Whistleblower’s allegations could mean trouble for Twitter

On Tuesday morning, the Washington Post and CNN simultaneously published stories alleging that senior executives at Twitter—including Parag Agrawal, its CEO—had deliberately misled federal regulators about how secure the company’s operations were, and had given foreign agents access to “sensitive user data.” The allegations came from Peiter Zatko, the former head of security at Twitter, in a lengthy document that was shared with both the Post and CNN, as well as with several members of Congress, the Federal Trade Commission, the Securities and Exchange Commission, the Justice Department, and the Senate Intelligence Committee. The Post says the complaint “depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users, including government agencies, heads of state, and other influential public figures.”

Rebecca Hahn, a Twitter spokesperson, told the Post that Zatko was fired after 15 months for “poor performance and leadership,” and that his allegations were “riddled with inaccuracies.” She also said, per the Post, that Twitter has “tightened up” its security processes since 2020, and that it has “rules about who can access company systems,” adding that Twitter removes more than a million spam accounts every day and “fully stands by” its SEC filings. According to the Post’s report, “a person familiar with Zatko’s tenure said the company investigated Zatko’s security claims during his time there and concluded they were sensationalistic and without merit.” In an interview with the Post, Zatko, who was fired in January, said he “felt ethically bound” to blow the whistle on Twitter because of the potential security implications of the company’s behavior. He is being represented by Whistleblower Aid, the same nonprofit legal organization that represented Frances Haugen, the former Facebook staffer turned whistleblower.

According to CNN’s report, Zatko, 51, is a well-respected hacker and security expert who “led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet” before he joined Twitter. The Post says that by the time he was 30, Zatko had “written one of the most powerful tools for cracking passwords, testified to Congress under his hacker handle about the susceptibility of the internet to drastic hacks, and co-founded one of the first hacking consultancies backed by venture capital.” Jack Dorsey, the co-founder and former CEO of Twitter, hired Zatko in late 2020 after a hacker gained access to the Twitter accounts of famous users such as Barack Obama.


Zatko’s allegations against Twitter cover a wide range of behavior, from under-counting spam—an accusation similar to the one at the core of Elon Musk’s ongoing legal battle over his attempted, then suspended, $44 billion acquisition of the company—to “negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil and/or censor the company’s platform.” Casey Newton writes in his technology newsletter, Platformer, that the complaints “go on for dozens of pages, and have a kitchen-sink quality reminiscent of a jilted husband suing for custody of a child.” On the topic of Zatko’s credibility, Newton writes that some people he knows “deeply respect and trust him, and many of them tweeted tributes to him,” but others had less favorable opinions, and some of those tweeted their thoughts as well. (A Twitter staffer who worked with Zatko told the Post, “He’s a total savant, but also a bit of a bull in a china shop.”)

Newton argues that Zatko’s allegations fall into several categories, including “what seems plausible and worrisome” and “what seems likely wrong.” The claim that Twitter’s security is lax is believable, Newton says, given earlier incidents (the accidental suspension of Dorsey’s Twitter account in 2016; the brief disabling of Trump’s account by a contractor in 2017). One thing Newton questions, however, is whether the “foreign agents” in India that Zatko refers to are simply the local Twitter employees required by the country’s new information laws. “If Zatko’s ‘agent’ is just the legally required grievance officer that Twitter and every other platform like it is required to have, it would significantly damage the credibility of his allegations,” Newton writes. The details of those and other accusations are likely to come out during investigations by the Senate Intelligence Committee or in other congressional hearings, which are already in the works.


Much of the speculation following the release of Zatko’s document, which alleges that Twitter doesn’t properly count spam and bots, has focused on whether it might help the case of Musk, who halted his acquisition of the company after accusing it of providing “misleading representations” of the number of spambots on the platform. Matt Levine argues in his Bloomberg column that it probably will not; the central issue in the Musk case, Levine says, “is whether Twitter has been lying in its securities filings when it says it estimates that fewer than 5% of its ‘monetizable daily active users’ are spam or bot accounts. And Zatko is pretty unambiguous that, no, Twitter’s numbers are correct.” Zatko’s complaint is that Twitter doesn’t disclose how many spam and bot accounts exist outside the “monetizable daily active users” figure, whereas Musk argues that too many such accounts are counted inside the mDAU estimate itself.

One potentially serious implication of Zatko’s whistleblowing is that Twitter could be found to be in breach of an FTC consent order it agreed to in 2011, after accusations that it mishandled users’ private information and allowed too many employees to have access to Twitter’s internal controls. Under the order, Twitter promised to create and maintain “a comprehensive information security program.” Zatko alleges that the company has never been in full compliance with the order, which could lead to a significant fine if the FTC agrees. “Twitter employees have already been through the wringer over the last year: The CEO switch. The on-again, off-again takeover bid by the platform’s biggest, richest troll. Executive firings. The mass staff exodus,” Issie Lapowsky of Protocol wrote. As the company tries to defend itself against Zatko’s accusations, she noted, “the worst may be yet to come.”

Here’s more on Twitter:

  • Attack template: Nirit Weiss-Blatt, a researcher and former fellow at the University of Southern California’s Annenberg School for Communication, writes for Tech Policy Press about how Twitter’s response to Zatko’s accusations and Meta’s response to Frances Haugen’s follow a “template for attacking whistleblowers.” This template, Weiss-Blatt argues, has five key elements, among them: claiming the whistleblower is pushing a “false narrative” and that the documents are taken out of context; suggesting it is frustrating to read accusations that distract from the company’s “important work”; and delegitimizing and discrediting the former employee turned whistleblower.
  • Next steps: Frank Pallone, Jr., the Democratic congressman from New Jersey and chair of the House Energy and Commerce Committee, and Cathy McMorris Rodgers, a member of Congress from Washington and the top Republican on the committee, said in a joint statement that if the whistleblower’s allegations are true, they “reaffirm” the need for Congress to pass consumer privacy legislation to safeguard Americans’ data, the Post’s Cat Zakrzewski reports. They’re not alone; Zakrzewski also notes that “Richard Blumenthal, the Democratic senator from Connecticut and head of the Senate Commerce panel focused on consumer protection, wrote a letter Tuesday to the Federal Trade Commission, calling for the agency to investigate Zatko’s claims and bring enforcement actions, including fines, against Twitter if appropriate.”
  • Health products: Twitter is combining the team that works on reducing toxic content and the team that deals with spam bots, according to a staff memo sent Tuesday that was seen by Reuters. “The social media company will combine its health experience team, which works on reducing misinformation and harmful content, with the Twitter service team, which is responsible for reviewing profiles that users report and taking down spam accounts,” the wire service reports.
  • Uncertainty: Twitter recently warned its employees that they might receive only half of their typical annual bonuses this year, as the company grapples with economic uncertainty, the New York Times reports. “Twitter, which is fighting a legal battle to complete a $44 billion sale to Elon Musk, made the announcement in an email to employees and blamed its financial performance for the potential bonus cut,” write Kate Conger and Ryan Mac. “When the company reported quarterly earnings last month, its revenue declined for the first time since 2020 and it swung to a net loss.”
Other notable stories:

  • Emily Maitlis, a former host of Newsnight on the BBC, called a BBC board member an “active agent of the Conservative party,” who is trying to shape the broadcaster’s news output by acting “as the arbiter of BBC impartiality,” according to The Guardian. Maitlis made the comments about Sir Robbie Gibb, who was appointed to the BBC’s board last year by Boris Johnson, and previously worked as director of communications for Theresa May, the former leader of the Conservative party and a former prime minister. Gibb also helped to found the rightwing GB News channel.
  • Researchers at the Stanford Internet Observatory collaborated with Graphika to analyze a large network of accounts that were removed from Facebook, Instagram, and Twitter for violating the terms of service of those platforms. It was an organized operation that the Observatory says likely originated in the United States and targeted a range of countries in the Middle East and Central Asia. “Our joint investigation found an interconnected web of accounts on Twitter, Facebook, Instagram, and five other social media platforms that used deceptive tactics to promote pro-Western narratives,” the report states.
  • Jigsaw and YouTube are planning to distribute a series of video ads in Poland, Slovakia, and the Czech Republic that are designed to help people identify and refute derogatory tropes about migrants, Protocol reported. “The campaign, which will run for a month across several social media platforms, including YouTube, is expected to garner at least 55 million impressions — roughly equal to the population of those three countries combined,” Issie Lapowsky wrote. “But the videos are more than just a marketing push to burnish YouTube’s reputation. They’re part of a years-long research project at Jigsaw on the efficacy of using video to ‘inoculate’ people against misinformation on social media.”
  • Dan Misener, co-founder of a podcast marketing company, analyzed every episode of every podcast that Spotify recommends via its various lists, then used those to generate further recommendations until he had hundreds of thousands of them. The most frequently recommended shows showed an unsurprising tilt toward Spotify originals, but Misener also found that the top recommendations included shows that play soothing music designed to help listeners relax. This phenomenon “may be a contributing factor to the success of so-called ‘white noise podcasters,’ a trend identified by Ashley Carman in June 2022,” he wrote.
  • Twitter has restored the account belonging to David M. Stone, a senior adviser to the president of Columbia University, who wrote for CJR recently about having his account suspended after he tweeted about the executions of Julius and Ethel Rosenberg in the context of the FBI search of Trump’s residence at Mar-a-Lago. According to the notice Stone received from Twitter, his tweet had amounted to “abuse and targeted harassment.” After he wrote the piece, Stone says, he got a note from the company saying his account had been restored and admitting that “it looks like we made an error.”
  • iHeartMedia, the radio-station conglomerate, says it has launched a virtual music venue called iHeartLand that is part of Fortnite, a massively multiplayer video game, according to The Hollywood Reporter. iHeartMedia announced plans earlier this year to launch its own branded virtual worlds on platforms like Roblox, another popular multiplayer video game, as part of the radio giant’s larger “Web3” strategy. “Wednesday’s launch of iHeartLand in Fortnite marks the first unveiling of iHeartMedia’s virtual world and will serve as the testing ground for future iterations of iHeartLand on other world-building games,” executives told The Hollywood Reporter.



Mathew Ingram is CJR’s chief digital writer. Previously, he was a senior writer with Fortune magazine. He has written about the intersection between media and technology since the earliest days of the commercial internet. His writing has been published in the Washington Post and the Financial Times as well as by Reuters and Bloomberg.

TOP IMAGE: FILE - The logo for Twitter appears above a trading post on the floor of the New York Stock Exchange, Nov. 29, 2021. Startling new revelations from Twitter's former head of security, Peiter Zatko, have raised serious new questions about the security of the platform's service, its ability to identify and remove fake accounts, and the truthfulness of its statements to users, shareholders and federal regulators. (AP Photo/Richard Drew, File)