A Twitter whistleblower alleged “outstanding, egregious deficiencies at Twitter” related to privacy, security and content moderation, according to complaints filed with the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice.
The complaints, obtained by CNBC, were filed by the nonprofit law firm Whistleblower Aid, which represents Twitter’s former security chief, Peter “Mudge” Zatko. Whistleblower Aid, which also represented Facebook whistleblower Frances Haugen, confirmed the authenticity of the documents with CNBC.
Shares of Twitter fell more than 5% in morning trading.
In a complaint to the SEC, Zatko alleged that he “witnessed senior executive involvement in fraudulent and/or misleading communications affecting board members, consumers and shareholders” on multiple occasions in 2021, during which CEO Parag Agrawal asked Zatko to provide false and misleading documents.
The news was first reported by The Washington Post and CNN.
In his latest report on Twitter since he was terminated, according to whistleblower filings, Zatko charged that the company failed to bring exactly four key issues to the board: outdated software that lacked basic security measures, “Gross problems” in which he could access or control systems and data, problematic internal processes, and “a volume and frequency of security incidents affecting large amounts of user data that is frankly staggering.”
Zatko claimed in the report that more than half of Twitter’s 500,000 servers were running outdated software and more than a quarter of employees’ computers had disabled software updates that could deliver important security fixes. He said Twitter’s alleged practice of providing broad access to the platform’s production environment was “unheard of for a company of Twitter’s age and importance, where almost all employees have access to systems or data they shouldn’t.”
If government regulators find that Twitter misled users about its security protocols, it could be considered a violation of the 2011 settlement with the FTC. At the time, Twitter was banned for 20 years from misleading users about how it protected their security and personal information. The agreement also requires Twitter to establish and maintain a comprehensive information security program that will be evaluated by an independent auditor for 10 years.
A spokesman for the Senate Intelligence Committee said in a statement that the panel had also received the complaint “and is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
The whistleblower’s complaint cites Twitter’s misrepresentation of Elon Musk, who is embroiled in a legal battle trying to back out of a deal to buy the social media company because of the Tesla CEO’s “doubts about the accuracy of Twitter’s claim in legal findings that <5% of accounts are ‘bots’ or automated spam accounts.”
A lawyer representing Zatko said the former Twitter employee had no contact with Musk, who in July said he was withdrawing his $44 billion bid to acquire the company.
“We have already issued a subpoena for Mr. Zatko and found his exit and that of other key employees to be curious in light of what we discovered,” Musk’s attorney Alex Spiro of Quinn Emanuel told CNBC.
Musk and Twitter will meet in court in October, where Delaware Court Chancellor Kathaleen McCormick will determine whether Musk is still on the hook to acquire the company.
Zatko claimed that a tweet by CEO Agrawal on May 16, which said the company was “highly incentivized to detect and remove as much spam as possible, every day,” was “a lie.” He said Twitter executives weren’t incentivized to detect bots and “senior management didn’t have the appetite to properly measure the prevalence of bot accounts” because “if accurate measurements ever became public, it would hurt the company’s image and valuation.”
In addition, Zatko claims that the company does not have adequate security controls in place. According to The Washington Post, about 7,000 Twitter employees had “broad access to the company’s internal software, and that access was not closely monitored.”
In a note to staff posted on Twitter by CNN correspondent Donie O’Sullivan, Agrawal described Zatko as “a former Twitter executive who was fired in January 2022 for ineffective leadership and poor performance.”
“We are reviewing the redacted claims that have been released, but what we have seen so far is a false narrative full of inconsistencies and inaccuracies and presented without important context,” Agrawal wrote, according to CNN. A Twitter spokesperson did not immediately respond to CNBC about the reported memo.
“Given the spotlight on Twitter right now, we can assume that we’ll continue to see more headlines in the coming days — it’s only going to make our job harder,” Agrawal said. “I know you all take great pride in the work we do together and the values that guide us. We will pursue all avenues to protect our integrity as a company and set the record straight.”
Correction: An earlier version misspelled the name of CNN correspondent Donie O’Sullivan.