Culture

Former Twitter security chief alleges rampant security negligence

Peiter Zatko says Twitter purposefully misled federal regulators about the platform's security measures.

MIAMI, FLORIDA - JUNE 04:  Jack Dorsey creator, co-founder, and Chairman of Twitter and co-founder &...
Joe Raedle/Getty Images News/Getty Images

Peiter Zatko, Twitter’s former head of security, says the social media company is entirely incapable of protecting its users. Zatko — who is widely known as “Mudge” — filed an extensive whistleblower complaint with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission alleging widespread security negligence across the board at Twitter.

Zatko’s complaint, a copy of which was reviewed by The Washington Post and CNN, hits at both individual instances of negligence and much broader priority issues at Twitter. Amongst the most explosive of Zatko’s allegations is that Twitter has been purposefully misleading regulators at the FTC about the site’s security. (Twitter settled with the FTC back in 2011 over “serious lapses” in its security protocols.)

The allegations here are heavy, especially when taken in conversation with Elon Musk’s own accusations that Twitter is hiding information on spam and bot accounts. In fact, Musk’s lawyers reportedly scheduled a deposition with Zatko before the publication of his complaint — timing that could be seen as quite sketchy.

Growth above all — Many of Zatko’s allegations display a company culture focused on platform growth ahead of everything else, even security. When trying to fix these issues, Zatko claims to have found many roadblocks, including a general inability to even get in contact with then-CEO Jack Dorsey. Zatko’s complaint alleges that he’d warned his colleagues that about half the company’s servers were running outdated software that made them vulnerable to attack. Overlapping outages, he told his coworkers, could leave the company entirely unable to restart its servers.

Many of the security implementations Twitter promised in its 2011 FTC settlement were not being upheld, Zatko found. One program, called the Software Development Life Cycle program, had only been rolled out to about one-tenth of the company's projects, for example.

Overall, Zatko categorizes Twitter’s security negligence as “egregious” — which may explain why the platform has experienced significant hacks in recent years.

So how’s this affect Musk? — Zatko presents very little hard evidence about bots in his complaint, so it doesn’t help to bolster his arguments in that sense. But any allegations of lying, especially in the context of security, could be great ammunition for Musk’s case against Twitter.

Actually, it seems Musk hoped he would get more firepower from Zatko’s complaint. Another WaPo piece published today mentions that Musk’s lawyers “scheduled a deposition with Zatko” before the complaint’s publication. (To be clear, Musk’s merger agreement does not hinge on spam or bot accounts, and, in fact, Musk has publicly stated that he wanted to buy Twitter to resolve that problem.)

Zatko’s complaints are sure to be taken seriously, given his former executive rank at Twitter. The company could face severe financial penalties for its lies if proven in a larger investigation.