Former Twitter Executive Blows Whistle on Company's "Negligent" Cybersecurity, Stating that It Lacks Even Basic Protections for User Data and Its Personnel Includes Foreign Agents

Oh -- and he delivers Elon Musk a big sloppy kiss by revealing that Twitter is unaware of the extent of its bot problem.

And he alleges that Twitter is deliberately unaware of the number of bots on the platform. It doesn't want to know the actual number, he says, because if it knew the actual number, it would be legally required to tell stockholders that number.

Or a would-be purchaser, like Elon Musk.

Twitter has major security problems that pose a threat to its own users' personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).

Zatko was fired by Twitter in January; the company claims they fired him for "poor performance."

Maybe. Or maybe he didn't do what he was told and cover up all of the security problems and put a Happy Face Bandaid on them.

...

In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company. Twitter also said the company provides clear tools for users to control privacy, ad targeting and data sharing, and added that it has created internal workflows to ensure users know that when they cancel their accounts, Twitter will deactivate the accounts and start a deletion process. Twitter declined to say whether it typically completes the process.

...

Some of Zatko's most damning claims spring from his apparently tense relationship with Parag Agrawal, the company's former chief technology officer who was made CEO after Jack Dorsey stepped down last November. According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter's security problems to the company's board of directors. The company's executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company's security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent
cybersecurity issues, and went behind Zatko's back to have a third-party consulting firm's report scrubbed to hide the true extent of the company's problems.

...

The scathing disclosure, which totals around 200 pages, including supporting exhibits -- was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The existence and details of the disclosure have not previously been reported. CNN obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill. The SEC, DOJ and FTC declined to comment; the Senate Intelligence Committee, which received a copy of the report, is taking the disclosure seriously and is setting a meeting to discuss the allegations, according to Rachel Cohen, a committee spokesperson.

...

Sen. Chuck Grassley, the same panel's top Republican and an avid Twitter user, also expressed deep concerns about the allegations in a statement to CNN.

"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," Grassley said. "The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further."

Regarding bots:

Zatko says he began asking about the prevalence of bot accounts on Twitter in early 2021, and was told by Twitter's head of site integrity that the company didn't know how many total bots are on its platform. He alleges that he came away from conversations with the integrity team with the understanding that the company "had no appetite to properly measure the prevalence of bots," in part because if the true number became public, it could harm the company's value and image.

...

Twitter told CNN that the claim it doesn't know how many bots are on its platform lacks context, reiterating that not all bots are bad and adding that to focus on the total number of bots on Twitter would include those the company may have already identified and taken action against. The company also does not believe it can catch every spam account on the platform, Twitter said, which is why it reports its less-than-5% figure, which reflects a manual estimate, in its financial filings.

But Zatko told CNN he thinks there would still be value in attempting to measure the total number of spam, false or otherwise potentially harmful automated accounts on the platform....

Twitter says that it allows bots on its platform, but its rules prohibit those that engage in spam or platform manipulation. But, as with all social media platforms' rules, the challenge often lies in enforcing its policies.

The company says it regularly challenges, suspends and removes accounts engaged in spam and platform manipulation, including typically removing more than one million spam accounts each day. Twitter said the total number of bots on the platform is not a useful number.

The company declined to answer questions about the total number of accounts on the platform or the average number of new accounts added on the platform daily as context around its daily bot deletion figure.

But in casting doubt on Twitter's ability to estimate the true number of fake and spam accounts, Zatko's allegations could provide ammunition to Musk's central claim that the figure is much higher than Twitter has publicly reported.

All of this seems to have started well before Elon Musk ever began talking about the possibility of buying Twitter, so this doesn't seem like a set-up.

Musk's lawyer said he will be sending a subpoena Zatko to give evidence in his lawsuit against Twitter.

This might force Twitter to either end its lawsuit against Musk or, my preference, offer him a discounted price in the purchase.

posted by Ace at 01:29 PM

| Access Comments