Twitter’s former top security official has alleged that company executives endangered national security through “egregious deficiencies” in privacy and security and systematically misled users, members of its board, investors, and government officials about those vulnerabilities.
The former official, Peiter “Mudge” Zatko, is a famous hacker and one of the nation’s top cybersecurity experts. He served as Twitter’s security lead from Nov. 2020 to Jan. 2022, when he was fired by CEO Parag Agrawal after Zatko began documenting what he says were repeated security violations, and as he worked with the company’s compliance officer on a formal investigation based on his claims. Zatko submitted his disclosures to U.S. regulatory agencies in July, invoking federal whistleblower protections, and they were shared with members of Congress.
In 84 pages of disclosures and supporting documents, which TIME reviewed, Zatko accuses the $33 billion social-media platform’s top executives of violating the Federal Trade Commission Act and Securities and Exchange Commission regulations by misleading users, investors and board members about critical data security and privacy issues. These vulnerabilities led to frequent serious security breaches, exploitation by bad actors, and infiltration by foreign governments, Zatko alleges.
The documents shine a light on what Zatko alleges are years of basic security failings at Twitter, which he says make the platform vulnerable to abuse and even total collapse. Notably, the disclosures imply that the problems were allowed to fester under Agrawal, who was the most senior executive in charge of security issues before Zatko arrived. “If these problems are not corrected, regulators, media, and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics,” Zatko wrote in a Feb. 2022 document cited in the disclosure.
READ MORE: What the Twitter Whistleblower Bot Disclosures Mean for Elon Musk
The disclosures come just weeks before the first scheduled court date in a legal dispute over the pending sale of the company to billionaire Elon Musk, who is seeking to extricate himself from an agreement to purchase the company. Musk claims Twitter misled him and investors about the percentage of spam bots and fake accounts that make up its user base. According to internal company emails submitted as part of the disclosures, Zatko began documenting Twitter’s alleged wrongdoings months before Musk publicly announced his desire to buy the company. The trial over whether Musk must go through with his initial agreement to buy Twitter is set to start on Oct. 17 in Delaware.
Zatko accuses Twitter executives of “lying about bots” to Musk, shareholders and Twitter users, alleging that the platform has far more spam accounts than it lets on, and that executives are disincentivized to count them properly because doing so would negatively affect their bonuses.
A Twitter spokesperson said the company had not seen Zatko’s allegations in full, but rejected a description of his main allegations. “Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” a Twitter spokesperson told TIME. “While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.“
Zatko’s disclosures allege the social media company’s executives committed securities law violations by making “material misrepresentations and omissions” in SEC filings, and asked him to mislead the board by minimizing security vulnerabilities. Zatko also says Twitter is beset by fundamental architectural flaws that allow too many employees “God mode” access to its systems, making the platform vulnerable to hackers and to influence by foreign intelligence agencies. His disclosures allege that Twitter executives hired two people whom he believes were Indian government agents and put them in positions with “direct unsupervised access” to internal Twitter data and information. This was just one example of Twitter’s “negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil and/or censor” the platform, its staff and its operations, Zatko alleges.
A source close to the company says that Zatko’s claims around the time of his exit were “investigated and found to be sensationalistic and lacking merit.” “Mudge stands by everything in his disclosure, and his career of effective and ethical leadership speaks for itself. The focus should be on the facts laid out in the disclosure, not ad hominem attacks against the whistleblower,” says John Tye, of Whistleblower Aid which is representing Zatko.
Zatko’s disclosures, which were first reported by the Washington Post and CNN and which TIME obtained from a congressional source, were sent to the U.S. Securities and Exchange Commission, the Bureau of Consumer Protection at the Federal Trade Commission, and the civil and antitrust divisions of the Justice Department, and a redacted version was shared with Congress. The House Energy and Commerce Committee is reviewing the documents, which are coming to light weeks after lawmakers advanced a landmark data privacy bill and the FTC launched an effort to review data privacy protections. The Senate Judiciary Committee has also indicated it intends to investigate Zatko’s allegations, and the Senate Intelligence Committee is looking to set up a meeting with him, according to CNN. The disclosures suggest that “Twitter is disorganized and careless” and highlight the “total lack of institutional and practical controls they have,” a senior Democratic staffer tells TIME. “They show how the potential for abuse is there…and it will inform the work we’re doing on this legislation.”
Who is Peiter ‘Mudge’ Zatko?
Known by the hacker pseudonym “Mudge,” Zatko, 51, has for three decades been one of the best-known figures in the world of network security. He has been tapped by major tech companies and the federal government to uncover weaknesses in their digital security systems. He exposed vulnerabilities in the early days of the Internet, played leading roles in the hacker collectives L0pht and the Cult of the Dead Cow, and served stints at Google and the Department of Defense. Zatko has also testified in front of Congress and been brought in to advise U.S. Presidents, lawmakers, and federal intelligence agencies.
“He remains one of the best security minds on the planet today,” Kevin O’Brien, co-founder and CEO of cybersecurity firm GreatHorn, said of Zatko after Twitter hired him.
After a Twitter hack in 2020 that led to the accounts of users including Elon Musk and Joe Biden being compromised, Twitter co-founder and then-CEO Jack Dorsey gave Zatko a broad mandate as the social-media company’s “head of security.” Zatko ultimately supervised hundreds of staffers and had a mission to evaluate Twitter’s security problems, present them to company leaders, and come up with a strategy to fix them, according to his disclosures.
But his time at Twitter quickly grew fraught. Here are some of Zatko’s most serious allegations against his former employer:
Claim: Twitter knowingly undercounts spam bots
Since July, Musk and Twitter have been locked in a legal dispute that revolves around the number of spam bots on the platform. Musk has argued that the percentage of automated spam accounts on Twitter is far higher than the maximum of 5% the company has claimed for years, and that this inaccuracy gives Musk grounds to back out of a $44 billion deal to buy the company.
In allegations that will bolster Musk’s argument, Zatko’s disclosures allege that Twitter has been “lying” to Musk about bots, and that the total percentage of spam bots on Twitter is substantially higher than the maximum of 5% that Twitter claims. Zatko says that Twitter arrives at its official percentage of bots on the platform by sampling only from a subset of accounts known as “monetizable daily active users,” or mDAUs. But that subset, created by Twitter to give advertisers an idea of how many real humans are looking at their ads, already attempts to exclude bots. Zatko says that his own internal attempts to find out what percentage of total Twitter accounts were bots were met with a lack of enthusiasm.
“In early 2021, as a new executive, Mudge asked the head of Site Integrity (responsible for addressing platform manipulation including spam and botnets) what the underlying spam bot numbers were,” Zatko’s disclosure states. “Their response was ‘we don’t really know.’”
Zatko further argues that Twitter executives “are not incentivized to accurately detect or report total spam bots on the platform,” because he says that their potentially lucrative bonuses are “tied” to growing the number of mDAUs. He suggests that if the real percentage of spam bots were to become known, it would “hurt the image and valuation of the company.” And he alleges in the complaint that he once witnessed a Twitter executive telling members of the company’s board of directors that Twitter had “intentionally and knowingly deprioritized platform health” in favor of growing mDAU.
A Twitter representative did not respond to requests for comment related to mDAU.
Claim: Twitter has a ‘severe lack of security basics’
Zatko alleges that Twitter is “decades behind” competitors like Google and Facebook in its internal security protocols and that during his tenure, a serious security breach was occurring at Twitter virtually every week. He argues that this was partly because far too many employees have access to internal systems that they shouldn’t, which makes the platform vulnerable to basic phishing schemes. In July 2020, the accounts of Joe Biden, Barack Obama, and other prominent figures were hacked as part of a scam that drained more than $100,000 in Bitcoin from users. The hack was masterminded by a teenager who posed as a member of the IT department in order to gain employees’ credentials, which then allowed him access to those accounts. He was arrested and pleaded guilty to all 30 charges against him.
On Jan. 6, Zatko says, he was watching the Capitol insurrection unfold online and asked a Twitter higher-up to curtail employees’ access to internal systems. He learned that it was impossible: too many employees had irrevocable access. One rogue engineer with the right system privileges could have sabotaged the platform, sowing misinformation and discord, Zatko alleges. A few false tweets purporting to be from the account of President Trump, for example, could have escalated the violence.
A source close to the company said that employees must have a “business justification” to access internal systems and data platforms.
Zatko also says that Twitter’s data centers were a mess, running on outdated operating systems and improperly backed up. In the spring of 2021, Zatko says, the company narrowly avoided a catastrophic failure that could have knocked out all of the company’s data centers and permanently shut down the entire platform. Twitter engineers worked around the clock to fix the issues, Zatko says, and the incident never became public. A Twitter representative did not respond to a request for comment on this alleged incident. (The platform did experience widespread outages on April 16, 2021.)
Claim: Twitter misled investors and the government
Zatko alleges that an awareness of these security shortcomings is “fundamental to any proper valuation of Twitter’s business”—and that hiding these problems from investors and the board is “significantly misleading.” He further alleges that Twitter knowingly misled the government in other ways, including in its SEC filings in response to Musk’s bid to buy the company. In those filings, for instance, Twitter declares that it does not knowingly violate IP rights—but Zatko claims that Twitter never obtained the proper legal rights to the training material used to build Twitter’s core algorithmic models, and that executives misled regulators in multiple countries about owning those rights. Zatko also asserts that internal security measures Twitter promised to develop in the wake of the 2011 FTC mandate had yet to be rolled out, and that executives misled Twitter’s board about their progress in creating them. (Zatko says that when he informed the board about this situation, he received an angry call from an executive chastising him for doing so.)
A source close to the company says that Zatko did not understand the company’s agreements with the FTC and made “inaccurate claims” about Twitter’s compliance with regulatory obligations.
Claim: Twitter allowed foreign government agents access to data
Zatko says the company’s security lapses didn’t only harm individual users. He alleges they were matters of national security and geopolitical importance. Twitter was “complicit in threats to democratic governance,” he writes.
One of Zatko’s allegations is that the company hired two people that he believes were Indian government agents. Because of Twitter’s flawed internal security systems, Zatko says, the purported agents had “direct unsupervised access” to internal information. Zatko says he has filed a separate disclosure detailing this and other episodes with the Counterintelligence and Export Controls Section within the National Security Division of the Department of Justice and the Senate Select Committee on Intelligence.
A source close to the company says that the company has no knowledge of government agents working at Twitter.
Zatko alleges that Agrawal—a few months before his promotion to CEO—advocated for Twitter’s expansion into Russia, even if it meant abiding by the country’s censorship and surveillance demands. Zatko also writes that in 2022, the U.S. government told Twitter that at least one of their employees was working for a foreign intelligence agency. He does not say how Twitter responded.
Earlier this month, a former Twitter employee was found guilty of acting as an agent of a foreign government, spying on Saudi dissidents and passing personal information on to the Saudi government.
Claim: Jack Dorsey was silent for ‘days or weeks’ at a time
While Zatko tweeted in support of Dorsey in 2021, he now claims that Twitter’s co-founder and former CEO suffered from a “drastic loss of focus” in 2021. He says Dorsey attended meetings sporadically, and that rumors spread within Twitter about him remaining silent for “days or weeks.” (Dorsey is a proponent of silent vipassana meditation.)
While Dorsey, who stepped down as Twitter CEO in November and is also CEO of payment platform Block, had initially given Zatko a wide mandate, Zatko says in the whistleblower disclosure that he felt unmoored: He was receiving “little to no actual support for his task of fundamentally changing the risky behaviors of over 8,000 employees, and the entire corporate culture,” the disclosure says.
On several occasions, Zatko alleges, he was instructed to suppress the extent of Twitter’s problems in front of the board. And he says that after he solicited an independent study that highlighted Twitter’s extensive security lapses and failure to combat disinformation, senior executives “became concerned about the impact on Twitter’s reputation were the findings to become publicly known” and had the parts most damaging to the company removed.
Claim: Parag Agrawal encouraged Zatko to mislead investors
Zatko says that his relationship with Agrawal was strained from the beginning, especially given that Agrawal had been the most senior executive in charge of security issues before Zatko arrived. When Agrawal replaced Dorsey, tensions quickly escalated, according to Zatko, who says he became concerned that Agrawal was going to use the first board meeting of his tenure to diminish the severity of security issues. He wrote to Agrawal on Dec. 15, arguing that there were “numerous, and some significant, misrepresentations” in his materials for an upcoming presentation.
But Agrawal, he says, brushed him off, and the next day, the documents were presented at a high-level Risk Committee meeting. In a Jan. 4, 2022 email to Agrawal, Zatko called the documents “at worst fraudulent,” and wrote: “I was hired to achieve certain goals and to fix problems here at Twitter. In order to do that, we need to recognize the actual state of affairs at the company.”
“Zatko had every opportunity to either prevent that information from being shared or correct any inaccuracies during the meeting,” a source close to the company says. “On many occasions, Zatko was the source of inaccurate information.”
A few days after Zatko’s email, Agrawal wrote back to Zatko, saying that the company had launched an internal investigation into his allegations. Zatko was asked for a detailed report to back up his claims, which he began to pull together. But less than two weeks later, before he was able to file the report, he was fired. Publicly, Agrawal wrote that the decision stemmed from “an assessment of how the organization was being led and the impact on top priority work.”
More Must-Reads from TIME
- Where Trump 2.0 Will Differ From 1.0
- How Elon Musk Became a Kingmaker
- The Power—And Limits—of Peer Support
- The 100 Must-Read Books of 2024
- Column: If Optimism Feels Ridiculous Now, Try Hope
- The Future of Climate Action Is Trade Policy
- FX’s Say Nothing Is the Must-Watch Political Thriller of 2024
- Merle Bombardieri Is Helping People Make the Baby Decision
Write to Vera Bergengruen at vera.bergengruen@time.com and Billy Perrigo at billy.perrigo@time.com