A version of this story appears in CNN’s What Matters newsletter.
This is quite the plot turn: The man brought in to make Twitter more secure has lodged an official whistleblower disclosure warning about Twitter’s security.
It was after a massive hack that compromised high-profile accounts in 2020 that Twitter’s co-founder and then-CEO Jack Dorsey recruited Peiter Zatko, a hacking legend and early evangelist for cybersecurity.
Now Zatko, who said he sees the platform as essential to democracy, has filed a whistleblower disclosure with the government that alleges Twitter’s negligence endangers users’ security and national security.
CNN and The Washington Post were first to report on the developments. CNN’s full report has the complete context and Twitter’s side of the story.
Call him ‘Mudge’
Zatko goes by the nom de guerre “Mudge,” which he used to testify before Congress about cybersecurity in the 1990s, when he looked the part of a computer hacker out of central casting. He first appeared on CNN back in 2000.
“This is a warning from a Chuck Yeager saying, ‘I am worried about the danger of that plane,’” said Garrett Graff, a CNN analyst and contributing editor at WIRED, appearing on “New Day” on Tuesday and drawing a comparison between Zatko and Yeager, the heroic test pilot.
‘A critical task at Twitter’
Even though Twitter fired Zatko in January, months after Dorsey stepped down, he said he is looking out for the company by filing the whistleblower disclosure.
“Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission,” Zatko said in an interview with CNN’s Donie O’Sullivan.
Zatko could also be paid a portion of penalties if they are incurred as a result of his disclosure.
How does this affect national security?
Only about a quarter of American adults (23%) reported using Twitter in a 2021 survey, and the vast majority of tweets come from a small subset of users. The content can range from useful to offensive and flat-out wrong.
But Graff argued Twitter’s security is essential to national security because misinformation can spread so fast on the platform.
“We were all really lucky that that attack was a cryptocurrency scam, and not a foreign intelligence service or a hacker trying to start nuclear war,” Graff said of the 2020 hack that led to Zatko’s hiring at Twitter. “Twitter, in many ways, is where wars can start in this moment. The information could move there faster in an attack than anyone would be able to respond to.”
Twitter and foreign agents
The security implications are more pointed when it comes to governments that have a track record of targeting dissidents.
O’Sullivan points out in his report with CNN’s Clare Duffy and Brian Fung that a former Twitter manager, Ahmad Abouammo, was convicted of spying for Saudi Arabia earlier this month.
Another employee accused of accessing Twitter accounts on behalf of Saudi Arabia, Ali Alzabarah, left the United States before being charged.
Bader Al-Asaker, who prosecutors say recruited Abouammo, Saudi Arabia’s crown prince and Twitter itself were not among the defendants.
Separately, the whistleblower disclosure suggests that shortly before Zatko’s firing, the US government provided Twitter with specific evidence that at least one of its employees, and perhaps more, was working for another government’s intelligence service. It is not clear whether Twitter acted on the tip.
Too many people can access Twitter’s controls
A main issue in the whistleblower filing is the allegation that Twitter gives too many of its staff access to the platform’s central controls, making it more susceptible to hacking.
From CNN’s report:
After the January 6 insurrection, Zatko was concerned about the possibility someone within Twitter who sympathized with the insurrectionists could try to manipulate the company’s platform, according to his disclosure. He sought to clamp down on internal access that allows Twitter engineers to make changes to the platform, known as the “production environment.”
But, the disclosure says, Zatko soon learned “it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did. … Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”
Twitter told CNN that people on the company’s engineering and product teams are authorized to access the production environment if they have a specific business justification for doing so.
Hiding the problem
There’s a lot more in the roughly 200-page report. Among the chief allegations is that Twitter executives have tried to hide the security problems even from the company’s board of directors and that Zatko was pressured to misrepresent data to create the perception of progress.
Another allegation is that Twitter has misled regulators about whether it deletes users’ data as it is required to do.
The disclosure also suggests the company does not know, and is unable to determine, how many bots are on the platform, something that is certain to feature in Elon Musk’s ongoing attempt to back out of buying Twitter.
Why this is important
“Your whole perception of the world is made from what you are seeing, reading and consuming online, and if you don’t have an understanding of what’s real, what’s not – yeah, I think this is pretty scary,” Zatko told O’Sullivan, who asked if Zatko was nervous.
“Yeah, I am,” he said. “This wasn’t my first choice. But yeah, I just want to make the world a better place, a safer place. The levers that I have to do it are through security, information and privacy.”
What does Twitter say?
“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” a Twitter spokesperson told CNN.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
How did CNN see the whistleblower disclosure?
The disclosure was sent in July to an alphabet soup of government watchdogs – the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Department of Justice (DOJ). Lawmakers have also received the disclosure.
A Democratic aide on Capitol Hill provided the disclosure to CNN, although it has created bipartisan concern.
In May, Twitter agreed to pay $150 million in penalties after the FTC accused it of asking users for private information to secure their accounts and then profiting from that information through targeted ads. Twitter had reached an agreement with the FTC in 2011 to do more to protect users’ data and safeguard its controls.
In CNN’s report on the whistleblower disclosure, Twitter pointed to third-party audits that verify its FTC compliance.