Twitter whistleblower releases scathing report on company's security and privacy practices

An ex-Twitter executive is spilling the beans on the company's cybersecurity and privacy practices.

Peiter "Mudge" Zatko, former head of security at Twitter, spoke to CNN and The Washington Post, claiming that not only did his former company have a number of cybersecurity issues, it also deliberately misled its board of directors about them.

Among other security issues, Zatko claims the following (detailed in a 200-page disclosure sent to Congress and U.S. government agencies in July, and obtained by the news outlets):

• Twitter gave thousands of company employees access to some of its most critical controls, which made it "impossible" to adequately protect the platform.

• Twitter had minimal control over or visibility into employees' individual company computers.

• About half of Twitter's servers run on outdated software.

Perhaps even more serious are Zatko's claims on how Twitter handles privacy.

Most notably, Zatko claims that Twitter has "never been in compliance" with the demands the Federal Trade Commission (FTC) made from the company back in 2011. Twitter then settled with the FTC over a privacy complaint which has shown that the company failed to safeguard its users' private information. Under the terms of the settlement, Twitter was barred for the next 20 years from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information." Had Twitter failed to do so, it could result in further fines.

Specifically, Zatko alleges that Twitter does not always reliably delete a user's data after they've cancelled their account, the report says, "in some cases because the company has lost track of the information."

Zatko's claims come at a difficult time for Twitter, as the company is about to start a legal battle over Elon Musk's takeover bid. In his disclosure, Zatko touches on a topic that Musk has claimed is pivotal in this case — the number of bots on Twitter's platform. Zatko alleges that Twitter deliberately misreports the number of bots and spam accounts on its platform (which Musk also claims), and further claims that Twitter doesn't even have the proper resources to measure this number. Twitter claims "false or spam" accounts make up less than 5 percent of the platform.

John Tye, Zatko's lawyer and founder of Whistleblower Aid (an organization that assisted Facebook whistleblower Frances Haugen and is now representing Zatko), told CNN Zatko has not been in contact with Musk, and that he began the whistleblower process before Musk's takeover bid kicked off.

Zatko was fired by Twitter in January 2022. In a statement given to the news channel, Twitter said he was fired for "poor performance and ineffective leadership." As for his claims, Twitter called them "a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context."