The Washington Post on Peiter ‘Mudge’ Zatko’s Whistleblower Report on Twitter Security

Joseph Menn, Elizabeth Dwoskin and Cat Zakrzewski, reporting for The Washington Post, which received the same redacted copy of Zatko’s whistleblower report that CNN did. The Post has published copies of the original redacted documents as webpage-embedded PDFs, too. From their story:

Overall, Zatko wrote in a February analysis for the company attached as an exhibit to the SEC complaint, “Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”

Zatko’s complaint says strong security should have been much more important to Twitter, which holds vast amounts of sensitive personal data about users. Twitter has the email addresses and phone numbers of many public figures, as well as dissidents who communicate over the service at great personal risk.

Remember too that Twitter DMs are not end-to-end encrypted. They are stored on Twitter’s servers in a form that Twitter can read. The phone numbers and email addresses of anonymous dissidents are very sensitive, but I’d argue that the contents of DMs are the most sensitive information Twitter holds.

You should never put anything in a Twitter DM that you wouldn’t print on a postcard sent in the mail. But we all do it, to some extent. But without question, many Twitter users put incredibly sensitive information into DMs. (I welcome DMs on Twitter, but if the contents are truly sensitive, I encourage readers to contact me via Signal.)

This month, an ex-Twitter employee was convicted of using his position at the company to spy on Saudi dissidents and government critics, passing their information to a close aide of Crown Prince Mohammed bin Salman in exchange for cash and gifts.

Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.

I don’t think there’s any way to overstate how damning Zatko’s allegations are. He describes a criminally corrupt company and board.

Wednesday, 24 August 2022