Today’s newsletter is late because Substack was down for an hour or so. Sorry!
On January 21, a moderately surprising headline hit the New York Times: in one of his first official acts as Twitter CEO, Parag Agrawal had fired the company’s chief information security officer, Rinki Sethi, and its head of security, Peiter Zatko. It was the latter firing that surprised; Zatko, who is known within cybersecurity circles as “Mudge,” is a veteran hacker who had previously worked at DARPA, Google, and Stripe.
Zatko joined the company in 2020 after being recruited personally by then-CEO Jack Dorsey, after a deeply embarrassing hack in which teenagers temporarily took over the accounts of Barack Obama, Joe Biden, Elon Musk, and other celebrities. Agrawal told employees little about his rationale for firing Zatko and Sethi, saying only that the “nature of this situation” prevented him from saying more, the Times reported. Zatko maintained his public silence for eight months — and then showed up on Tuesday throwing bombs.
In an 84-page complaint filed with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, Zatko alleges severe negligence on the part of Agrawal and other company executives in protecting user data, misleading government officials, and violating a 2011 consent decree with the FTC.
In preparing the complaint, Zatko worked with Whistleblower Aid, the same group that assisted Frances Haugen when she blew the whistle on Facebook last year; Whistleblower Aid worked with Zatko to secure prominent coverage of his complaint in CNN and the Washington Post.
The Post’s Joseph Menn, Elizabeth Dwoskin and Cat Zakrzewski lay out some of the details:
Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.
The complaint — filed last month with the Securities and Exchange Commission and the Department of Justice, as well as the FTC — says thousands of employees still had wide-ranging and poorly tracked internal access to core company software, a situation that for years had led to embarrassing hacks, including the commandeering of accounts held by such high-profile users as Elon Musk and former presidents Barack Obama and Donald Trump.
A few things to say up front: I don’t know Zatko myself, and am only passingly familiar with his work. Some people I know deeply respect and trust him, and many of them tweeted tributes to him today. Other people I know who worked with him had a lesser opinion of his work; these people spent today sending me messages that began with something along the lines of “Here is a story about Mudge that you can’t use.” (A few, though, did tweet their criticisms publicly.)
What I took from these conversations is that Zatko is a polarizing figure, and like many coworkers, how you feel about him probably depends a lot on the circumstances under which you worked with him.
A second thing to say is that Zatko makes a lot of allegations here. His complaints go on for dozens of pages, and have a kitchen-sink quality reminiscent of a jilted husband suing for custody of a child. These complaints cannot properly be assessed in a single column, even if we did have all the necessary data and supporting exhibits, which we don’t. It will be up to the government agencies that received the complaint, along with Congress, to determine what, if anything, is worth pursuing here legally.
Of course, Congress knows red meat when it sees some, and given the never-ending discourses around data, privacy, censorship, Big Tech, and so on, both Republicans and Democrats leaped to say that they will be taking Zatko extremely seriously. Here’s Zakrzewski again in the Post:
Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (Wash.), the chair and top Republican on the House Energy and Commerce Committee, said if the whistleblower’s allegations are true, they “reaffirm” the need for Congress to pass consumer privacy legislation to safeguard Americans’ data. The committee is “assessing next steps,” they said in a joint statement.
Sen. Richard Blumenthal (D-Conn.), head of the Senate Commerce panel focused on consumer protection, on Tuesday wrote a letter to the Federal Trade Commission, calling for the agency to investigate Zatko’s claims and bring “enforcement actions,” including fines, against Twitter where appropriate.
Four more lawmakers say they’ll also be looking into the claims before the story ends. Zatko will reportedly be briefing them this week.
Now, I just said that we can’t properly evaluate Zatko’s claims with what we know so far. But after talking with some folks at Twitter today, I think we can at least begin to group the more high-profile allegations in terms of what seems plausible and worrisome; what seems plausible and overblown; and what seems likely wrong.
Plausible and worrisome. The complaint alleges that about half of Twitter’s employees had access to critical systems that enabled them to make harmful changes or collect sensitive data. Historically that was true, I’m told, but began to change starting around 2018, and now access is more limited and audited more regularly. Notably, even before 2018 all this data access was logged, so if an employee was doing something terrible with Twitter’s code there should have at least been a trail for investigators to follow.