Twitter now has its own problem with whistleblowers. Last week, the company’s former chief security officer, Pieter “Mudge” Zatko, published a far-reaching whistleblower complaint detailing security flaws and other issues he encountered during his tenure.
Much of the complaint details the specific security issues he encountered. He also criticizes Twitter executives for putting user growth and profit ahead of the platform’s security, saying that in some cases executives lied to Twitter’s board of directors and the public about those issues.
But some of the most striking claims in the documents published by The Washington Post, which include the whistleblower’s 84-page complaint as well as a report on the company’s disinformation policies, go well beyond a culture of growth at all costs. They describe serious lapses in the company’s security and executives who were absent or oblivious to the risk those practices posed. They also shed light on the company’s chaotic approach to combating misinformation and other security issues.
Notably, Twitter has said little about most of those claims. The company said the whistleblower’s complaint was “riddled with inaccuracies,” but gave no details. In fact, the company has largely declined to publicly address the specific issues Zatko raised in the week since the complaint became public.
But while many have focused on Zatko’s allegation that Twitter lied to Musk about the prevalence of bots, there are several other claims that deserve careful attention, none of which Twitter has discussed in detail.
Zatko’s claims
Some of the most explosive claims Zatko makes concern how Twitter’s interactions with foreign governments and organizations could jeopardize national security. Among the problems he raises: Twitter may have people working for foreign governments on its staff.
He claims that at least one Indian government agent was on the company’s payroll and that a U.S. government source was on the payroll. The U.S. Department of Homeland Security warned that there was at least one employee “working on behalf of some other specific foreign intelligence agency.” It is not known which country the source was referring to, but notably, it would not be the first instance of a Twitter employee spying for another country.
He also raises concerns about Twitter’s ongoing financial arrangements, apparently through advertising, with “Chinese entities,” and how they could use the company’s data to identify people using VPNs to circumvent the country’s ban on the service. “Mr. Zatko was told that Twitter was too dependent on the flow of profit to do anything other than pay to build it,” the complaint said.
Throughout the complaint, Zatko describes his interactions with Jack Dorsey and the current CEO, Parag Agrawal (who was chief technology officer when Zatko first joined the company). Neither executive comes off well.
The complaint notes that Dorsey personally recruited Zatko for the position of security chief, but once he started, Zatko says Dorsey was absent or strangely silent. According to the complaint, the two had “no more than six” one-on-one phone calls, in which Dorsey “accumulated maybe fifty words,” over the duration of their collaboration (Dorsey later tweeted that this was “completely wrong”). Zatko, perhaps charitably, describes Dorsey’s behavior as “disconnected” and says the CEO “is experiencing a drastic loss of focus” in 2021. Zatko’s experience was apparently not unique.
From the complaint:
In some meetings, even after being briefed on the company’s complex issues, Dorsey didn’t say a word. Mudge heard from his colleagues that Dorsey would remain silent for days or weeks. Even mid- and lower-level staff, however, could tell that the ship had no rudder.
Zatko also describes a strained relationship with Agrawal, both when he was chief technology officer and later when he took over as CEO after Dorsey’s resignation. At one point, the complaint notes that some of Twitter’s biggest problems “had evolved under Agrawal’s supervision.” He says Agrawal was well aware of the company’s security issues but did little to address them, because “Agrawal had caused them or let them get worse in his role as CTO.” In one incident described by the former security chief, Agrawal was informed of a “big red flag” but made no effort to look into it.
Around August 2021, Mudge informed Agrawal, then CTO, and others that the Twitter engineers’ login system recorded, on average, between 1500 and 3000 login errors each day, a massive red flag. Agrawal claimed that no one knew, and never commissioned anyone to diagnose why it was failing or how to fix it.
More troublingly, he claims Agrawal told him to lie to Twitter’s board of directors about the severity of Twitter’s security issues. And he says Agrawal ultimately fired him when he tried to correct the misleading information that had been given to the board. (Agrawal told Twitter staff that Zatko was fired for “ineffective leadership and poor performance.” Zatko, through his lawyers, disputed this claim.)
Zatko joined Twitter in late 2020 to bolster the company’s systems and practices following a high-profile and deeply embarrassing hack in which teenage Bitcoin scammers took over the accounts of some of Twitter’s most influential users. So it is not surprising that he found several security issues shortly after his arrival. But the complaint describes a number of “glaring shortcomings” that were evidently worse than Zatko had anticipated.
For example, he repeatedly notes that employees’ devices were mismanaged. Unlike many companies of Twitter’s size, it had no MDM (mobile device management) policy, “which left the company without visibility into thousands of devices used to access the core of the company.” Similarly, Zatko claims that many employees’ computers were poorly maintained: according to him, more than 30% of employees’ devices had software updates disabled.
Twitter, he says, “wasn’t actively tracking what employees were doing” on their devices. So much so that Twitter repeatedly caught employees “intentionally installing spyware on their work computers at the request of outside organizations,” and their actions were discovered only “by accident.”
The fact that Twitter did so little to monitor employees’ devices matters all the more because, according to Zatko, roughly some of the company’s 10,000 employees “had access to sensitive live production systems and user data to do their jobs.” He also claims that Agrawal “distorted the truth” when he claimed the company had restricted access after the 2020 hack.
The company told The Washington Post that it has improved its security practices since 2020, but gave no further details.
According to Zatko, Twitter’s data centers were in such a deplorable state that there was a non-zero risk that Twitter could lose service permanently.
From the complaint:
Mudge was surprised to be informed that even a transient but overlapping outage of a small number of data centers would likely result in the service being disconnected for weeks, months, or permanently… In practice, all engineers had some form of production data access, most production systems ran on outdated software that was no longer supported by vendors, and visibility was minimal due to incredibly poor logging.
According to Zatko, those problems were so severe that they could have potentially triggered “an existential business termination event.” Later, he says, such a situation nearly occurred in the spring of 2021, when “Twitter engineers working 24 hours a day were able to narrowly stabilize things before the full platform stopped.”
Twitter has rushed to create new features over the past year, in part because it faced pressure to grow its user base and revenue. But according to the whistleblower’s documents, major new features were introduced without sufficient attention to security.
For example, Zatko claims that Fleets, the company’s now-defunct disappearing-tweet feature, “avoided undergoing security and privacy reviews prior to its release.” The complaint notes that Twitter’s engineers had to rush to fix privacy issues that arose shortly after its launch. A separate report on disinformation on Twitter also raised issues with Fleets. It says the feature was originally intended to launch before the 2020 election, but the company’s security team had to “beg” for the launch to be postponed until after the election.
Several interviewees indicated that they had to “beg” the product team not to launch before the election because they did not have the resources or the ability to [take] action against misinformation or disinformation on a new product in such a busy and critical period.
Zatko also alleges that the high-profile new feature Spaces had significant content moderation problems.
“In December 2021, an executive incorrectly told staff and board members that Twitter’s ‘Spaces’ product was properly moderated. But Mudge did some research and found that some of the content in ‘Spaces’ was marked for review in a language that moderators didn’t speak, and that there was little or no moderation.”
Smaller experiments also had problems. Birdwatch, the company’s collaborative fact-checking feature, was also a “hot spot” for Twitter’s security team, which feared that accounts backing QAnon would join. This fear proved well founded: one such account was discovered the day before the experiment launched.
At the launch of Twitter’s Birdwatch program, members of the SI [Site Integrity] team said they were concerned about the process and gave advice on how the product could be made safer, in particular adding the caution that users aligned with QAnon were likely to try to join. However, the feedback was not incorporated in an attempt to keep the product open, which led to a last-minute scramble to secure the product’s launch. The day before Birdwatch’s launch, Twitter learned that an overt QAnon account had been accepted into the Birdwatch program.
These issues are covered in more detail in a separate report, also published by The Washington Post, dealing with Twitter’s disinformation policies: “… to action against disinformation and threats of disinformation.” It concluded that “the lack of investment in critical resources and responsive policies and processes have led Twitter to operate in a state of constant crisis that does not help the company’s broader project of protecting the original conversations.”
The report largely focuses on the understaffing of those teams at Twitter, noting that the company relied on internal “volunteers” to bolster its disinformation efforts during the 2020 presidential election. It also repeatedly notes that the company lacks the staff or resources to adequately monitor disinformation and other threats in languages other than English. “Despite its global mission, the persistent gaps in resources, teams and functions we’ve known about mean Twitter doesn’t have the capabilities to function globally, including in priority markets, when it comes to misinformation and disinformation,” the report’s authors write.
Zatko says Twitter executives tried to “hide the findings” of the “damning independent report.”
Tracking misinformation and managing content moderation weren’t the only areas where Zatko says Twitter struggled to keep up. He reports that the @TwitterSupport account “historically had no staff,” and that when he started there was a backlog of more than a million support cases, including “elements such as harassment, violations of various rules, reported accounts and tweets, problems with accounts.”
He says he oversaw changes that significantly reduced the number of cases in the backlog. Previously, the practice had been that pending cases would eventually grow so old that they were closed in silence.
Much of what happens next will depend on the government agencies investigating the claims (the main points have been sent to the Justice Department, the SEC, and the FTC), but the complaint will also make things much more complicated for the company in the short term.
Twitter was already in the midst of a high-stakes legal battle with Elon Musk over his $44 billion acquisition, and Musk is already using the complaint to try to delay the case and bolster his arguments for backing out of the deal. (In a statement, Zatko’s lawyers said his compliance with a Musk subpoena was “unintentional” and that he “did not make his whistleblower disclosures to the appropriate government agencies to gain advantage for Musk or harm Twitter, but to protect the American public and Twitter shareholders.”)
The revelations also caught the attention of Congress, and Zatko is scheduled to testify before the Senate Judiciary Committee on Sept. 13. … in a statement. “If those claims are accurate, they could reveal serious dangers to the privacy and data security of Twitter users around the world.”
Twitter, of course, declined to comment on the upcoming Senate hearing, Musk’s subpoena, or any possible FTC or SEC investigations.