The former head of security for Twitter says that it has "egregious flaws."
The whistleblower's complaints to the Securities and Exchange Commission, the Justice Department, and the Federal Trade Commission come at a bad time for Twitter.
In a whistle-blower complaint, Twitter's former head of security says the company has "extreme, egregious deficiencies" in how it fights spam and hackers.
The former executive, Peiter Zatko, said in his complaints that problems with how security, privacy, and content moderation rules were being followed went back to 2011. Mr. Zatko is a well-known hacker who is known as "Mudge" in the security community. He started working at Twitter in late 2020 but was fired in January.
On July 6, he sent his complaints to the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission. The Washington Post and CNN were the first to report them.
According to a complaint filed with the S.E.C. and seen by The New York Times, Mr. Zatko accuses Twitter, its chief executive Parag Agrawal, and other executives and directors of "extensive legal violations." These include making misleading statements to users and investors and acting with "negligence and even complicity" when foreign governments tried to get into the platform.
A Twitter spokeswoman said that Mr. Zatko was fired in January 2022 because he was a bad leader and didn't do his job well. She said, "What we've seen so far is a false story about Twitter and how we handle privacy and data security. It's full of inaccuracies and is missing important context." She added, "Mr. Zatko's claims and the way he chose to make them seem to be designed to get attention and hurt Twitter, its customers, and its shareholders. Security and privacy have been important to Twitter as a whole for a long time, and they will continue to be."
The accusations come at a bad time for Twitter, which is in court with Elon Musk over his plans to back out of a $44 billion deal to buy the social media company. Twitter has filed a lawsuit against Mr. Musk to force him to finish the deal. In October, the Delaware Chancery Court will hear the case.
Lawyers for Mr. Musk said they were interested in looking into the claims made by Mr. Zatko. In a statement, Mr. Musk's lawyer, Alex Spiro, said, "We have already sent a subpoena to Mr. Zatko, and we found his departure and that of other key employees strange in light of what we have found." A person who knows how the lawsuit is going said that Mr. Zatko is going to be deposed.
Some of Mr. Zatko's complaints are the same as Mr. Musk's because they both focus on the number of fake users on Twitter. Mr. Musk says that Twitter's public statements about these numbers are misleading in a very important way. If true, Mr. Zatko's claim that Twitter isn't following the settlement it made with the F.T.C. in 2011 about how it protects user information could be the most damaging. The agency had said that Twitter's data security had "serious flaws" that "allowed hackers to gain unauthorized administrative control of Twitter" and send fake tweets.
Under the terms of the settlement, Twitter agreed not to "mislead consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information," including the steps it takes to stop unauthorized access to nonpublic information and respect consumers' privacy choices.
Mr. Zatko said that Twitter "had never been in compliance" with the consent decree and was not likely to ever be in compliance.
Twitter was fined $150 million in May by the F.T.C. and the Justice Department for breaking the settlement. The agencies said that Twitter told its users that it was collecting their email addresses and phone numbers to protect their accounts, but did not adequately disclose that the information was also used to help marketers target ads.
Mr. Zatko said that he saw senior executives communicate in a "deceitful" or "misleading" way "multiple times" in 2021. He said that on December 14, 2021, Mr. Agrawal, against his advice, "explicitly told Mudge to give documents that both of them knew were false." Mr. Zatko said that he started writing down what he called "evidence of fraud" in January 2022, and that Twitter's chief compliance officer started an investigation based on his claims.
In a section of the complaint called "Lying About Bots to Elon Musk," Mr. Zatko said that Mr. Agrawal's tweets about the number of fake accounts on the platform were "an example of Twitter lying." Mr. Zatko said that the way Twitter's executives measure the site's user base for advertising purposes gives them no incentive to accurately detect spam.
The complaint says that Mr. Zatko "learned that deliberate ignorance was the norm" among Twitter's top leaders. When he asked a fellow executive at the company in early 2021 how many fake accounts were on the platform, they said, "We don't really know," the complaint said.
In early trading, the price of a share of Twitter fell by more than 2%.