Twitter’s former head of security, Peiter “Mudge” Zatko, will appear in front of lawmakers in Washington on Tuesday. He is expected to give damning evidence of data and information security failings at the social media platform, having outlined a litany of concerns in a whistleblower complaint last month.
The former hacker, widely respected in his field as an information security specialist, joined Twitter on 16 November 2020 and was fired on 19 January 2022. His complaint levels allegations of incompetence and fraud at Twitter, saying that he uncovered “extreme, egregious deficiencies by Twitter in every area of his mandate”, including weak controls of employee access to user data and interference by foreign governments.
The senate judiciary committee hearing is not directly for the benefit of Elon Musk, who is trying to pull out of a $44bn (£38bn) deal to buy Twitter and has been given permission to include Zatko’s revelations as another reason for walking away. Musk’s lawyers interviewed Zatko on 9 September. But if Zatko’s actions are going to have an immediate impact, it will be at a trial in Delaware on 17 October, where Twitter is attempting to force Musk to buy the company under terms he agreed in April.
Here are some questions that Zatko might face on Tuesday.
What is the scale of the information security problems at Twitter?
This is a catch-all question that is likely to be broken down into multiple parts in terms of lawmaker questions, given the amount of detail in the allegations contained within Zatko’s complaint.
He is likely to be asked about several claims, including that Twitter mishandled user email addresses and phone numbers, that more than 50% of its 500,000 data centre servers are running software that is out of date or has other known security problems, and that employees were found to be installing spyware on their work computers at the request of external organisations.
How significant is foreign state intervention in Twitter?
Zatko’s complaint says he was aware of “multiple episodes” of Twitter being penetrated by foreign intelligence agencies or being complicit in threats to democracies. The examples cited include the Indian government forcing Twitter to hire government agents who had access to user data, and executives allowing the platform to become dependent on revenue from Chinese “entities” that might then be able to access information on users in China who had circumvented a block. The complaint adds that Twitter received “specific information from a US government source that one or more particular company employees were working on behalf of another particular foreign intelligence agency.”
Lawmakers will want to know if the platform’s output, which plays a highly influential role in politics and media in multiple countries, could be manipulated as a consequence.
How significant is Twitter’s bot problem?
In a section of the complaint titled “lying about bots to Elon Musk”, Zatko raises questions over Twitter’s approach to bots, essentially arguing that the company does not have a handle on the problem. Lawmakers are expected to ask Zatko what the true scale of the problem is and how it should be tackled.
Musk cited the prevalence of bot accounts on Twitter – which are not operated by humans and are designed to disrupt and manipulate the experience of users – as a key reason for declaring his withdrawal from the takeover.
In his complaint, Zatko says Parag Agrawal, the Twitter chief executive, lied when he tweeted that Twitter execs were “incentivised to detect and remove as much spam as we possibly can”.
The Tesla chief executive claims that Twitter has deliberately miscounted the number of bots on the platform. The company has consistently said that the number of bots on its platforms is less than 5% of its monetisable daily active users (mDAU – accounts that can see adverts and are therefore commercially valuable to the company).
Zatko says there are many millions of active accounts that are not counted as mDAU but are still part of the average user’s experience on the platform, which makes for a poor quality experience. This does not quite fit Musk’s argument, which is that Twitter deliberately underplays the number of bots among its mDAUs. Zatko says Twitter does not include these accounts in its mDAU total; it simply does not get rid of them entirely.
Nonetheless, Zatko’s filing claims that management had no appetite to properly measure bot accounts because they were concerned that “if accurate measurements ever became public, it would harm the image and valuation of the company”. This could at least be material for a shareholder lawsuit and, as a whole, Zatko argues vociferously that Twitter cannot cope with bots because it uses “outdated” programs and “understaffed” monitoring teams.
How credible are you as a witness?
Twitter has hit back at Zatko’s allegations, saying that he was fired by Agrawal for “ineffective leadership and poor performance”. Referring to his claims, the company added: “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Nonetheless, Zatko has considerable pedigree, having made his name as an ethical hacker who helped organisations identify flaws in their systems before going on to work in senior positions at Google, the payments firm Stripe and the US Department of Defense. This long track record, and a reputation for professional rigour, led the then Twitter chief executive, Jack Dorsey, to hire him.
Is there a senior leadership problem at Twitter?
Zatko’s complaint is scathing about management standards at the company. Zatko’s allegations against Agrawal include the chief executive instructing him in December 2021 to provide documents on information security to the risk committee of Twitter’s board of directors that Agrawal knew were “false and misleading”. The complaint says that Twitter’s security problems had “developed under Agrawal’s watch”. The complaint raises concerns about the standard of leadership in general, pointing to an “extremely disengaged” Dorsey – who stepped down last year – who spoke a total of 50 words to Zatko in phone conversations over a 12-month period.
Has Twitter misled investors?
Zatko’s complaint says: “For years, across many public statements and SEC filings, Twitter has made material misrepresentations and omissions, and engaged in acts and practices operating as deceit upon its users and shareholders, regarding security, privacy and integrity.” Twitter disputes this. In terms of the complaint’s impact on the Musk takeover, Brian Quinn, a professor at Boston College Law School, says: “Twitter will likely respond that while they did not disclose that a disgruntled employee had made complaints about their security, they did disclose that data security and privacy issues were risks to the business.”