Twitter’s former head of security has shared a series of jaw-dropping revelations about its dubious practices—which included hiring agents of the Indian government. Elon Musk is likely on his third bottle of champagne right now.
His background: Peiter “Mudge” Zatko started his career as an ethical hacker—who used his skills to expose security holes to help companies and governments safeguard themselves. In his early years, he was part of a collective that “promoted human rights by spreading information and fighting censorship and surveillance.” He’s worked for the Pentagon in the past—and testified in front of Congress. His personal motto: “Make a dent in the universe.” So his credentials are impeccable—as far as the public record is concerned.
His Twitter job: Zatko was working as the head of security for the payment platform Stripe—when he was poached by Twitter founder and CEO Jack Dorsey in 2020. Zatko says he took the job “to improve the health of the public conversation” after someone hacked the verified Twitter accounts of political leaders that year: “There was no way I wasn’t going to step up to the plate and take some swings.” As the new security chief, Zatko’s first task was to analyse the platform’s “serious security issues.”
His Twitter exit: Jack Dorsey quit his job in November, 2021—and was replaced as CEO by Parag Agrawal. And that’s when things went sour for Zatko—who reported directly to him. While Zatko was frustrated by Dorsey’s lack of communication—which became an issue for the board—his relationship with Agrawal was tense and confrontational.
The last straw was a presentation of Twitter’s security problems prepared for Agrawal’s first meeting with the board. Zatko blocked the presentation, insisting the data it contained was false—but Agrawal still sent it to the board’s risk committee. Then this happened:
“On January 4, Zatko reported internally that the Risk Committee meeting might have been fraudulent, which triggered an Audit Committee investigation. Agrawal fired him two weeks later.”
The SEC complaint: Zatko then filed complaints with the Securities and Exchange Commission, Federal Trade Commission and Department of Justice. FYI: these were filed by nonprofit law firm Whistleblower Aid, which previously represented Facebook whistleblower Frances Haugen. This 200-page or 84-page document—which contains damning allegations—has now been accessed by various media outlets. Hence, Twittergate.
Here are the most egregious allegations contained in his filing:
One: Back in 2011, Twitter signed an agreement with the US government promising it had a solid plan to fix all of its gaping security problems. It did not. According to Zatko:
Point to note: Violating the government deal could have serious consequences for Twitter. The reason: “Under the terms of that [2011] agreement, the company was barred for 20 years from misleading consumers about the steps it takes to protect their information and honour their privacy choices.”
Two: Zatko also alleges that the company prioritises user growth over cracking down on spam or bots. Executives could earn bonuses of as much as $10 million for increasing daily users—but received nothing for fixing spam. Hence, Agrawal was “lying” when he claimed that the company was “strongly incentivized to detect and remove as much spam as we possibly can.”
Three: In its quarterly SEC filings, Twitter dutifully insists that fewer than 5% of its users are bots. Zatko alleges that the company deliberately does very little to track the real number:
“Twitter executives are not incentivized to detect bots and ‘senior management had no appetite to properly measure the prevalence of bot accounts’ because ‘if accurate measurements ever became public, it would harm the image and valuation of the company.’”
In fact, the company deliberately uses a measurement called monetizable daily active users, or mDAUs—which are accounts that can be shown a Twitter ad, for instance. This automatically excludes all bots and spam accounts. And that 5% is a percentage of mDAUs—not the total number of Twitter accounts.
Point to note: This is an early Christmas bonanza for Elon Musk—who is being sued by Twitter for walking away from the deal he inked to buy the company. The agreement includes a pledge by Twitter that its shareholder filings are accurate. Musk’s lawyers argue that he is not bound by the deal because Twitter is lying about the number of bots on its platform. They have already subpoenaed Zatko as a witness. And here’s what Musk tweeted soon after his allegations went public—with the words “Give a Little Whistle”:
Four: One of the most damning allegations centres on Parag Agrawal—whom Zatko represents as someone who deliberately hid the facts and misled the board:
“According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter's security problems to the company's board of directors. The company's executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company's security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko's back to have a third-party consulting firm's report scrubbed to hide the true extent of the company's problems.”
All of those are sackable offences for any employee, let alone a CEO.
The India revelation: According to the Washington Post, Zatko’s complaint alleges that the Indian government "forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country.” TIME magazine offers a little more detail:
“His disclosures allege that Twitter executives hired two people whom he believes were Indian government agents and put them in positions with ‘direct unsupervised access’ to internal Twitter data and information. This was just one example of Twitter’s ‘negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil and/or censor’ the platform, its staff and its operations, Zatko alleges.”
We don’t know the exact timing since we’ve seen many “intense protests” lately.
Twitter’s response: In a staff memo, Agrawal described Zatko as “a former Twitter executive who was terminated in January 2022 for ineffective leadership and poor performance.” He also said:
“We are reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.”
As we said before, Musk will certainly be celebrating—since Zatko may have freed him from the Twitter-sized albatross around his neck. US government agencies will have to investigate Zatko’s allegations—which, if proved right, will have serious consequences for Twitter. While the company may not be shut down, it will have to agree to a drastic restructuring to survive.
Irony alert! Those reforms may, in fact, push Twitter out of India—or at least that’s what some Indian experts speculate:
“The US will try to clean up Twitter, given how it has affected elections there, and clean bots…This will lead to lesser hate speech or harmful content in India as well. India may block Twitter if it loses control as a result of the action the US may take. There is a huge demand to encrypt DMs (direct messages) which are currently not encrypted (and can hence be accessed by security agencies).”
The bottomline: No revelation about any social media company can shock us any more.
CNN and Washington Post (splainer gift link) have the most details on Zatko’s allegations. Slate offers a more succinct version. The Post also has a profile of Zatko. New York Times looks at the likely fallout for Twitter, while The Telegraph has the India angle. Read Agrawal’s memo to his staff here. You can also check out our Big Stories on Agrawal, Musk v. Twitter and the Indian Government v. Twitter.