Twitter has hidden negligent security practices, misled federal regulators about its safety, and failed to properly estimate the number of bots on its platform, according to testimony from the company’s former head of security, the legendary hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko. The explosive allegations could have huge consequences, including federal fines and the potential unraveling of Tesla CEO Elon Musk’s bid to buy Twitter.
Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning. (…)
Zatko’s disclosures to the SEC contain many damning reports and accusations, but these are some of the most significant:
- Indiscriminate access. A significant part of Twitter’s vulnerability is that too many employees have access to critical systems, claims Zatko in his complaint. It states that around half of Twitter’s 7,000 or so full-time employees have access to users’ sensitive personal data (like phone numbers) and internal software (to alter how the service works) and that this access is not closely monitored. He also alleges that thousands of laptops contain complete copies of Twitter’s source code.
- Misleading the FTC. In 2010, Twitter settled charges with the FTC that it failed to protect consumers’ personal information — a significant and early example of government regulators reining in Big Tech. Zatko’s complaint claims Twitter has repeatedly made “false and misleading statements” to users and the FTC, violating this agreement.
- Ignoring bots. Twitter has repeatedly claimed that less than 5 percent of its monthly daily active users are bots, fake accounts, or spam. Zatko’s complaint says Twitter’s method of measuring this figure is misleading and that executives are incentivized (with bonuses of up to $10 million) to boost user counts rather than remove spam bots.
- Government agents. Twitter is a key tool for sharing news and organizing protests, making it a ripe target for governments looking to crack down on dissent. Zatko’s complaint states that he believes the Indian government forced Twitter to hire a government agent, who then had “access to vast amounts of Twitter sensitive data.”
- Failure to delete. The complaint states that Twitter has, in the past, failed to delete users’ data when requested because such records are spread too widely among internal systems to be properly tracked. A current employee told The Washington Post that the company just completed a project, known as Project Eraser, to ensure proper deletion of user data.
Read the complete article on theverge.com