Twitter's recently fired head of security is alleging that the social media platform poses a privacy threat to its 238 million daily users, including government agencies and officials, constituting a national security concern.
The claim was made by Peiter "Mudge" Zatko, a computer hacker who had been hired by former Twitter CEO Jack Dorsey.
Zatko's accusations, including alleged "extreme, egregious deficiencies" in Twitter's practices to combat spam and hacking, are contained in a whistleblower document sent on July 6 to three U.S. government agencies, including the Department of Justice.
CNN and The Washington Post first reported details of the complaint Tuesday. A redacted version of the 84-page document was sent to the U.S. Congress.
Zatko "was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," a Twitter spokesperson, who did not want to be identified by name, said in a statement to VOA.
"What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be," the statement said.
Zatko alleges Twitter violated terms of a 2011 settlement with the U.S. Federal Trade Commission by falsely claiming it had a solid security plan. Zatko said he warned colleagues that in reality, the social media company's computers were running outdated and vulnerable software and that company executives hid information from the board of directors about the lack of data protection and the actual number of security breaches.
The revelations come as Twitter finds itself in a legal battle with Tesla CEO Elon Musk, considered the world's richest person. Musk pulled out of an agreement last month to purchase Twitter for $44 billion, accusing Twitter of hiding information about its number of automated user accounts, known as bots.
"I felt ethically bound. This is not a light step to take," Zatko told The Washington Post about his whistleblower complaint. He declined to elaborate on its contents.
Zatko was fired in January by Dorsey's successor, Parag Agrawal.
Under whistleblower protection laws in the United States, Zatko is entitled to legal protection against retaliation and may be eligible to receive money as a reward if his revelations lead to successful enforcement actions by government agencies.
"The Twitter whistleblower complaint raises questions about how well the company is managing security, particularly employees' access to production systems handling user data. It also highlights the profits-before-user-privacy business model that we know has long existed at big social media platform companies and can put users in danger," the Electronic Frontier Foundation, which defends civil liberties in the digital world, said in a statement.
Zatko's allegations are "alarming," said Senate Judiciary Committee Chair Dick Durbin.
"The whistleblower's allegations of widespread security failures at Twitter, willful misrepresentations by top executives to government agencies, and penetration of the company by foreign intelligence raise serious concerns," the Democratic lawmaker said on Twitter.
Durbin added that he would continue investigating the issue because if the claims are accurate, "they may show dangerous data privacy & security risks for Twitter users around the world."
The top Republican on the committee concurred.
"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," said Senator Chuck Grassley.
"The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further," Grassley added in a statement supplied to VOA and other news organizations.
Zatko specifically alleges that India forced Twitter to put a government agent on the company payroll, meaning the person could have access to sensitive data about users because of the platform's weak security infrastructure.
"By knowingly permitting an Indian government agent direct unsupervised access to the company's systems and user data, Twitter executives violated the company's commitments to its users," the complaint states.
The embassy of India had no immediate response to VOA's request for a comment regarding that allegation.
"If the allegations are true, one of the biggest concerns for users would be the idea that foreign intelligence services could have access to account information or messages tied to Twitter users," Steven Adair, president at Volexity, a cybersecurity firm that handles cyberespionage and digital spying cases, told VOA.
"Beyond your standard privacy concern — if this information were accessible, it could allow spying on a user's private conversations and even their physical location. In general, though, these are things I suspect Twitter strives to prevent."
Michelle Quinn in San Francisco contributed to this report.
Ex-Twitter Security Chief Claims Platform Poses Security Risks for Users