Twitter now has a whistleblower problem of its own. Last week, the company’s former head of security, Pieter “Mudge” Zatko, went public with an extensive whistleblower complaint detailing numerous security lapses and other issues he experienced during his tenure.
Much of the complaint details specific security problems he encountered. It also repeatedly blasts Twitter’s executives for putting user and revenue growth ahead of platform safety, and claims that in some cases executives lied to both twitter’s board and the public about these issues.
But some of the most striking claims in the documents published by The Washington Post, which include the 84-page whistleblower complaint, as well as a report on the company’s misinformation policies, are about much more than a culture of growth at all costs. They detail significant lapses in the company’s security, and executives who were either absent or unconcerned by the risk presented by these practices. They also help shed light on the company’s at times chaotic approach to countering misinformation and other safety issues.
Notably, Twitter has said little about most of these claims. The company has said the whistleblower complaint is “riddled with inaccuracies,” but hasn’t elaborated. In fact, the company has largely declined to publicly address the specific issues raised by Zatko in any way in the week since the complaint became public
But while many have focused on Zatko’s allegations that Twitter lied to Musk about the prevalence of bots, there are several other claims that merit scrutiny — none of which have been addressed by Twitter in any detail. The company didn’t respond to questions about the substance of Zatko’s claims.
Twitter might have foreign agents on its payroll
Some of the most explosive claims made by Zatko are those that talk about how Twitter’s interactions with foreign governments and organizations could be endangering national security. Among the issues he raises: Twitter could have people working for foreign governments on staff.
He states that at least one agent of the Indian government was on the company’s payroll, and claims that a U.S. government source separately warned that there was at least one employee “working on behalf of another particular foreign intelligence agency.” It’s unclear what country the source was referring to but, crucially, it wouldn’t be the first instance of a Twitter worker spying for another country.
He also raises concerns about Twitter’s ongoing financial relationship — presumably via advertising — with “Chinese entities” and how they may be able to use the company’s tools to identify people using VPNs to circumvent the country’s ban on the service. “Mr. Zatko was told that Twitter was too dependent on the revenue stream to do anything other than attempt to increase it,” the complaint says.
Jack Dorsey was ‘disengaged,’ Parag Agrawal allowed problems to ‘fester’
Throughout the complaint, Zatko describes interactions with Jack Dorsey and current CEO Parag Agrawal (Agrawal was Chief Technology Officer when Zatko first joined the company). Neither executive comes off particularly well.
The complaint notes that Dorsey personally recruited Zatko for the job as head of security, yet once he started, Zatko says Dorsey was either absent or bizarrely silent. According to the complaint, the two executives had “no more than six” one-on-one phone calls — during which Dorsey ”cumulatively spoke perhaps fifty words” — in the entire time they worked together. (Dorsey later tweeted that this was “completely false.”) Zatko, perhaps charitably, describes Dorsey’s demeanor as “disengaged,” and says the CEO was “experiencing a drastic loss of focus” in 2021. Zatko’s experience was apparently not unique either.
From the complaint:
In some meetings-even after he was briefed on complex corporate issues Dorsey did not speak a word. Mudge heard from his colleagues that Dorsey would remain silent for days or weeks. Worried about Dorsey’s health, the senior team mostly tried to cover up for him, but even mid- and lower-level staff could tell that the ship was rudderless.
Zatko also describes a strained relationship with Agrawal, both while he was CTO and later when he took over the CEO role after Dorsey stepped down. The complaint at one point notes that some of Twitter’s biggest problems “had developed under Agrawal’s watch.” He claims Agrawal was well aware of the company’s security issues, but did little to address them because “Agrawal had caused them, or allowed them to fester, in his role as CTO.” In one incident described by the former security chief, Agrawal was notified of a “huge red flag” but made no effort to look into it further.
In or around August 2021, Mudge notified then-CTO Agrawal and others that the login system for Twitter’s engineers was registering, on average, between 1500 and 3000 failed logins every day, a huge red flag. Agrawal acknowledged that no one knew that, and never assigned anyone to diagnose why this was happening or how to fix it.
More worryingly, he claims that Agrawal told him to lie to Twitter’s board of directors about how bad Twitter’s security problems were. And he says he was ultimately fired when he attempted to correct the misleading information they had been provided. (Agrawal told Twitter staffers that Zatko was fired for “ineffective leadership and poor performance.” Zatko, via his lawyers, has disputed the claim.)
Twitter’s internal security practices were shockingly lax
Zatko joined Twitter at the end of 2020 to shore up the company’s systems and practices following a high profile and extremely embarrassing hack in which teenage Bitcoin scammers were able to take over some of accounts of some of Twitter’s most influential users. So it’s not surprising that he identified several security issues soon after joining. But the complaint describes a number of “egregious deficiencies” that were clearly worse than anything Zatko had anticipated.
For example, he repeatedly points out that employee devices were poorly managed. Unlike many companies of Twitter’s size, it had no MDM (mobile device management) policy “leaving the company with no visibility or control over thousands of devices used to access core company systems.” Likewise, Zatko claims that many employee computers were also not properly maintained. According to him, more than 30 percent of employee devices had software updates disabled.
Twitter, he says, “did not actively monitor what employees were doing” on their devices. To the point that Twitter repeatedly caught employees “intentionally installing spyware on their work computers at the request of external organizations,” and that their actions often came to light merely “by accident.”
The fact that Twitter did so little to monitor employee devices was even more concerning because, according to Zatko, roughly half of the company’s 10,000 employees were “given access to sensitive live production systems and user data in order to do their jobs.” He also claims Agrawal “misrepresented the truth” when he claimed the company had tightened access following the 2020 hack.
The company told The Washington Post it had improved its security practices since 2020, but hasn’t elaborated.
Twitter’s data centers were at risk of a “company ending” failure
According to Zatko, Twitter’s data centers were in such a sorry state that there was a nonzero risk that Twitter could lose service — permanently.
From the complaint:
Mudge was shocked to learn that even a temporary but overlapping outage of a small number of datacenters would likely result in the service going offline for weeks, months, or permanently. … On top of this all engineers had some form of access to the data centers, the majority of the systems in the data centers were running out of date software no longer supported by vendors, and there was minimal visibility due to extremely poor logging.
According to Zatko, these issues were so serious they could have potentially triggered “an existential company ending event.” Later, he says that just such a scenario almost occurred in the Spring of 2021, when “Twitter engineers working around the clock were narrowly able to stabilize the problem before the whole platform shut down.”
New features like Fleets, Spaces and Birdwatch had safety issues
Twitter has been racing to create new features over the last year and a half as it’s faced pressure to grow its user base and revenue. But according to the whistleblower documents, major new features sometimes launched without adequately accounting for safety.
For example, Zatko claims that Fleets, the company’s now defunct disappearing tweets feature, “avoided undergoing security and privacy reviews before launch.” The complaint notes that Twitter engineers had to race to address privacy issues that cropped up soon after its launch. A separate report on misinformation at Twitter also raised issues with Fleets. It states that the feature was originally slated to launch prior to the 2020 election, but that the company’s safety team had to “beg” to get the launch pushed to back until after the election
Multiple interviewees reported that they had to “beg” the product team not to launch before the election because they did not have the resources or capabilities to [take] action on disinformation or misinformation on a new product during such a busy, critical time.
Zatko also alleges that another high profile new feature, Spaces, had significant issues with content moderation.
“In December 2021, an executive incorrectly told staff and Board members that Twitter’s “Spaces” product was being appropriately moderated. But Mudge researched and discovered that about half of “Spaces” content flagged for review was in a language that the moderators did not speak, and that there was little to no moderation happening.”
Smaller experiments also ran into issues. Birdwatch, the company’s collaborative fact checking feature, also a “pain point” for Twitter’s safety team, who worried QAnon-supporting accounts may join. That concern was apparently well-founded as one was discovered the night before the experiment went public.
In launching Twitter’s Birdwatch program, members of the SI [Site Integrity] team said that they were involved in the process throughout, and made suggestions as to how the product could be more secure, including specifically warning that users aligned with QAnon would likely attempt to join. However, feedback was not incorporated in an attempt to keep the product open, leading to a last-minute scramble to secure the product launch. On the evening before Birdwatch launched, Twitter realized that an overt QAnon account had been accepted into the Birdwatch program.
Twitter lacks adequate resources for addressing misinformation
These issues are further detailed in a separate document, also published by The Washington Post, addressing Twitter’s misinformation policies. The report, prepared at Mudge’s request by an outside firm, found that the company is “consistently behind the curve in actioning against disinformation and misinformation threats.” It concluded that “a lack of investment in critical resources, and reactive policies and processes have driven Twitter to operate in a constant state of crisis that does not support the company’s broader mission of protecting authentic conversation.”
The report details just how understaffed these teams are at Twitter, noting that the company relied on internal “volunteers” to staff up its misinformation efforts during the 2020 presidential election, It also repeatedly points out that the company lacks the staff or resources to effectively monitor misinformation and other threats in languages other than English. “Despite having a global mission, persistent gaps in resources, tools, and capabilities we identified means Twitter does not have the capabilities to operate globally — including in priority markets – when it comes to misinformation and disinformation,” the report’s authors write.
Zatko claims other Twitter executives attempted to “hide the findings” of the “damning independent report.”
Twitter’s internal support was at times nonexistent and ‘inappropriate’
Tracking misinformation and dealing with content moderation wasn’t the only area where Zatko says Twitter at times struggled to keep up. He reports that the @TwitterSupport account was “historically unmanned.” And that when he started there was a backlog of more than 1 million support cases including “items such as harassment, violations of various rules, and reported accounts and tweets, problems with accounts.”
While he says he oversaw improvements that substantially cut down the number of cases in the backlog. “it was historically the norm that cases in backlogs would eventually become so old that they would be silently closed, which most would agree is inappropriate support.”
Much of what happens next will be up to the government agencies investigating the claims — details were sent to the Justice Department, SEC and FTC — but it will also make things a lot more complicated for the company in the short term.
Twitter was already in the midst of a high-stakes legal battle with Elon Musk over his $44 billion acquisition, and Musk is already using the complaint to try to delay the trial and fuel his arguments for reneging on the deal. (In a statement, Zatko’s lawyers said his compliance with a subpoena from Musk was “involuntary,” and that “he did not make his whistleblower disclosures to the appropriate governmental bodies to benefit Musk or to harm Twitter, but rather to protect the American public and Twitter shareholders.”)
The disclosures have also caught the attention of Congress, and Zatko is scheduled to testify to the Senate Judiciary Committee on September 13th. “Mr. Zatko’s allegations of widespread security failures and foreign state actor interference at Twitter raise serious concerns,” committee chair Sen. Dick Durbin said in a statement. “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world.”
Twitter, naturally, hasn’t commented on the upcoming Senate hearing, Musk’s subpoena or potential investigations by the FTC or SEC.