Twitter executives are having a bad week after its former head of security, Peiter “Mudge” Zatko, who left the company in March 2022, filed a damning whistleblower report about the company’s practices. In his report, Zatko emphasizes that not only does the organization have gaping security flaws, but it is deliberately violating privacy and data protection laws — and hiding it.
Twitter management is no stranger to privacy-related fines. Ireland’s Data Protection Commission (DPC) recently fined the company €450,000 for failing to immediately declare and properly document a data breach under the EU’s GDPR regulation.
This latest scandal has made authorities across the globe sit up and take notice, with both the US Congress and two European watchdogs currently investigating Zatko’s claims.
Who is Twitter Whistleblower Peiter Zatko?
Twitter hired Peiter Zatko (also known as the hacker “Mudge”) in November 2020 as its new security lead. Zatko was given the responsibility of fixing major security and privacy vulnerabilities on the platform.
Authorities are Jumping on the Whistleblower Claims
First reported by The Washington Post, the 84-page document is framed as a complaint and was sent to federal regulatory agencies and the Department of Justice (DOJ). It has since also been picked up by two national data protection authorities in the EU.
Ireland’s DPC and France’s Commission nationale de l’informatique et des libertés (CNIL) are both currently investigating all of the claims in Zatko’s document. The US Congress has now stepped in as well, and has called on the FTC and DOJ to start looking into Twitter’s affairs.
The Whistleblower document, a redacted version of which is available on The Washington Post website, makes several alarming allegations. Many of these allegations are worrying and should be discussed at length, but for the sake of brevity, we’ll discuss two of the main points here.
What Does the Twitter Whistleblower Report Reveal?
Zatko’s report suggests a tragic story of a company riddled with privacy and security issues run by a greedy and dishonest C-suite. His report also implies that Twitter’s management is heavily influenced by foreign interests and that the company poses a national security threat. The report makes damning claims that could land Twitter in some pretty hot water with international authorities due to privacy violations.
Misleading Authorities About Machine Learning
Zatko says Twitter management has deliberately misled the FTC about its practices in using data sets to train its machine learning algorithms. Apparently, there were rumors that both the DPC and CNIL were going to implement similar probes and Twitter management was planning to mislead them in the same way.
In a section called “misleading regulators in multiple countries”, Zatko says these practices involve the material Twitter uses to train its machine learning algorithms. After the FTC started enquiring about its practices, management realized the truth would “implicate the company in extensive copyright/intellectual property violations.”
To avoid that, Twitter management decided to not provide the relevant information and instead directed the FTC to “particular models that would not expose Twitter’s failure to acquire appropriate IP rights.” According to Zatko, Twitter’s management outright acknowledged this maneuver was deceptive.
“Unless circumstances have changed since Mudge was fired in January, then Twitter’s continued operation of many of its basic products is most likely unlawful and could be subject to an injunction, which could take down most or all of the Twitter platform,” the report says.
Apparently, this wasn’t the only misleading activity Twitter engaged in. The report states the company also misled the CNIL in 2021 over its compliance with cookie privacy laws.
Misleading Cookies Usage is a Dark Omen of Twitter’s Privacy Practices
In early 2021, the CNIL ordered Twitter to sort out its practices regarding improper separation of cookie functions. Under the EU’s data retention and protection laws, data must be used for the stated (legitimate) purpose it was collected for. It also states that data cannot be bundled for different purposes.
According to Zatko, up until late 2021, Twitter lacked sufficient understanding of how it was deploying cookies and what they were used for. The report also claims that data gathered from Twitter cookies was being used for multiple purposes, bundling activities like ad tracking and security functions.
The CNIL directive also mentioned that Twitter should allow users to choose which cookies they want to allow. Zatko claims Twitter hired a new privacy engineering team that tried to disentangle cookie functions on the platform to allow “some form of user choice and control.”
Apparently, Twitter rolled out the resulting cookie fix exclusively in France at the end of December 2021 to comply with the CNIL order, even though the problem violates laws across multiple countries. Twitter immediately rolled back and disabled the update, though, after encountering a problem — which Zatko blames on management’s failure to provide an adequate testing environment.
Zatko’s report also states that the engineering team managed to fix the issue in a matter of hours, but management blocked it from being rolled out for another month. According to the report, management made this decision to “extract maximum profit from French users before rolling out the fix.”
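The separation the report describes, one purpose per cookie so that a user can refuse ad tracking without breaking the session or security functions, is easy to express in code. The following is an added example and not Twitter’s code or anything from Zatko’s report: the cookie names, purposes and lifetimes in the registry are constructed, and the consent object is assumed to come from the site’s own consent banner. Each cookie declares exactly one purpose, strictly necessary and security cookies are always set, and everything else is set only with consent and actively cleared when consent is absent or withdrawn.

```javascript
// Added example (not Twitter's code): purpose-separated cookies with consent gating.
// Cookie names, purposes and lifetimes are constructed for illustration.

const KNOWN_PURPOSES = new Set(['necessary', 'security', 'analytics', 'advertising']);
// Purposes covered by the "strictly necessary" exemption: no consent required.
const CONSENT_EXEMPT = new Set(['necessary', 'security']);

// Constructed registry: every cookie maps to a single purpose.
const COOKIE_REGISTRY = [
  { name: 'sid',        purpose: 'necessary',   maxAge: 3600,        httpOnly: true  },
  { name: 'csrf',       purpose: 'security',    maxAge: 3600,        httpOnly: false },
  { name: 'metrics_id', purpose: 'analytics',   maxAge: 30 * 86400,  httpOnly: false },
  { name: 'ad_profile', purpose: 'advertising', maxAge: 365 * 86400, httpOnly: false },
];

// Reject registries in which one cookie serves several purposes, or an unknown one.
// A cookie that is both a security token and an ad identifier cannot be opted out
// of without breaking the site; that bundling is the problem the article describes.
function validateRegistry(registry) {
  const problems = [];
  const seen = new Set();
  for (const c of registry) {
    if (seen.has(c.name)) problems.push(`${c.name}: declared twice`);
    seen.add(c.name);
    if (Array.isArray(c.purpose) || String(c.purpose).includes(',')) {
      problems.push(`${c.name}: bundles several purposes (${[].concat(c.purpose).join(',')})`);
    } else if (!KNOWN_PURPOSES.has(c.purpose)) {
      problems.push(`${c.name}: unknown purpose "${c.purpose}"`);
    }
  }
  return problems;
}

// consent is an object such as { analytics: true } produced by the consent banner (assumed).
function isPermitted(cookie, consent) {
  return CONSENT_EXEMPT.has(cookie.purpose) || consent[cookie.purpose] === true;
}

// Split the registry into cookies that may be set and cookies that must be cleared.
function partitionByConsent(registry, consent) {
  const allowed = [];
  const blocked = [];
  for (const c of registry) (isPermitted(c, consent) ? allowed : blocked).push(c.name);
  return { allowed, blocked };
}

function formatSetCookie(cookie, value) {
  const attrs = [`Max-Age=${cookie.maxAge}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (cookie.httpOnly) attrs.push('HttpOnly');
  return `${cookie.name}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
}

// Build the Set-Cookie headers for one response. Cookies whose purpose lacks consent
// are not merely skipped: an expiring header is emitted so that a cookie set earlier
// is removed when the user withdraws consent.
function buildSetCookieHeaders(registry, consent, values) {
  const problems = validateRegistry(registry);
  if (problems.length > 0) throw new Error('invalid cookie registry: ' + problems.join('; '));
  const headers = [];
  for (const c of registry) {
    if (isPermitted(c, consent)) {
      if (c.name in values) headers.push(formatSetCookie(c, values[c.name]));
    } else {
      headers.push(`${c.name}=; Max-Age=0; Path=/; Secure; SameSite=Lax`);
    }
  }
  return headers;
}

// Usage with constructed values: no consent, then consent to analytics only.
const sampleValues = { sid: 'abc123', csrf: 't0k', metrics_id: 'm-1', ad_profile: 'p-9' };
console.log(buildSetCookieHeaders(COOKIE_REGISTRY, {}, sampleValues));
console.log(buildSetCookieHeaders(COOKIE_REGISTRY, { analytics: true }, sampleValues));
```

The registry check is the part worth keeping in a real deployment: run it in CI so that a cookie can never be declared with two purposes, which is the state the report says Twitter was in when it could not tell which cookies did what.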
Twitter Slams Back, But the Damage is Done
While the company hasn’t released an official statement regarding the report yet, Twitter did send out an internal email about its former employee. CEO Parag Agrawal wrote an email to employees in which he calls the report a “false narrative that is riddled with inconsistencies and inaccuracies” spread by a disgruntled former employee.
According to Agrawal, Twitter fired Zatko for “ineffective leadership and poor performance,” and claims he was accountable for many aspects of the systems he now portrays as flawed. Despite Twitter’s attempts to discredit the whistleblower’s allegations, it looks like the authorities are taking these claims seriously.
Along with European authorities, several lawmakers in the US have publicly stated they are currently investigating Zatko’s claims. Several have also written letters to the FTC, asking the agency to investigate. The FTC was just involved in a lawsuit with Twitter in which the authority accused the platform of using its users’ email accounts and phone numbers for targeted advertising. Twitter decided to pay a $150 million settlement in May 2022.
As for users, right now the best step may be to stop using Twitter and delete the app, at least until authorities finish investigating the company’s practices and Twitter can work out its privacy and security problems. If you feel your privacy is worth more than a 280-character tweet, you can also consider deleting your Twitter account entirely.
If you want to improve your online privacy and security, download CyberGhost VPN to encrypt your connection with our state-of-the-art 256-bit AES encryption.