Twitter’s former head of security accused the company of making false and misleading statements about its security practices and lying to Elon Musk about fake accounts on its platform, potentially landing the social media service in new regulatory trouble as it tries to force Mr. Musk to complete a $44 billion deal to buy it.
Peiter Zatko, Twitter’s head of security who was terminated by the company in January, said in a whistle-blower complaint that the company had deceived the public by misrepresenting how it fights spam and hackers. That violated a 2011 agreement that Twitter had struck with the Federal Trade Commission, which had barred the company from misleading users about its security and privacy measures, he contended.
In his complaint, which was filed with the Securities and Exchange Commission on July 6, Mr. Zatko accused Parag Agrawal, Twitter’s chief executive, and other executives and directors of “extensive legal violations” and acting with “negligence and even complicity” against hackers. Mr. Zatko also sent the complaint and supporting documents to the Justice Department and the F.T.C.
Mr. Zatko said Twitter also lied to Mr. Musk, who signed a blockbuster deal to buy the company in April but has been attempting to back out of the acquisition. The complaint could give Mr. Musk legal fodder as he tries to end the acquisition, with the billionaire’s lawyers saying that they had already subpoenaed Mr. Zatko.
The whistle-blower complaint is another strange twist for Twitter as it tries to ensure its corporate survival. The company, which is based in San Francisco, has been embroiled for months in a struggle with Mr. Musk, the world’s richest man, as he has blown hot and cold over owning the social media service, raising questions about its future as an independent entity. At the same time, Twitter has been grappling with an economic slowdown and has cut costs.
The whistle-blower complaint may lead to fresh scrutiny for Twitter as regulators and lawmakers train their sights on the power and influence of technology companies. In 2019, the F.T.C. fined Facebook about $5 billion for violating its privacy settlement with the agency. The S.E.C. has also focused on companies that insufficiently disclose their susceptibility to security breaches.
Both agencies, which declined to comment, are likely to ask for additional documents and speak with Mr. Zatko, experts said. If they find his claims have merit, they could fine Twitter or require it to change the way it operates.
“There’s a near certainty that this can provoke a careful review by the Federal Trade Commission, perhaps other public agencies, of the operation and management of the company, and that’s at a moment where they’re buffeted by so many other unwelcome forces — you don’t need another shock of this type,” Bill Kovacic, a former chair of the F.T.C., said of Twitter.
A Twitter spokeswoman said Mr. Zatko was fired in January for ineffective leadership and poor performance. She said he was spreading “a false narrative about Twitter and our privacy and data security practices.” She also suggested that he was capitalizing on the company’s situation with Mr. Musk “to capture attention and inflict harm on Twitter, its customers and its shareholders.”
Debra Katz, a lawyer representing Mr. Zatko, disputed the idea that he was a disgruntled former employee and said he had tried to do the right thing by raising his concerns about Twitter’s security practices. Whistleblower Aid, a company that is working with Mr. Zatko on his complaint, said the facts in the disclosure spoke for themselves.
Mr. Musk, who didn’t reply to a request for comment, indirectly referred to the whistle-blower complaint on Tuesday. He tweeted a meme of Jiminy Cricket from the movie “Pinocchio” that said “give a bit whistle.”
Mr. Zatko has not been in contact with Mr. Musk, said a person with knowledge of the situation who spoke on condition of anonymity because the proceedings were confidential. But Mr. Musk’s lawyers indicated they were interested in investigating Mr. Zatko’s claims.
“We’ve already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we’ve been finding,” Alex Spiro, a lawyer for Mr. Musk, said in a press release. Ms. Katz said her client had not received a subpoena.
Mr. Zatko, a well-known hacker who goes by the nickname Mudge in the security community, joined Twitter in late 2020 after the company was hacked by teenagers who impersonated prominent figures on the social media service to collect Bitcoin. He began working to document fraud at Twitter around the time of his firing, according to his complaint, and continued to share his findings with the company after he departed.
Mr. Zatko said in his complaint that he quickly found that Twitter had made “little meaningful progress on basic security, integrity and privacy systems” and that the company “suffered from anomalously high rate of security incidents.” He contended that many regulatory filings Twitter had made detailing its privacy practices were “misleading, at best.”
In February 2021, Mr. Zatko made a presentation to Twitter’s board about the company’s lack of preparation for a possible data center failure that would knock the service offline. He also commissioned a third-party report on Twitter’s approach to spam and began projects to improve data security, the complaint said.
Mr. Zatko also said in his complaint that the Indian government had forced Twitter to hire government agents, who could access internal data, and that a U.S. official warned the company that a number of its employees were working on behalf of a foreign intelligence agency.
Twitter has been infiltrated by foreign operatives before. Earlier this month, a former Twitter employee was convicted of spying on users on behalf of Saudi Arabia.
In December, Twitter’s board received a briefing on security practices. In January, Mr. Zatko began voicing his concerns that the board had been presented with “fraudulent” details about his work on security. Three days later, he was fired, he said. Mr. Zatko said he later sent material to support his claims to Twitter and the board.
In May, Mr. Musk began needling Twitter over the number of fake accounts on its platform. Mr. Agrawal, the chief executive, responded by saying the company had a strong incentive to detect and remove spam. Mr. Zatko said Mr. Agrawal’s response was false.
In a section of his complaint titled “Lying About Bots to Elon Musk,” Mr. Zatko cited Mr. Agrawal’s tweets about Twitter’s number of fake accounts as an “example of misrepresentations by Twitter.” Executives are “not incentivized to accurately detect” spam because of how they measure the site’s user base for advertising purposes, Mr. Zatko said.
Mr. Zatko’s other claims about the weakness of Twitter’s privacy and security could give Mr. Musk new grounds to abandon the deal, legal experts said.
“If Twitter neglected things that it must have disclosed, that management knew were serious problems to the business that makes its S.E.C. filings inaccurate, because they don’t disclose material information concerning the business, that would help Musk along with his fraud claim,” said Ann Lipton, a professor of corporate governance at Tulane Law School.
(Mr. Musk has signed a binding agreement to buy Twitter. Some legal experts have said that his original claims about misleading disclosures on fake accounts at Twitter could be a weak argument for backing out of the deal because the company amply hedges those disclosures.)
Twitter has violated its 2011 agreement with the F.T.C. before. Under the terms of that agreement, the company was barred for 20 years from misleading consumers about the steps it takes to protect their information and honor their privacy choices.
In May, the F.T.C. and the Justice Department fined Twitter $150 million for violating the settlement after the company had told users it was collecting their email addresses and phone numbers to protect their accounts. The agencies said Twitter didn’t do enough to say that the data was also used to help marketers target ads.
Mr. Musk and Twitter are headed toward a five-day trial in October in Delaware Chancery Court over whether Mr. Musk must abide by his agreement to buy the company. This month, his legal team asked Twitter to turn over documents of several former Twitter executives, including Mr. Zatko, two people with knowledge of the proceedings said. Mr. Musk’s lawyers also sought documents from Jack Dorsey, Twitter’s former chief executive, and Kayvon Beykpour, its former head of product, according to court filings.
In a letter to the court on Aug. 11, lawyers for Twitter argued that Mr. Zatko, whose name is redacted in the filing, oversaw security and compromised accounts but was not involved in spam-fighting efforts and therefore was not relevant to Mr. Musk’s case. A judge ruled that Twitter should hand over Mr. Beykpour’s records but denied the request for Mr. Zatko’s records.
Ms. Katz said that although Mr. Zatko didn’t oversee spam issues directly, he was often asked to help quantify spam and provided those results to the Twitter executives responsible for combating the problem.
“It’s a predictable human emotion to be upset about being fired whenever you’ve been fired for doing the correct thing,” she said.
Cecilia Kang contributed reporting