A whistle-blower complaint from Twitter’s former head of security, claiming severe shortcomings in the social media company’s handling of users’ personal data, will have wide ramifications for the business.
US lawmakers have vowed to investigate, and the legal team for Elon Musk, who is seeking to abandon his agreement to acquire Twitter, was emboldened by the claims. Twitter shares fell as much as 5% on Tuesday, the biggest intraday drop in more than a month.
The former executive, Peiter Zatko, alleged “egregious deficiencies” in Twitter’s defences against hackers and other lax approaches to security, according to a copy of the complaint. Zatko said he had warned colleagues that some of Twitter’s servers were running out-of-date software and that executives had withheld information about breaches and lack of protections for user data.
US house representatives confirmed the whistle-blower complaint in a joint statement from Frank Pallone and Cathy McMorris Rodgers, the top Democrat and Republican on a house panel that received the report. “The energy & commerce committee is actively reviewing the Twitter whistle-blower disclosure and assessing next steps,” they wrote. “There are still a lot of unknowns and questions that need to be answered. Many of these allegations, if true, are alarming and reaffirm the need for congress to pass comprehensive national consumer privacy legislation to protect Americans’ online data.”
Thousands of employees also had access to core company software, which led to hacks of high-profile users, according to the report. The Washington Post, which first reported on the complaint along with CNN, said it was sent to the US Securities and Exchange Commission, the justice department and the Federal Trade Commission. The DOJ and FTC declined to comment. The SEC didn’t immediately respond to a request.
The whistle-blower document also alleged that Twitter prioritised growth over reducing the number of spam accounts, offering executives cash bonuses of as much as US$10-million tied to increasing the number of daily users. Spam and “bots” on Twitter have been a key flashpoint in the company’s dispute with Musk. Musk’s lawyers also said on Tuesday that they have issued a subpoena for Zatko to testify in the court battle. Legal experts said Zatko’s complaint bolsters Musk’s case.
Twitter pushed back. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a Twitter spokesman said when contacted for comment. “Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Twitter said Zatko was fired in January for “ineffective leadership and poor performance.” Zatko could not immediately be reached for comment. Whistleblower Aid, which represents him, said in an e-mailed statement that Zatko and the group are unable to comment, citing legal obligations.
Musk made a reference to the claims via Twitter, with an image of the Pinocchio character Jiminy Cricket saying “give a little whistle”, a line from his signature song about listening to your conscience.
If Zatko’s claims are verified, Twitter would be in violation of a 2011 agreement with the FTC. Members of the senate judiciary & intelligence committees said the report presents serious claims that could impact user privacy and national security.
The budding investigation is reminiscent of the congressional probe of whistle-blower allegations against Facebook, owned by Meta Platforms, that first appeared in the Wall Street Journal last year. Meta has lost more than half of its market value since that complaint was published, and earnings reports suggested that the number of Facebook’s US users has plateaued.
Twitter had largely escaped the ire of lawmakers in this congress who have called representatives from TikTok, Snap and Meta-owned Instagram to testify. But judiciary chair Dick Durbin on Tuesday said the reports “raise serious concerns”, and he promised to “continue investigating this issue and take further steps as needed to get to the bottom of these alarming allegations”.
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” said Durbin, a Democrat from Illinois.
Iowa senator Chuck Grassley, the ranking Republican on the senate judiciary committee, is one of the lawmakers who has reviewed the complaint and is working with Zatko. Grassley said the whistle-blower claims “raise serious national security concerns as well as privacy issues, and they must be investigated further”. The senate intelligence committee is also looking into Zatko’s claims, said spokeswoman Rachel Cohen.
Florida senator Marco Rubio, the ranking Republican on the intelligence committee, said he and his colleagues are “treating the complaint with the seriousness it deserves and look forward to learning more”.
“Twitter has a long track record of making really bad decisions on everything from censorship to security practice,” Rubio said in a statement. “That’s a huge concern given the company’s ability to influence the national discourse and global events.”
Twitter’s 2011 settlement with the FTC barred the company for 20 years from “misleading consumers about the extent to which it protects the security, privacy and confidentiality of nonpublic consumer information”. That agreement sprang from a 2009 hack of the social media platform that allowed intruders to send out phony messages from any account, among other issues.
In May, Twitter paid $150-million to the FTC for misusing user phone numbers uploaded for security purposes to target advertising. The use of the phone numbers breached the social media company’s 2011 consent decree where it agreed to better protect users’ personal data.
Zatko’s complaint alleges further violations of the 2011 settlement, which could open Twitter to additional potential fines. A federal judge accepted the $150-million settlement in May, but the FTC could opt to re-open the case or file another complaint.
In his complaint, Zatko alleges that Twitter sales teams have continued to misuse phone numbers collected for security purposes for targeted advertising, that the data from users who deactivated their accounts wasn’t properly deleted and that executives misrepresented information to the FTC about the company’s privacy policies.
His complaint also alleged that Twitter didn’t properly monitor potential threats from insiders or take corrective actions when needed. Earlier this month, a former Twitter employee was convicted of spying for Saudi Arabia, using his access to obtain personal information about the government’s critics.