The whistleblower claims senior executives are actively hiding the company’s security issues.
Twitter is under heavy scrutiny this week after its ex-head of security claimed the company has major security issues. The findings, he said, show that the social media company’s practices are “threats to national security and democracy”.
Peiter Zatko, the whistleblower, revealed critical allegations against Twitter. According to Zatko, many employees at the company have access to private user data.
Generally, a company should restrict access to user data to protect it. Zatko claims Twitter is extremely mismanaged to the point that these restrictions are not correctly implemented.
What are Zatko’s allegations?
In his official disclosure, Zatko shares, “it was impossible to protect the production environment. All engineers had access[…]nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”
These poor practices can have dangerous real-life consequences.
In 2019, a Twitter employee was accused of selling confidential user information to Saudi Arabia. This included people that criticised the Saudi regime. Last month, that employee was convicted of failing to register as a Saudi spy.
This leads to another one of Zatko’s allegations: one or more current employees also work for a foreign intelligence service. Without adequate restrictions in place, users remain at risk of having their data accessed and sold by malicious employees.
Zatko also alleged that senior executives at Twitter actively attempt to cover up the company’s flawed security practices. He further accused them of hiding the number of hacking attempts from Twitter’s directors and US authorities. Zatko recounts that CEO Parag Agrawal and other members of management ordered him to mislead the board using “cherry-picked and misrepresented data”.
According to the ex-employee, deleting a Twitter account won’t necessarily wipe all the user’s data from the platform, leaving such sensitive information accessible to the company’s employees even when the user can’t access it themselves.
The whistleblower also accused Twitter of misleading the public about the number of bots on the platform. This matches earlier allegations made by Elon Musk, who backtracked on his acquisition of the social media company after also claiming that more bots exist on the platform than Twitter has revealed. Zatko claims that Twitter never accurately measured the number of bots it has, partially because such information can damage its reputation.
The tech giant seems to be in for a troubling season now, with Democratic and Republican officials sharing their concerns. In a statement to CNN, one senator shared:
“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster.”
Zatko’s hiring and firing
Peiter Zatko, known as “Mudge” in the cybersecurity community, is a white hat hacker with a history of security vulnerabilities in large companies. Before Twitter, he was a senior executive at companies such as Google and Stripe, as well as the US Department of Defence.
In 2020, Twitter suffered a major attack in which the accounts of influential figures such as Joe Biden, Barack Obama, Kim Kardashian, Bill Gates and Elon Musk were hacked. Following the embarrassing hacks, then-CEO Jack Dorsey hired Zatko to beef up the company’s security.
Zatko’s career at Twitter was filled with shock and obstacles as he tried to bring order to what he described as a chaotic company. Things started to go downhill a few months before Dorsey’s departure from Twitter. He claims that Dorsey was so absent from the company that other senior executives believed he was sick.
When the former CEO was replaced by Parag Agrawal, Zatko’s relationship with Twitter worsened. Zatko claims that Agrawal deprioritised users’ security and put growth above all.
In January, Zatko was fired from Twitter citing “ineffective leadership and poor performance”. He believes it was retaliation for raising issues to the board.
Twitter accused Zatko of sharing a “false narrative”, adding that “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders”.
While these allegations are seriously concerning, it’s important to understand the practical implications of them.
Malicious employees likely exist at every large tech company. However, Twitter’s allegedly poor data protection practices make this a much more serious issue.
Most Twitter users will likely face no issues with their data being accessible, as it’s practically impossible for every user to be monitored. It’s unlikely that anyone is reading your private tweets and DMs, but it’s worth being conscious of the fact that if someone at Twitter wanted access to your information then they might have it.
However, users partaking in political activism are likely to be extremely concerned with these allegations. To have secure conversations, be sure to use an encrypted messaging service such as Signal or Telegram.
Finally, while the vast majority of users aren’t affected by malicious employees and poor practices, it is important to hold large tech companies accountable. The collection and accessibility of such private data means that your sensitive information may be at risk in the future, maybe even years from now.
There’s no need to deactivate or delete Twitter after hearing these news, but just be mindful that private information on Twitter, and most social media companies, is not actually private.