Twitter has been blamed for security & privacy lapses by the company’s former Head of Security who alleges their actions amount to a national security risk.
A recently disclosed 84-page whistle-blower report, filed with the US Govt. last month by Twitter’s former Head of Security Peiter “Mudge” Zatko, attacks his former employer for its alleged ‘shoddy security practices’ & for being out of compliance with an FTC order to protect user data.
Disgruntled Employee
Twitter has responded by alleging that Zatko is a “disgruntled employee” who was fired for inferior performance & leadership. In a letter to employees Twitter’s CEO Parag Agrawal suggests that Zatko’s claims are a “false narrative that is riddled with inconsistencies & inaccuracies & presented without important context.”
A succinct overview of the allegations & Twitter’s reaction:-
Allegations
Zatko, a ‘respected white-hat hacker’ who served as Twitter’s head of security for about 15 months – 2020-2022, accused Twitter of a number of poor security & privacy practices that together were a ‘national security risk.’
Accusations include:
- Twitter is a ‘mismanaged company’ & gives too many of its staff access to sensitive security & privacy controls without adequate oversight.
- One or more Twitter employees may be working for ‘undisclosed foreign intelligence services.’ Zatko says this turns his concerns into a matter of national security.
- Almost half of Twitter’s servers lack basic security features, e.g. data encryption, because software running on them is either outdated or unpatched.
- Twitter executives have ‘prioritised growth over security’ as they have pursued huge bonuses, as big as $10m, as incentives for the company’s fast expansion.
Out of Compliance
- The company is ‘out of compliance’ with a 2010 FTC order to protect users’ personal information. Also, the company has ‘lied’ to independent auditors of an FTC-mandated “comprehensive information security program” tied to the 2010 order.
- Twitter does not action user requests to delete their personal data, because of ‘technical limitations.’
- When Zatko tried to bring these & many other security & privacy issues to Twitter’s board, management ‘misrepresented his findings’ and/or tried to ‘hide the report.’
- Twitter allowed some foreign Govts. “… to infiltrate, control, exploit, surveil and/or censor the company’s platform, staff, & operations,” according to the redacted whistle-blower report submitted to Congress.
- Twitter does not have the ‘resources or capacity’ to accurately establish the real number of fake (or bot) accounts on the platform. This issue is central to Elon Musk’s attempt to back out of buying the company for $44b.
Muted Response
The majority of Twitter’s response to Zatko is that he is a disgruntled employee, bad at his job & scapegoating Twitter for his failures. It points out that it has addressed & continues to aggressively address many of the IT security issues pointed out by Zatko.
An alleged response by Twitter’s CEO Parag Agrawal sent internally to Twitter employees was posted online.