one will undoubtedly get the most attention. According to the complaint, Agrawal made “false and misleading statements” in a tweet that said Twitter employees are “strongly incentivized to detect and remove as much spam as we possibly can.”

“Agrawal’s tweet is a lie,” the complaint reads. Zatko pointed to Twitter’s practice of reporting “monetizable daily active users” rather than total daily active users as masking the true number of spam bots on the platform.

“There are many millions of active accounts that are not considered ‘mDAU,’ either because they are spam bots, or because Twitter does not believe it can monetize them,” Zatko said in the complaint.

The number of bots on the platform is a key focal point of the ongoing battle between Musk and Twitter. Twitter sued Musk after the billionaire filed to walk out on his $44 billion bid to buy the company, citing Twitter’s “false and misleading statements” about bots.

Allegation two: The Indian government forced Twitter to hire two government agents

Zatko accused Twitter of being “complicit in threats to democratic governance.” Specifically, he alleged that the company succumbed to pressure from the Indian government to hire two of its agents and give them access to “vast amounts of Twitter’s sensitive data.”

The complaint also stated that a U.S. government source told Twitter that “one or more particular company employees were working on behalf of another particular foreign intelligence agency.” This allegation comes just weeks after a former Twitter employee was convicted for spying on behalf of the government of Saudi Arabia.

Allegation three: Twitter misled its own board about security vulnerabilities

Zatko accused Agrawal of outright enabling fraud in December 2021. According to the complaint, materials prepared for a board meeting suggested that 92% of computers had security software installed, but left out other stats which suggested that around 50% of those computers had “critical flaws” or had “disabled critical safety settings.”

The materials also included details that Zatko alleged were designed to convince the board that Twitter was successfully limiting the number of employees who had access to production systems, a vulnerability that had contributed to a major hack of the platform in 2020.

“The graph misleadingly [suggested] that Twitter was making significant progress in reducing access to production systems,” the complaint reads. “Mudge knew that the actual underlying data showed that at the end of 2021, 51% of the ~11 thousand full-time employees had privileged access to Twitter's production systems.” According to the complaint, that’s a 5% increase from February 2021.

The complaint also stated that the materials minimized the total number of security incidents Twitter experienced in 2021 and mischaracterized the number of events that could be traced back to these access control issues.

While Zatko alleged that he prevailed in preventing the materials from being presented to the entire board on Dec. 9, the complaint says the materials were presented to the board’s Risk Committee a week later.

Allegation four: Twitter’s data-center infrastructure was prone to an existential outage threat

Building the reliable and scalable computing infrastructure needed to support Twitter’s real-time service has been a challenge for the company since its earliest days, and as of the spring of 2021, Zatko said it remained in a perilous state.

Specifically, Twitter lacked a “workable disaster recovery plan” in the event of even a partial data-center outage, which is considered table stakes for most companies operating services at Twitter’s scale. Zatko also alleged that “the majority of the systems” in Twitter’s data centers were running out-of-date software, which could have contained serious security vulnerabilities, and that the company lacked the tools to properly understand the scope of the problem.

Twitter’s engineers were able to manage a period of instability in the spring of 2021 that could have led to what Zatko called a “Black Swan” event — which could have taken down its services for weeks or even months — but did not take steps to correct its problems in subsequent months, according to the document.

Allegation five: Twitter violated its consent decree with the FTC

Like we said, Twitter’s getting the Facebook treatment. In 2011, following a series of breaches in 2009, Twitter reached a consent decree with the FTC, through which it promised to make substantive changes to its security and privacy protocols. But the complaint alleges that when Zatko joined Twitter in 2020, following the infamous blue check hack, he found that “Twitter had never been in compliance” with the consent decree.

Specifically, the complaint alleges that Twitter conducted marketing campaigns using phone numbers and email addresses users provided for security purposes. Twitter has already been fined $150 million for this infraction. But the complaint also suggests that when the FTC asked whether Twitter deleted the data of users who canceled their accounts, the company replied merely that the accounts were “deactivated.” Actually, the complaint claims, Twitter found that the data “couldn’t even be accounted for.”

Tom Krazit contributed to this report.

Entertainment

Inside Amazon’s free video strategy

Amazon has been doubling down on original content for Freevee, its ad-supported video service, which has seen a lot of growth thanks to a deep integration with other Amazon properties.

Freevee’s investment into original programming like 'Bosch: Legacy' has increased by 70%.

Photo: Tyler Golden/Amazon Freevee

Amazon’s streaming efforts have long been all about Prime Video. So the company caught pundits by surprise when, in early 2019, it launched a stand-alone ad-supported streaming service called IMDb Freedive, with Techcrunch calling the move “a bit odd.”

Nearly four years and two rebrandings later, Amazon’s ad-supported video efforts appear to be flourishing. Viewership of the service grew by 138% from 2020 to 2021, according to Amazon. The company declined to share any updated performance data on the service, which is now called Freevee, but a spokesperson told Protocol the performance of originals in particular “exceeded expectations,” leading Amazon to increase investments into original content by 70% year-over-year.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.
Fintech

Wall Street is warming up to crypto

Secure, well-regulated technology infrastructure could draw more large banks to crypto.

Technology infrastructure for crypto has begun to mature.

Illustration: Christopher T. Fong/Protocol

Despite a downturn in crypto markets, more large institutional investors are seeking to invest in crypto.

One factor holding them back is a lack of infrastructure for large institutions compared to what exists in the traditional, regulated capital markets.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at tgeron@protocol.com or tgeron@protonmail.com.

Policy

How I decided to go all-in on a federal contract — before assignment

Amanda Renteria knew Code for America could help facilitate access to expanded child tax credits. She also knew there was no guarantee her proof of concept would convince others — but tried anyway.

Code for America CEO Amanda Renteria explained how it's helped people claim the Child Tax Credit.

Photo: Code for America

Click banner image for more How I decided series

After the American Rescue Plan Act passed in March 2021, the U.S. government expanded child tax credits to provide relief for American families during the pandemic. The legislation allowed some families to nearly double their tax benefits per child, which was especially critical for low-income families, who disproportionately bore the financial brunt of the pandemic.

Keep Reading Show less
Hirsh Chitkara

Hirsh Chitkara ( @HirshChitkara) is a reporter at Protocol focused on the intersection of politics, technology and society. Before joining Protocol, he helped write a daily newsletter at Insider that covered all things Big Tech. He's based in New York and can be reached at hchitkara@protocol.com.

Climate

This carbon capture startup wants to clean up the worst polluters

The founder and CEO of point-source carbon capture company Carbon Clean discusses what the startup has learned, the future of carbon capture technology, as well as the role of companies like his in battling the climate crisis.

Carbon Clean CEO Aniruddha Sharma told Protocol that fossil fuels are necessary, at least in the near term, to lift the living standards of those who don’t have access to cars and electricity.

Photo: Carbon Clean

Carbon capture and storage has taken on increasing importance as companies with stubborn emissions look for new ways to meet their net zero goals. For hard-to-abate industries like cement and steel production, it’s one of the few options that exist to help them get there.

Yet it’s proven incredibly challenging to scale the technology, which captures carbon pollution at the source. U.K.-based company Carbon Clean is leading the charge to bring down costs. This year, it raised a $150 million series C round, which the startup said is the largest-ever funding round for a point-source carbon capture company.

Keep Reading Show less
Michelle Ma

Michelle Ma (@himichellema) is a reporter at Protocol covering climate. Previously, she was a news editor of live journalism and special coverage for The Wall Street Journal. Prior to that, she worked as a staff writer at Wirecutter. She can be reached at mma@protocol.com.

Latest Stories
Bulletins