According to details revealed by Twitter’s former security chief himself, the company intentionally misinformed users about the prevalence of accounts not belonging to real people, as well as about the actual level of security offered to users who choose the platform.
The revelations come from a famous hacker turned security expert – Peiter “Mudge” Zatko. If confirmed by independent analysis, the allegations could have very serious consequences for Twitter, with the company risking hefty fines and a whole slew of class-action lawsuits seeking multi-million dollar damages.
According to Zatko himself, the disclosures are aimed solely at preserving the narrative that made Twitter successful:
- Indiscriminate access – A significant part of Twitter’s vulnerability is that too many employees have access to critical systems, Zatko argues. Roughly half of Twitter’s 7,000 full-time employees have access to sensitive personal user data (such as phone numbers) and internal software (to alter how the service works), and that access is not closely monitored. He also claims that thousands of laptops contain full copies of Twitter’s source code.
- Misleading the FTC – In 2010, Twitter was accused by the US FTC of failing to protect consumers’ personal information. Twitter allegedly repeatedly published “false and misleading statements” about users of the platform.
- Ignoring accounts run by bots – Twitter has repeatedly claimed that less than 5% of its daily active users are bots, fake accounts or spam.
- Government agents – Twitter is a key tool for distributing news and organizing protests, making it a favorite target for governments seeking to suppress dissent.
- Failure to delete legitimately requested information in a timely manner – Twitter has failed in the past to delete user data on demand because such records are spread too widely among internal systems to be properly tracked.
In response to Zatko’s complaint, Twitter accused the former security chief of focusing on sensational news and selectively reporting information primarily aimed at undermining his former employer:
“Mr. Zatko was fired as executive director for poor performance and ineffective leadership over six months ago. While I have not had access to the specific allegations referenced, what I have seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s accusations and opportunistic timing seem designed to grab attention and cause harm to Twitter, its customers and shareholders. Security and privacy have long been company-wide priorities and we still have a lot of work ahead of us.”