A Twitter whistleblower is alleging “extreme, egregious deficiencies by Twitter” related to privacy, security and content moderation, according to complaints filed with the Securities and Exchange Commission, Federal Trade Commission and Department of Justice and published by The Washington Post.
The complaints were filed by nonprofit law firm Whistleblower Aid, which is representing Twitter’s former head of security Peiter “Mudge” Zatko. Whistleblower Aid, which also represented Facebook whistleblower Frances Haugen, verified the authenticity of the documents with CNBC.
Shares of Twitter are down about 3.5% in premarket trading.
In a complaint with the SEC, Zatko alleges that he “witnessed senior executive engaging in deceitful and/or misleading communications affecting Board members, users and shareholders” on multiple occasions in 2021, during which CEO Parag Agrawal asked Zatko to provide false and misleading documents.
In his final report for Twitter after he was terminated, according to whistleblower documents published by the Post, Zatko charged that the company failed to accurately represent four key issues to the board: out-of-date software that lacked basic security measures, “Gross problems” in who could access or control systems and data, problematic internal processes and a “volume and frequency of security incidents impacting a large number of users’ data that is frankly stunning.”
Zatko alleged in the report that more than half of Twitter’s 500,000 servers were running out-of-date software and more than a quarter of employee computers have disabled software updates that can provide important security patches. He said Twitter’s alleged practice of granting broad access to the platform’s production environment was “unheard of in a company the age and importance of Twitter, where nearly all employees have access to systems or data they should not.”
If government regulators were to find Twitter misled consumers about its security protocols, that may be considered a violation of its 2011 agreement with the FTC. At the time, Twitter was barred for 20 years from misleading consumers about how it protects their security and private information. The agreement also required Twitter to create and maintain a comprehensive information security program to be evaluated by an independent auditor for ten years.
A spokesperson for the Senate Select Committee on Intelligence said in a statement that the panel has also received the complaint “and is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
The whistleblower complaint mentions misrepresentations by Twitter to Elon Musk, who is locked in a legal battle seeking to back out of a deal to purchase the social media company, over the Tesla CEO’s “doubts on the accuracy of Twitter’s claim in legal findings that <5% of accounts are ‘bots,’ or automated spam accounts.”
A lawyer representing Zatko said the former Twitter employee has had no contact with Elon Musk, who in July said he was withdrawing his $44 billion bid to acquire the company.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Musk attorney Alex Spiro of Quinn Emanuel told CNBC.
Musk and Twitter will meet in court in October where Delaware Court of Chancery Chancellor Kathaleen McCormick will determine if Musk is still on the hook to acquire the company.
Zatko alleges that a tweet by CEO Agrawal on May 16, which said the company is “strongly incentivized to detect and remove as much spam as we possibly can, every single day” was “a lie.” He said Twitter executives are not incentivized to detect bots and “senior management had no appetite to properly measure the prevalence of bot accounts” because “if accurate measurements ever became public, it would harm the image and valuation of the company.”
Zatko further alleged that the company didn’t have proper security controls in place. According to The Washington Post, about 7,000 Twitter employees had “wide access to the company’s internal software and that access was not closely monitored.”
Twitter in a statement said Zatko was fired in January “for ineffective leadership and poor performance.”
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a Twitter spokesperson told CNBC. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”