Former Twitter Exec: Company Misleads Users and Government

WASHINGTON — A former Twitter executive made a whistleblower complaint earlier this summer that the company is misleading the government and its users about security on the social media platform.

The allegations stem from a 2011 settlement Twitter made with the Federal Trade Commission that barred the social media company from misleading its users about the “extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information.”

In the decade since the settlement, Twitter has “made little meaningful progress on basic security, integrity and privacy systems” and had never been compliant with the 2011 settlement, according to the complaint filed by the company’s former security lead, Peiter Zatko.

Twitter was still not in compliance with the 2011 settlement at the time when Zatko was fired in January 2022, according to the complaint.

Zatko filed the 84-page complaint in July with the U.S. Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice with the help of the nonprofit Whistleblower Aid, according to a copy obtained by The Washington Post that was released Tuesday.

The Senate Judiciary Committee has also received a copy of the complaint.

There have been calls for investigations from members on both sides of the aisle since the complaint has been revealed.

“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” said Sen. Chuck Grassley, R-Iowa, ranking member of the Judiciary Committee, in an email statement. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”

Sen. Ed Markey, D-Mass., also wrote a letter to the Department of Justice and FTC asking them to look into the complaint Tuesday.

“This blithe disregard for user data and FTC settlements cannot stand. I strongly urge the federal government to investigate Zatko’s claims and, if necessary, take strong and swift action against Twitter to ensure Twitter user data is properly protected,” Markey wrote.

Twitter told The Associated Press the complaint is “a false narrative” that is “riddled with inconsistencies and inaccuracies and lacks important context.” It said Zatko’s “allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.” 

The complaint comes at a difficult time for the company as it prepares to go to trial with Elon Musk, hoping to enforce his purchase agreement to buy the company for $44 billion. Earlier this year Twitter also made another settlement with the FTC for $150 million after being accused of improperly using consumer data to target advertisements.

Social media companies in general are facing more scrutiny over user data privacy, including the FTC looking to make stronger data privacy rules and Congress working on bipartisan bicameral privacy legislation that has passed out of committee.

The Complaint

In the complaint, Zatko tells the story of how Twitter’s CEO Jack Dorsey recruited him after teenagers hacked the accounts of former President Barack Obama, then-presidential candidate President Joe Biden and other influential people soliciting bitcoin, which “triggered a global security incident,” according to the complaint.

One of his main tasks was creating a report looking into the company’s failures.

Zatko turned into a well-regarded cybersecurity professional, working for the U.S. Defense Advanced Research Projects Agency.

The report was highly critical, warning the company could be susceptible to an “Equifax-level” hack.

Security issues lie within the “fundamental architecture” of the platform, according to the complaint. Specifically, too many Twitter staff — about half of the 10,000-plus members — are given too much access to anyone’s account, Zatko said.

That level of access granted to the social media company’s employees created an “anomalously high rate of security incidents — approximately one security incident each week serious enough that Twitter was required to report it to government agencies,” according to the complaint.

When it came time to present his findings, Zatko was met with “defensiveness and denial” from the company’s CEO Parag Agrawal, according to the complaint. Zatko also alleged that Agrawal committed fraud through various statements and failed to take the report seriously.

Zatko’s whistleblower complaint also laid out other security risks about disinformation and attempts by foreign governments to become involved with the company.

Twitter also prioritized growth over spam reduction by offering executives up to $10 million bonuses for increasing the number of daily users, according to the complaint.

The company also misled regulators in Ireland and France, Zatko alleged.

Even after he was fired, Zatko continued working on reporting the security and fraud issues outlined in the complaint with Twitter’s chief compliance officer, according to the complaint. 

Overall, he took the job because he saw Twitter as a “critical public resource” and wanted to help create better change, according to the complaint. 

However, without seeing those changes, “with a heavy heart, … [Zatko] has concluded that these lawful disclosures are his ethical obligation,” the complaint said.

Madeline can be reached at [email protected] and @MadelineHughes