Ex-Twitter Security Chief Peiter ‘Mudge’ Zatko Files Blockbuster Whistleblower Report Over the Platform’s Security

Donie O’Sullivan, Clare Duffy and Brian Fung, reporting for CNN Business yesterday:

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims). [...]

John Tye, founder of Whistleblower Aid and Zatko’s lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk’s involvement with Twitter.

Zatko was fired from Twitter in January this year “for ineffective leadership and poor performance”, in the words of a Twitter spokesperson. CNN’s report is very long, and worth reading in full. If even partially true, what Zatko is alleging is extremely alarming.

One point seems clear: even if Zatko has not been in contact with Elon Musk — and I don’t see any reason to doubt Zatko’s lawyer’s clear statement that he has not — that doesn’t mean Musk hasn’t been made aware of Zatko’s whistleblower report. Anyone inside Twitter aware of Zatko’s concerns could have leaked them to Musk. Jack Dorsey, for example, personally hired Zatko and was CEO until just a few weeks before Zatko’s firing. Musk’s allegations about Twitter misreporting bot activity might be fully legitimate, not an empty pretext for backing out of his acquisition.

Wednesday, 24 August 2022