Whistleblower says Twitter's security flaws are a risk to users and national security
ARI SHAPIRO, HOST:
Twitter's former head of security is now blowing the whistle on the company. Peiter Zatko, also known by his hacker name Mudge, filed complaints with several government agencies. He accuses Twitter of serious security flaws that he says pose a risk to the platform's users, shareholders and national security. The complaint was obtained by CNN and The Washington Post. Joseph Menn is a technology reporter for The Post. Welcome to ALL THINGS CONSIDERED.
JOSEPH MENN: Thanks for having me.
SHAPIRO: So you spoke with Peiter Zatko, former Twitter head of security. What did he tell you his reasons were for filing this whistleblower complaint with the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission?
MENN: Well, he was very frustrated during his short time at Twitter. He was there for 15 months and brought in because - after a particularly embarrassing series of hacks in 2020. So he was brought in because of his reputation to fix the place. And then he basically wasn't able to do so. He was fired after a change in CEO in January. And he told me that he sees this whistleblower complaint as an extension of his work trying to make Twitter safer for people. If the company won't do it, then he's basically inviting regulators to come in and make them do it.
SHAPIRO: Can you explain what, in his view, the threat to national security is?
MENN: Well, he says they were warned that there was more than one intelligence agency with people inside the company. He says that he believes that there was an agent of the Indian government inside the company. So there's that, there's the insider threat stuff, but also just what he describes as egregious failings in protecting user data, which can include phone numbers, location data, real emails. That's super risky because - maybe not for you and me, but in, you know, in many countries, dissidents are using Twitter to communicate. And they're at great risk, and they can be exposed this way. In fact, there was an insider threat in San Francisco. There was just a conviction this month of somebody who was accused of working for the Saudi government inside Twitter and turning over information about dissidents. So that's the national security issue.
SHAPIRO: Peiter Zatko has an interesting background. Tell us a little bit more about him.
MENN: Well, Mudge Zatko, as he's known, is actually one of the most famous hackers in the country, has been for a long time. In the 1990s, he was one of the first people to publish details of security flaws in software. So at that point, if you're probably a business and you bought some software - this was the early '90s - Mudge and others would find the flaws in them. Instead of just exploiting them by themselves and breaking into people's computers who were using that software, they would publish findings that said, this is the problem or that's the problem.
SHAPIRO: OK. So back to this whistleblower complaint. How has Twitter responded to this?
MENN: They say that it's exaggerated. It's out of date. There's inaccuracies in it. They say it's a - Zatko is a disgruntled former employee who was fired for poor performance and poor leadership.
SHAPIRO: And this comes as the ownership of the company is in question. Elon Musk is trying to back out of a deal to buy Twitter. Do you expect this to have an impact?
MENN: It's certainly going to have some impact. The question is, how much? And I think we're going to know that soon. Mudge Zatko can be subpoenaed. And he's very likely to be subpoenaed by Musk's team. Musk has already sort of alluded today to the complaint. Musk is trying to get out of the deal and do it for free on a couple of grounds. One is that Twitter radically underestimated the number of bots and spammers on its site, and they've done it by so much that it's a material adverse event to get down to the actual number of bots to find out what that is, and Zatko agrees. And part of his complaint is - there's a section titled "Twitter Lies To Musk About Bots."
And the second thing is that in the deal that was struck with Musk, Twitter stood by its SEC filings and said that everything in them is true. Zatko says otherwise, says that by hiding these really serious security deficiencies, it was, among other things, violating an 11-year-old agreement with the Federal Trade Commission to do better and have a decent security program. And that is a material omission to shareholders. And if Musk picks up on that, he could argue that Twitter, attesting to the veracity of its statements to shareholders, was fraud and breach of contract.
SHAPIRO: Are there larger implications here for cybersecurity beyond Twitter?
MENN: There are. So I've covered cybersecurity for 20 years or so, and I'm hearing from a lot of people today both that Twitter is an outlier, that it's got exceptionally bad security historically, but also that it is kind of a symbol of how bad a lot of tech companies are at security, you know, behind the scenes. It's super rare to have a whistleblower this high rank with this kind of reputation come forward. But you shouldn't really be shocked if similar things are happening at other companies that we don't know about.
SHAPIRO: That's Joseph Menn, a technology reporter for The Washington Post. Thanks a lot.
MENN: Thanks for having me.
Transcript provided by NPR, Copyright NPR.