Today’s newsletter is late because Substack was down for an hour or so. Sorry!
I.
On January 21, a moderately surprising headline hit the New York Times: in one of his first official acts as Twitter CEO, Parag Agrawal had fired the company’s chief information security officer, Rinki Sethi, and its head of security, Peiter Zatko. It was the latter firing that surprised; Zatko, who is known within cybersecurity circles as “Mudge,” is a veteran hacker who had previously worked at DARPA, Google, and Stripe.
Zatko joined the company in 2020 after being recruited personally by then-CEO Jack Dorsey, after a deeply embarrassing hack in which teenagers temporarily took over the accounts of Barack Obama, Joe Biden, Elon Musk, and other celebrities. Agrawal told employees little about his rationale for firing Zatko and Sethi, saying only that the “nature of this situation” prevented him from saying more, the Times reported. Zatko maintained his public silence for eight months — and then showed up on Tuesday throwing bombs.
In an 84-page complaint filed with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, Zatko alleges severe negligence on the part of Agrawal and other company executives in protecting user data, misleading government officials, and violating a 2011 consent decree with the FTC.
In preparing the complaint, Zatko worked with Whistleblower Aid, the same group that assisted Frances Haugen when she blew the whistle on Facebook last year; Whistleblower Aid worked with Zatko to secure prominent coverage of his complaint in CNN and the Washington Post.
The Post’s Joseph Menn, Elizabeth Dwoskin and Cat Zakrzewski lay out some of the details:
Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.
The complaint — filed last month with the Securities and Exchange Commission and the Department of Justice, as well as the FTC — says thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.
A few things to say up front: I don’t know Zatko myself, and am only passingly familiar with his work. Some people I know deeply respect and trust him, and many of them tweeted tributes to him today. Other people I know who worked with him had a lesser opinion of his work; these people spent today sending me messages that began with something along the lines of “Here is a story about Mudge that you can’t use.” (A few, though, did tweet their criticisms publicly.)
What I took from these conversations is that Zatko is a polarizing figure, and like many coworkers, how you feel about him probably depends a lot on the circumstances under which you worked with him.
A second thing to say is that Zatko makes a lot of allegations here. His complaints go on for dozens of pages, and have a kitchen-sink quality reminiscent of a jilted husband suing for custody of a child. These complaints cannot properly be assessed in a single column, even if we did have all the necessary data and supporting exhibits, which we don’t. It will be up to the government agencies who received the complaint, along with Congress, to determine what, if anything, is worth pursuing here legally.
Of course, Congress knows red meat when it sees some, and given the never-ending discourses around data, privacy, censorship, Big Tech, and so on, Republicans and Democrats both leaped to say that they will be taking Zatko extremely seriously. Here’s Zakrzewski again in the Post:
Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (Wash.), the chair and top Republican on the House Energy and Commerce Committee, said if the whistleblower’s allegations are true, they “reaffirm” the need for Congress to pass consumer privacy legislation to safeguard Americans’ data. The committee is “assessing next steps,” they said in a joint statement.
Sen. Richard Blumenthal (D-Conn.), head of the Senate Commerce panel focused on consumer protection, on Tuesday wrote a letter to the Federal Trade Commission, calling for the agency to investigate Zatko’s claims and bring “enforcement actions,” including fines, against Twitter where appropriate.
Four more lawmakers say they’ll also be looking into the claims before the story ends. Zatko will reportedly be briefing them this week.
II.
Now, I just said that we can’t properly evaluate Zatko’s claims with what we know so far. But after talking with some folks at Twitter today, I think we can at least begin to group the more high-profile allegations in terms of what seems plausible and worrisome; what seems plausible and overblown; and what seems likely wrong.
Plausible and worrisome. The complaint alleges that about half of Twitter’s employees had access to critical systems that enabled them to make harmful changes or collect sensitive data. Historically that was true, I’m told, but began to change starting around 2018, and now access is more limited and audited more regularly. Notably, even before 2018 all this data access was logged, so if an employee was doing something terrible with Twitter’s code there should have at least been a trail for investigators to follow.
Still, no one can deny the long and mortifying history of Twitter security issues. In addition to the teenage takeover of 2020, there was the accidental suspension of Dorsey’s Twitter account in 2016, and the contractor who briefly disabled Donald Trump’s account in 2017. As recently as May, the company had to pay a $150 million fine for using the phone numbers people had given it for two-factor authentication purposes to target them with personalized ads.
Zatko was the chief security officer, and it should be no surprise that a security officer found in the course of his job a bunch of security problems. This is particularly true given that he was fired after a relatively short time on the job; I’m sure Zatko had a list of projects he planned to work on before Agrawal canned him.
Twitter told the press that it has since addressed many of the issues Zatko raised, and found that many others were overstated or false. (In an email to employees, Agrawal called the whole thing a “false narrative” and disparaged Zatko’s job performance.) I find it likely that there are probably at least some legitimate security issues here, though. We’ll see.
Plausible and overblown. One reaction I heard to Zatko’s allegations, particularly from Twitter employees, was that the hacker seemed a little too shocked to find himself working for a for-profit corporation. For example, in the provocatively titled section “Lying about bots to Elon Musk,” Zatko’s lawyers note that “senior executives earn bonuses not for cutting spam, but for growing mDAU.”
I do think that Twitter incentivizes executives to grow the number of users it can show ads to, rather than reduce the number of spam bots by some arbitrary amount. What of it?
Zatko professes to be extremely concerned about bots; he wishes that Twitter counted up all of the bots it can find and report that figure publicly. Instead, the company attempts to identify the portion of bots and spam accounts within the group of users that it monetizes by showing ads. Zatko is entitled to his opinion, but I find it difficult to understand what the alleged crime is here.
Asked why he cares about bots so much by CNN, he can offer only word salad:
But Zatko told CNN he thinks there would still be value in attempting to measure the total number of spam, false or otherwise potentially harmful automated accounts on the platform. “The executive team, the board, the shareholders and the users all deserve an honest answer as to what it is that they are consuming as far as data and information and content [on the platform] ... At least from my point of view, I want to invest in a company where I know what’s actually going on because I want to invest strategically in the long-term value of an organization,” he said.
Why do we “deserve” an answer about how many bots are on the platform? What does it have to do with “the long-term value” of Twitter? We already know how much money the company makes. What do bots have to do with anything?
Likely wrong. The allegation that stopped me in my tracks when I read it in the Post was this one:
“Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.”
Given that a former Twitter employee was just found guilty of being an agent of the government of Saudi Arabia, this is an extremely serious and worrisome charge. The Saudi agent used his access to internal systems to obtain data about dissidents and report it back to the government, enabling the government to spy on them.
But Twitter told me that this “agent” was not placed there by the government. Rather, Twitter was meeting its obligations under the new (and terrible) IT Rules of India, which require tech platforms to appoint local representatives that can be intimidated into doing the government’s bidding. Twitter has hardly rolled over for India here; I wrote here last month about the lawsuit the company filed to prevent the government from ordering the takedown of various tweets.
If Zatko’s “agent” is just the legally required grievance officer that Twitter and every other platform like it is required to have, it would significantly damage the credibility of his allegations overall, at least in my eyes.
III.
Of course, the main reason all this is interesting is not that Twitter might someday have to pay a fine over all this, even though the Post speculates that the amount could be in the billions. (I’m skeptical, though; the agency’s average fine is much lower.)
Instead, the question is whether all this will be useful to Elon Musk in his effort to get out of the binding $44 billion contract he signed to buy Twitter. And it’s too soon to say: we don’t yet know which of these claims might be substantiated, or whether any of the claims here might be considered material by the chancery court judge.
Certainly it offers some fresh material to Musk and his legal team; they say they have subpoenaed Zatko. I imagine they’ll find him a cooperative source: a large section of his complaint is written essentially as a direct address to his lawyers, performing a deep read on Agrawal’s tweets back and forth with Musk about bots and attempting to make the case that Twitter lied. Musk likes to say that Twitter lied too, of course, but Matt Levine notes that what the men are accusing Twitter of is very different:
Musk’s claim is that Twitter counts spam bots in its mDAU numbers. Zatko’s complaint says, no, obviously Twitter doesn’t do that — that’s just a thing that Musk made up to get out of the deal — but the spam bots exist and are annoying. Twitter does a good job of excluding them from its count of monetizable users, he says, but not of getting rid of them entirely. That’s not fraud; it’s just a thing that annoys Zatko (and Musk).
Zatko’s lawyer said he had begun his whistleblower preparations before Musk moved to buy Twitter. Still, Musk’s bot complaints are quite prominent in the complaint, coming ahead of seemingly much more consequential issues including the 2011 FTC consent decree, a section titled “Mudge Discovers Egregious Deficiencies, Negligence, Willful Ignorance, and Threats to National Security & Democracy,” and another named “New CEO Enables Fraud.”
I know why Elon Musk pretends to care about bots. But why is Zatko spending so much time talking about bots, when he can’t even identify a harm? Why is his case focused on proving that Twitter is lying to its potential acquirer, rather than attempting to demonstrate that these alleged lies have any effect on its user base? And why did these claims arrive less than two months before Musk goes to trial on the issue, in an effort to save him $44 billion?
Maybe there’s an innocent explanation. But you don’t have to be a conspiracy theorist to find it all rather suspicious.
Elsewhere in Twitter: Employees were warned they may get only half their annual bonuses this year. The company threatened to revoke API access to Bot Sentinel, whose CEO recently cast doubt on the company’s bot detection efforts. Twitter is testing a way to identify people who have verified their phone numbers on their profiles, helping to distinguish them from bot accounts. And the company banned the account of a Florida Republican who encouraged violence against federal agents.
Governing
After a man took photos of his naked toddler for the doctor, Google investigated his account and terminated him for having CSAM on his phone. Super important story that I hope to be able to write about at length later this week; in the meantime Ben Thompson raises some salient points. (Kashmir Hill / New York Times)
A security researcher warned that TikTok’s in-app browser can monitor your keystrokes, raising a mild furor over the weekend. Well, that’s the last time I write up an edition of Platformer using TikTok’s in-app browser. (Richard Nieva / Forbes)
Meta learned that the Federal Trade Commission would sue the company to block its acquisition of Within via a tweet. This is apparently considered rude in the rarefied world of antitrust litigation. (Alex Barinka, Leah Nylen, and Sarah Frier / Bloomberg)
The United Kingdom’s home secretary, Priti Patel, wrote an op-ed criticizing end-to-end encryption and supporting client-side scanning of user devices. (James Vincent / The Verge)
Facebook and Instagram removed the account of Robert Kennedy Jr.’s nonprofit for repeatedly spreading vaccine misinformation. (Sheera Frenkel / New York Times)
NSO Group’s CEO stepped down. Bye!!! (Reuters)
An investigation into Reddit finds large, active communities of people buying and selling nudes. (Monika Plaha / BBC)
YouTube became the latest platform to remove the account of Andrew Tate, a self-described misogynist whose commentaries have been widely criticized. (Cecilia D'Anastasio and Davey Alba / Bloomberg)
Binance’s head of communications said hackers had created a deepfake of him to set up meetings with companies eager to list their coins on the service. The nature of the scam remains unclear, but the implications are wild. (Sergio Goschenko / Bitcoin.com)
A look at how alternative video platforms like BitChute and Odysee have become popular places to post misinformation and hate speech. (Andrew R.C. Marshall and Joseph Tanfani / Reuters)
Delhi police say they will use facial recognition in criminal investigations when the likely match is 80 percent or higher, a relatively low number that has alarmed civil liberties advocates. (Varsha Bansal / Wired)
Industry
Mark Zuckerberg responded to the avalanche of viral tweets making fun of his low-fi metaverse selfie by posting a much more detailed cartoon selfie. (Patricia Hernandez / Kotaku)
YouTube will start adding watermarks to Shorts videos when a creator downloads them, making their origin obvious when uploaded to TikTok or other platforms. (Mia Sato / The Verge)
Yelp is adding a prominent notice to listings for crisis pregnancy centers to explain that they do not provide abortion care. Y’know, if Yelp did stuff like this more than once every 10 years maybe they would be more competitive with Google generally. (Ina Fried / Axios)
Reddit’s removals of content under the Digital Millennium Copyright Act surged 15,000 percent in five years. (Ernesto Van der Sar / TorrentFreak)
Twitch will begin letting its partners stream to Facebook and YouTube as well, after a period of demanding exclusivity. The move comes as the platform has lost some top streamers to competitors. (Ash Parrish / The Verge)
Nike leads all brands online with $185 million in recorded NFT sales to date. (Nicholas Kitonyi / NFTGators)
Meet the young denture influencers of TikTok. (Jessica Lucas / Input)
Talk to me
Send me tips, comments, questions, and whistleblower complaints: casey@platformer.news.
Very weird how musky the complaint is. Feel it is very hyperbolic and assumes intent quite a lot. Funnily enough it now makes me feel the takeover won't happen, rather than help the manchild. It doesn't help his case and anyone who has a grievance will now go to the SEC. Twitter will be ok, he won't. He has already told everyone what he wants to do (create a super app) so they can just leapfrog him lol. Twitter has always seemed like 2 companies in 1. The mDAU base and everyone else. Guessing that they will draw the boundary around the former (free and paid via T Blue) and sweep the rest of us onto whatever Bluesky turns out to be. Easier than trying to fix all these problems.
Great article Casey, the way you broke down the Peiter Zatko story into simple parts is very helpful.