A Twitter whistleblower is alleging “extreme, egregious deficiencies by Twitter” related to privacy, security and content moderation, according to complaints filed with the Securities and Exchange Commission, Federal Trade Commission and Department of Justice.
The complaints, obtained by CNBC, were filed by nonprofit law firm Whistleblower Aid, which is representing Twitter’s former head of security, Peiter “Mudge” Zatko. Whistleblower Aid, which also represented Facebook whistleblower Frances Haugen, verified the authenticity of the documents with CNBC.
Shares of Twitter were down more than 5% in morning trading.
In a complaint with the SEC, Zatko alleges that he “witnessed senior executive engaging in deceitful and/or misleading communications affecting Board members, users and shareholders” on multiple occasions in 2021, during which CEO Parag Agrawal asked Zatko to provide false and misleading documents.
In his final report for Twitter after he was terminated, according to the whistleblower documents, Zatko charged that the company failed to accurately represent four key issues to the board: out-of-date software that lacked basic security measures, “Gross problems” in who could access or control systems and data, problematic internal processes and a “volume and frequency of security incidents impacting a large number of users’ data that is frankly stunning.”
Zatko alleged in the report that more than half of Twitter’s 500,000 servers were running out-of-date software and that more than a quarter of employee computers had software updates disabled, leaving them without important security patches. He said Twitter’s alleged practice of granting broad access to the platform’s production environment was “unheard of in a company the age and importance of Twitter, where nearly all employees have access to systems or data they should not.”
If government regulators were to find Twitter misled consumers about its security protocols, that may be considered a violation of its 2011 agreement with the FTC. At the time, Twitter was barred for 20 years from misleading consumers about how it protects their security and private information. The agreement also required Twitter to create and maintain a comprehensive information security program to be evaluated by an independent auditor for 10 years.
A spokesperson for the Senate Select Committee on Intelligence said in a statement that the panel has also received the complaint “and is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”
The whistleblower complaint also mentions misrepresentations by Twitter to Elon Musk, who is locked in a legal battle seeking to back out of his deal to purchase the social media company, concerning the Tesla CEO’s “doubts on the accuracy of Twitter’s claim in legal findings that <5% of accounts are ‘bots,’ or automated spam accounts.”
A lawyer representing Zatko said the former Twitter employee has had no contact with Musk, who in July said he was withdrawing his $44 billion bid to acquire the company.
“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Musk attorney Alex Spiro of Quinn Emanuel told CNBC.
Musk and Twitter will meet in court in October where Delaware Court of Chancery Chancellor Kathaleen McCormick will determine if Musk is still on the hook to acquire the company.
Zatko alleges that a tweet by CEO Agrawal on May 16, which said the company is “strongly incentivized to detect and remove as much spam as we possibly can, every single day” was “a lie.” He said Twitter executives are not incentivized to detect bots and “senior management had no appetite to properly measure the prevalence of bot accounts” because “if accurate measurements ever became public, it would harm the image and valuation of the company.”
Zatko further alleged that the company didn’t have proper security controls in place. According to The Washington Post, about 7,000 Twitter employees had “wide access to the company’s internal software and that access was not closely monitored.”
In a memo to staff posted to Twitter by CNN correspondent Donie O’Sullivan, Agrawal described Zatko as “a former Twitter executive who was terminated in January 2022 for ineffective leadership and poor performance.”
“We are reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context,” Agrawal wrote, according to CNN. A Twitter spokesperson confirmed the legitimacy of the content of the memo to CNBC.
“Given the spotlight on Twitter at the moment, we can assume that we will continue to see more headlines in the coming days — this will only make our work harder,” Agrawal said. “I know that all of you take a lot of pride in the work we do together and in the values that guide us. We will pursue all paths to defend our integrity as a company and set the record straight.”
Correction: An earlier version misspelled the name of CNN correspondent Donie O’Sullivan.