
Whistleblowing at Twitter: Mudge Spills the Beans

Feature Article Peiter C. Zatko, better known as Mudge
SAT, 27 AUG 2022

It must have been music to Elon Musk’s ears. Twitter, a platform he has had a patchy relationship with, has been the recipient of various blows inflicted by Peiter “Mudge” Zatko, the company’s former head of security. This was no mean feat, given the company’s reputation as being essentially indestructible. But Mudge was left with every reason to seethe; his tenure abruptly ceased at the company in January this year, allegedly for reasons of “ineffective leadership and poor performance”.

The poor performance tag would have raised a few eyebrows. Zatko has earned a formidable reputation in the field of cybersecurity, largely for being adept at undermining it. Known through the 1990s by the sobriquet “Mudge”, he probed security vulnerabilities in incipient web networks and kept company with such hacker tribes as Cult of the Dead Cow. His activities were sufficiently noteworthy to interest both the Senate and President Bill Clinton, whom he briefed about emerging vulnerabilities in the networked age.

The Twitter appointment made sense, in so far as it was intended to layer and pad security in light of the July 2020 breach which saw a teenager hijack the accounts of a number of figures, including Kanye West, Barack Obama and Joe Biden.

This month Zatko, represented by Whistleblower Aid, the same legal non-profit that represented the Facebook whistleblower Frances Haugen, filed a whistleblower complaint with the Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission (FTC).

Among the suite of spicy accusations, Mudge claims that Twitter executives deceived the regulators and the company’s own board of directors about “extreme, egregious deficiencies” on the issue of hacker defences, and about “meagre efforts to fight spam”. Looming large is the prospect that Twitter might have breached the terms of its own 2010 settlement with the FTC. (In May, it was fined US$150 million for breaking its own privacy promises.)

On the security issue, Zatko insists that half of Twitter’s 500,000 servers used unencrypted software while roughly 4 in 10 employee laptops were insufficiently protected from external threats. Up to 30% of computers blocked software updates that would remedy security defects. Thousands of the laptops with bare protections also had access to Twitter’s source code, the result of inadequate testing by company engineers.

As for the matter of legitimate users, the disgruntled Zatko claims that Twitter has little to no incentive to identify the true number of spam and bot accounts that populate the information ecosystem. (According to Omnicore, the number of monetizable daily active users, as the figure stood on February 21 this year, was 217 million.)

In May, Twitter spokeswoman Rebecca Hahn stated that, “Twitter fully stands by … our statements about the percentage of spam accounts on our platform, and the work we do to fight spam on the platform, generally.” In the never-ending quest to cleanse the platform, up to half a million spam and bot accounts were removed each day. In July, that number had risen to 1 million.

The accusations also went to Twitter’s approach to specific countries and their infiltration of the company. India comes in for special mention, as the “Indian government forced Twitter to hire specific individual(s) who were government agents, who … would have access to vast amounts of sensitive data”. This fact was not disclosed to users. A further claim is made that the company “received specific information from a US government source” that at least one employee was working for a foreign intelligence agency.

Twitter’s stung CEO Parag Agrawal took to the battlements, circulating an email to company employees challenging the “claims about Twitter’s privacy, security, and data protection practices”. What had been published so far was “a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.” There was something wooden, and unconvincing, in the note. Admitting that it was “frustrating and confusing to read, given Mudge was accountable for many aspects of this work”, Agrawal would not have filled the ranks with confidence.

Attorneys representing Zatko promptly released a statement countering Agrawal’s claims. Their client had persistently “raised concerns about Twitter’s grossly inadequate information security systems to the Company’s Executive Committee and Board of Directors throughout his tenure.” Zatko “repeatedly objected to the misrepresentations and pressed concerns about the dire state of the Company’s information security posture” to both Agrawal and Omid Kordestani, head of the Risk Committee. The Risk Committee, it is charged, preferred “information that whitewashed the problematic” nature of that information security posture.

Musk is seeking to break his agreement to buy Twitter for the value of US$44 billion, claiming that the inaccurate count on “monetizable daily” users would have a “material adverse effect”. Just to make matters even messier, the CEO of Tesla and SpaceX is countersuing the company for fraud and breach of contract.

The questionable number of legitimate Twitter users as pointed out by Zatko is being lapped up, with Musk taking delight in noting the board’s refusal to disclose the facts to the public. Alex Spiro, of the law firm Quinn Emanuel representing Musk, found Zatko’s “exit and that of other key employees curious in light of what we have been finding.”

Musk’s legal team have subpoenaed Zatko and former Twitter CEO Jack Dorsey, though it is unclear whether the case will necessarily be better for it. Mudge is also wanted for questioning by the Senate Judiciary Committee. What the allegations have shown is that big tech and its manifestations are rather seedy, and that’s putting it mildly. Few heroes in this saga will be found, but there are villains aplenty to pick from.

Dr. Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He currently lectures at RMIT University.

Binoy Kampmark, © 2022

He is a Senior Lecturer in the School of Global, Urban and Social Studies, teaching within the Bachelor of Social Science (Legal and Dispute Studies) program.

Binoy’s research and teaching interests lie in the intersections of law, international relations and history. Much of his research and teaching involves the examination of conflict, diplomacy, and the various crises confronting international society including refugees, terrorism, ‘rogue’ states and undocumented citizens.

Binoy has written extensively in both refereed journals and more popular media on his research interest topics of the institution of war, diplomacy, international relations, 20th century history and law.

The quality of his research has been acknowledged in awards made by the US-based International Association for the Study of Forced Migration and Limina, journal of the History Department of the University of Western Australia.

Media expertise
Binoy is available for media interviews and comments as an expert on international and national security, terrorism, the war on terror and politics.

He has been interviewed for National Public Radio in the United States, Radio National in Australia, and radio stations in South Africa. He is also a regular contributor to online publications including The Conversation, Eureka Street, CounterPunch (US) and Scoop (NZ).

Binoy was also commissioned by the UK History Channel in December 2007 to January 2008 to write package descriptions for the American Civil War, and in March 2006 to write a package on World War II: The War in the West, 1943-1945.

Disclaimer: "The views expressed in this article are the author’s own and do not necessarily reflect ModernGhana official position. ModernGhana will not be responsible or liable for any inaccurate or incorrect statements in the contributions or columns here."
