Twitter whistleblower bringing security warnings to Congress


Peiter Mudge Zatko, the Twitter whistleblower who is warning of security flaws, privacy threats and lax controls at the social platform, will take his case to Congress on Tuesday.

Senators who will hear Zatkos testimony before the Senate Judiciary Committee are alarmed by his Twitter allegations at a time of heightened concern over the safety of powerful tech platforms.

Its Zatkos second Capitol Hill appearance, and in some ways a 21st-century echo of his first. In 1998, he testified before a Senate panel along with fellow members of a hacker collective who warned about the security dangers of the then-emerging internet age.

Zatko, a respected cybersecurity expert, was Twitters head of security until he was fired early this year. He has brought the stunning allegations to Congress and federal regulators, asserting that the influential social platform misled regulators about its cyber defences and efforts to control millions of spam or fake accounts.


Sen. Dick Durbin, the Illinois Democrat who chairs the panel, has said that if Zatkos claims are accurate, they may show dangerous data-privacy and security risks for Twitter users around the world.

Zatkos accusations are also playing into billionaire tycoon Elon Musks battle with Twitter. The Tesla CEO is trying to get out of his $44 billion bid to buy the company; Twitter has sued to force him to complete the deal. The Delaware judge overseeing that case ruled last week that Musk can include new evidence related to Zatkos allegations in the high-stakes trial set to start Oct. 17.

The allegation that Twitter engaged in deception in its handling of automated spam bot accounts is at the core of Musks attempt to back out of the Twitter deal.

At the same time, many of Zatkos claims are uncorroborated and appear to have little documentary support. In a statement, Twitter has called Zatkos description of events a false narrative.

Also on Tuesday, Twitters shareholders are scheduled to vote on the companys pending buyout by Musk. The vote is something of a formality given that the deal is on hold while the court case plays out. But if the measure passes as expected, it would also pave the way for a Musk takeover should Twitter prevail in court.

Zatko also filed complaints with the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.

The SEC is questioning Twitter about how it counts fake accounts on its platform. Twitter uses counts of its presumably real users to attract advertisers, whose payments make up about 90% of its revenue. The spam bots have no value to advertisers because theres no person behind them.

San Francisco-based Twitter has an estimated 238 million daily active users worldwide. The company says it removes 1 million spam accounts daily.

Zatkos 84-page complaint alleges that he found extreme, egregious deficiencies” on the platform, including issues with “user privacy, digital and physical security, and platform integrity/content moderation.

It accuses CEO Parag Agrawal and other senior executives and board members of making false and misleading statements to users and the FTC” about these issues. Twitter denies those claims and said that Zatko was fired in January for ineffective leadership and poor performance. Zatkos attorneys say the performance claim is false.

Twitter also hinted that Zatkos complaint might be designed to bolster Musks legal fight with the company. Twitter called Zatkos complaint a false narrative that is riddled with inconsistencies and inaccuracies, and lacks important context.” News of Zatkos complaint surfaced on Aug. 23, almost two months before the Twitter-Musk trial is scheduled to begin. . One of Zatkos attorneys has said hes never met Elon Musk. Doesnt know Elon Musk. They know people in common.

The company also says it has significantly tightened security since 2020.

Among Zatkos specific allegations: The company had such poor cybersecurity that it easily could have been exposed to outside attacks or attempts to siphon off its internal data.

The company lacked effective leadership, with its top executives practicing deliberate ignorance of pressing problems. Zatko described former CEO Jack Dorsey as extremely disengaged during the last months of his tenure, to the point where he wouldnt even speak during meetings on complex issues. Dorsey stepped down in November 2021.

— It makes a parallel but less detailed accusation that Twitter took funding from unidentified Chinese entities who may have gained access enabling them to access the identities and sensitive data of Chinese users who secretly use Twitter, which is officially banned in China.

Better known by his hacker handle Mudge, Zatko, 51, first gained prominence in the 1990s. He was the best-known member of the Boston-based collective L0pht, which pioneered ethical hacking, embarrassing companies including Microsoft for poor security. His work raised awareness in the computing world that forced such major companies to take security seriously. He co-founded the consultancy @Stake, which was later acquired by Symantec.

Zatko later worked in senior positions at the Pentagons Defence Advanced Research Projects Agency and Google. He joined Twitter at Dorseys urging in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders, celebrities and tech moguls, including Musk, in an attempt to scam their followers out of bitcoin.

(Except for the headline, this story has not been edited by The Federal staff and is auto-published from a syndicated feed.)