In an explosive revelation about how the Narendra Modi government “forced” Twitter to employ an “agent” who would have “access to vast amounts of sensitive data” on the microblogging platform, famous hacker and its former security chief Peiter Zatko has alleged that company executives “deceived” US federal regulators and its own board of directors about “extreme, egregious deficiencies” in its defences against hackers.
In an 84-page whistle-blower complaint with the US Securities and Exchange Commission (SEC) last month made public by The Washington Post on Tuesday, Zatko—who was fired in January and is also known as Mudge—alleged that Twitter is unable to properly protect its 238 million daily users, including government agencies, heads of state and other influential personalities.
In a section titled ‘Penetration by Foreign Intelligence & Threats to Democracy’, Zatko alleged: “The Indian government forced Twitter to hire specific individual(s) who were government agents who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data.”
Supporting information for the claim, the complaint stated, has been sent to the National Security Division of the US Justice Department and the Senate Select Committee on Intelligence. A person familiar with the matter agreed that the employee was probably an agent, The Post reported.
The Wire published an excerpt from Zatko’s complaint.
An excerpt from the whistle-blower complaint filed with the SEC. Credit: The Washington Post.
According to the allegations, which come amid Twitter’s legal tussle with the ministry of electronics and IT (MeitY) over its content blocking orders, “by knowingly permitting an Indian government agent direct unsupervised access to the company’s systems and user data, Twitter executives violated the company’s commitments to its users”.
Twitter “did not, in fact, disclose to users that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll”, Zatko further alleged.
Zatko said that “the threat of harm to Twitter employees” in countries—for example, India, Russia and Nigeria—where the company needs to have a physical presence and full-time employees, was “sufficient to cause (it) to seriously consider complying with foreign government requests that (it) would otherwise fundamentally oppose”.
In another section titled ‘Squeezing Local Staff’, Zatko alleged that the Centre sought “with varying success” to force Twitter to hire local full-time employees that “could be used as leverage”.
Under the Information Technology Rules, 2021, notified by MeitY last February, it is compulsory for a social media company to hire a key local nodal officer who would help law enforcement agencies in investigations, a compliance officer who would ensure compliance with the rules and a grievance officer who would resolve user complaints.
Twitter did not respond to a query by The Indian Express seeking clarification on the possibility of a link between Zatko’s allegations and the IT Rules, 2021. The MeitY didn’t answer an email sent by the newspaper.
Twitter spokesperson Rebecca Hahn countered Zatko’s allegations, criticising their “opportunistic timing”, and said that they “appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be”.
Claiming that Zatko was sacked for “ineffective leadership and poor performance”, Hahn said in a statement: “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”
Claiming that Twitter has tightened up security extensively since 2020, Hahn said that its security practices are within industry standards and that it has specific rules about who can access company systems.
A person familiar with Zatko’s tenure told The Post that when Twitter investigated Zatko’s security claims during his stint, it found them sensational and without merit. Four people familiar with Twitter’s efforts to fight spam said that the company deploys extensive manual and automated tools to both measure the extent of spam across the service and reduce it, the newspaper reported.
However, John Tye, Zatko’s representative at the legal organisation Whistleblower Aid, according to Bloomberg, said that he stands by everything in the disclosure. “His career of ethical and effective leadership speaks for itself. The focus should be on the facts laid out in the disclosure, not ad hominem attacks.”
In an interview with The Post, Zatko said that he decided to go public as an extension of his previous work exposing flaws in specific pieces of software and broader systemic failings in cybersecurity. He was hired at Twitter by former CEO Jack Dorsey in late 2020 after a major hack of the company’s systems. “I felt ethically bound. This is not a light step to take.”
Zatko’s most serious allegation is about how Twitter “violated” an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. He had warned his colleagues, the complaint stated, that half of Twitter’s servers were running outdated and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data.
The massive internal access to core company software by thousands of Twitter employees for years had led to the hacking of accounts of former US presidents Barack Obama and Donald Trump and Tesla CEO Elon Musk, Zatko alleged.
In addition, Twitter prioritised user growth over reducing spam, with executives standing to win individual bonuses of as much as $10 million, according to the complaint.
Zatko alleged that CEO Parag Agrawal was “lying” when he tweeted in May that the company was “strongly incentivized to detect and remove as much spam as we possibly can”.
However, Hahn claimed that Twitter removes more than a million spam accounts every day, adding up to more than 300 million per year.
In a February analysis of Twitter attached as an exhibit to the complaint, Zatko wrote: “Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.” Twitter has vast amounts of sensitive personal data, like email addresses and phone numbers, of many public figures and dissidents who communicate on the platform at great personal risk.
A former Twitter employee was convicted this month of using his position to spy on Saudi dissidents and government critics and passing their information to a close aide of crown prince Mohammed bin Salman in exchange for cash and gifts.
Senate Intelligence Committee spokeswoman Rachel Cohen said the panel is trying to set up a meeting with Zatko. “Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Iowa representative Charles E. Grassley, the top Republican on the Senate Judiciary Committee, said in a statement.
“The claims I’ve received from a Twitter whistle-blower raise serious national security concerns as well as privacy issues, and they must be investigated further,” Grassley added.
Courtesy: Newsclick