An ex-Twitter employee has blasted the platform for an alleged litany of poor practices, inefficiencies and lies that could risk personal data and even US security.
Peiter ‘Mudge’ Zatko, the social media firm’s former head of security, has said that Twitter’s board has been covering up ‘extreme’ and ‘egregious’ deficiencies.
These include refusing to cull the platform of bots, not deleting user data when it should, and misleading the Federal Trade Commission (FTC).
Zatko’s disclosure describes ‘egregious deficiencies, negligence, willful ignorance and threats to national security and democracy’ at Twitter.
He made the 200-page disclosure to Congress and federal agencies last month, which was obtained by CNN and The Washington Post and revealed on Tuesday.
Twitter has come back with the claim that Zatko was fired in January 2022 for ‘ineffective leadership and poor performance’.
MailOnline has spoken to experts to see exactly how Twitter’s alleged deficiencies make the platform a risk to personal privacy and national security.
Peiter ‘Mudge’ Zatko (pictured yesterday), the social media firm’s former head of security, made the bombshell disclosure to Congress and federal agencies last month
Zatko said Twitter’s board had been covering up its ‘extreme, egregious deficiencies’
TWITTER BOTS
Zatko has said Twitter executives don’t have the resources to figure out how many bots – automated accounts driven by software rather than a person – are on the platform.
Twitter says around 5 per cent of accounts are bot accounts, but Zatko suggests it’s likely much more than that.
While a Twitter employee, he was allegedly told by the ‘head of site integrity’ that the company actually didn’t know how many Twitter bots there are, CNN revealed.
There was reportedly no desire to properly measure the number of bots because if the true number became public it could harm the company’s value and image.
Staff at Twitter – which has 238 million daily users – have also allegedly been incentivised with bonuses of up to $10 million to increase daily user numbers, but done nothing to remove bots.
Jake Moore, a security advisor at ESET, told MailOnline that Twitter bot accounts can be ‘extremely damaging’ for disinformation.
‘Bots can alter the narrative of information online rapidly, plus they have the ability to change people’s minds and perceptions of situations,’ he said.
‘They are used often to drive misinformation which can have damaging social consequences.’
The issue of Twitter’s bots has become central to billionaire Elon Musk’s now stalled takeover of the platform, which is heading for trial in the US in October.
Twitter is looking to force through the £37.4 billion deal after Musk backed out, claiming that Twitter had been misleading about the number of fake accounts.
Elon Musk (pictured) is engaged in a bitter legal battle over his acquisition of the social network, claiming Twitter lied about the number of bots on the platform
USER DATA
Zatko, who previously worked at Google and the Department of Defense, also alleged that Twitter does not reliably delete user data after an account is cancelled.
In some cases this is because Twitter has lost track of the information, often because it has spread too widely across the firm’s systems.
The company has also allegedly misled regulators regarding whether it deletes data of users who have left the platform.
Moore told MailOnline that data of those who have left remains a valuable commodity for tech companies.
‘When you delete an account, your data often stays on the servers of the platform and this data may be stored, analysed or sold at any time,’ he said.
‘Free platforms usually profit from their users’ data and this can harm users’ privacy and even security now and in the future.’
‘INDISCRIMINATE ACCESS’
Twitter has also given thousands of staff access to central controls and the most sensitive information without adequate oversight, Zatko said.
There is also allegedly a general lack of transparency at Twitter around which employee has accessed what data, and when.
Such data includes personal details such as email addresses and phone numbers.
According to Zatko, Twitter has ‘never been in compliance’ with the FTC over a consent order that it signed in 2011.
This order was signed after a complaint that Twitter granted almost all of its employees the ability to exercise administrative control of the Twitter system.
The failure to adhere to the order means Twitter suffers an ‘anomalously high rate of security incidents’ at around one per week which are serious enough to alert the government, the ex-security chief said.
James Bore, a security consultant at Bores Group, has pointed to a recent Twitter data breach revealed earlier this month that compromised 5.4 million users.
Zatko, whose hacker alias is Mudge, is pictured testifying before the Senate Governmental Affairs hearing on government computer security in 1998
‘We know from the previous Twitter breach that, unless things have changed, they don’t keep a tight rein on staff’s ability to access and ultimately take control of even their most sensitive users’ accounts,’ he told MailOnline.
‘Even earlier this year another breach clearly showed that they haven’t taken precautions to protect their users, as allegedly 5.4 million users were compromised, with their emails and phone numbers exposed and offered for sale on a hacking forum.’
TWITTER SPIES?
Zatko, who reported directly to CEO Jack Dorsey and his replacement Parag Agrawal, said senior executives have been covering up the platform’s biggest vulnerabilities.
He has even claimed one or more employees could be working as spies for foreign intelligence services.
The social media platform could therefore be susceptible to foreign interference or spying and hacking – a risk to national security.
Bore told MailOnline: ‘Given the data that appears to be available to Twitter staff and the influence of the platform, this isn’t a stretch of the imagination.
‘Intelligence agencies could be willing to put the effort in to place their own staff within the company to access data which could lead to identifying those objecting to regimes around the world.’
The disclosure also claims the US government provided specific evidence to Twitter shortly before Zatko left the company that at least one of its employees was working for another government’s intelligence service.
However, the whistleblower’s report does not state whether Twitter was already aware of this or if subsequent action was taken.
According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey (pictured) in November 2021
Zatko said he had attempted to raise the alleged security lapses with Twitter’s board and claims his public whistleblowing comes after those attempts failed.
Aside from the staffing security concerns, Zatko also feared its server infrastructure made Twitter vulnerable.
He said half of its 500,000 servers run outdated software that does not support encryption of stored data and does not receive regular security updates.
Inadequate procedures for recovering from data center crashes also mean that minor outages could knock Twitter offline for good, he claims.
The tech firm said automatic checks are in place to ensure that laptops running outdated software cannot access the production environment, and that record-keeping and review requirements apply to any changes to the live product.
Zatko’s disclosure could lead to billions in fines for Twitter if the claims are proven or if it is found to have violated its legal obligations.
In response to the disclosure, a Twitter spokesperson told MailOnline: ‘Mr Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.
‘What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.
‘Mr Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.
‘Security and privacy have long been company-wide priorities at Twitter and will continue to be.’