The pressure on Twitter to talk publicly about how it monitors and removes spam accounts continues to mount.
Reports from CNN and The Washington Post reveal an 84-page whistleblower complaint alleging that Twitter isn’t motivated to track the true number of spam accounts and hid security vulnerabilities from federal regulators.
The complaint comes from Twitter’s former security chief, Peiter Zatko. Zatko is a well-known ethical hacker with the alias “Mudge.” He told the Post that he “felt ethically bound” to report his serious concerns to government agencies. He alleges that he was fired for pushing disinclined Twitter executives to address major security problems—which his complaint suggests “pose a threat” to Twitter “users’ personal information, to company shareholders, to national security, and to democracy.”
Zatko alleges that Twitter execs were more invested in covering up those vulnerabilities, including cherry-picking and misrepresenting data on spam accounts and security threats to regulators and Twitter’s board members. “Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users, the complaint asserts, and nothing explicitly for cutting spam,” the Post reported. These security risks, CNN reported, “could allegedly open the door to foreign spying or manipulation, hacking, and disinformation campaigns.”
How the US government is responding
The Federal Trade Commission is now reviewing Zatko’s complaint, which was filed in July to the FTC, the Securities and Exchange Commission, and the Department of Justice. A Senate Intelligence Committee spokesperson, Rachel Cohen, told CNN that the committee is also taking the complaint seriously and has set up a meeting to discuss Zatko’s allegations.
Zatko’s lawyer at Whistleblower Aid, John Tye, told CNN that Zatko has not been in touch with potential Twitter buyer Elon Musk. That doesn’t mean, however, that Musk won’t benefit from these reports.
The Post notes in a separate report that Zatko’s complaint may give Musk the “ammunition” the Tesla CEO needs in his legal battle over terminating his Twitter buyout. Musk’s lawsuit hinges partly on his claim that the social media company misled him into paying more for Twitter than it’s worth by vastly misreporting the total number of spam accounts. A chunk of Twitter’s valuation comes from advertising sales based on promised exposure to legitimate users. Therefore, the number of spam accounts matters to Musk as much as it does to regulators tracking Twitter security risks.
Twitter questioned whether Zatko’s motivations were ethical or perhaps reflected some malicious intent. “Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders,” a Twitter spokesperson told CNN. “Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Twitter, Musk, Musk’s legal team, and the DOJ did not immediately respond to Ars’ requests for comment. The FTC and SEC declined to comment to Ars.
One of Musk’s attorneys, Alex Spiro, told CNN that Musk has already issued a subpoena for Zatko, noting that Musk’s legal team found Zatko’s dismissal from Twitter earlier this year “curious” when considered “in light of what” they’ve found since filing the lawsuit.
Twitter isn’t being completely forthcoming. CNN submitted more than 50 questions to Twitter, which only answered some. Addressing the complaint overall, however, a Twitter spokesperson told CNN that Zatko’s complaint was pushing a false “narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.”
Zatko’s legal team rejected Twitter’s characterization of the complaint.
“Mudge stands by everything in his disclosure, and his career of ethical and effective leadership speaks for itself,” Tye told Ars. “The focus should be on the facts laid out in the disclosure, not ad hominem attacks against the whistleblower.”
In total, Zatko’s disclosure spans 200 pages. The Post linked to redacted copies of the disclosure, which include Zatko’s final report to Twitter describing all the security issues he alleges Twitter leadership willfully overlooks.
CNN reported that Twitter risks billions in FTC fines if discovered to be, as Zatko alleges, violating a 2010 FTC agreement to address federal regulators’ security concerns.