Twitter Whistleblower Peiter Zatko Has Warned of Cyber Disasters for Decades
In November 2020, Twitter Inc. co-founder Jack Dorsey picked a famed ex-hacker, Peiter Zatko, to solve some of his social-media company’s most pernicious problems: protecting user privacy and the security of its computer systems.
He emerged this week as a whistleblower after filing a complaint with federal regulators arguing that Twitter had, among other things, failed to protect the privacy of its users, and misled the public about its problems with spam and what are known as bot accounts. Twitter has broadly denied the allegations.
Spam accounts are at the heart of a continuing dispute between the company and Mr. Musk, whom the company sued in July to enforce his $44 billion takeover deal. Mr. Musk has alleged Twitter misrepresented its business, particularly as it relates to the level of spam or bot accounts, which Twitter denies.
Twitter Chief Executive Parag Agrawal, in an all-hands staff meeting Wednesday, doubled down on the company’s defense against the accusations made by its former head of security, according to people familiar with the comments. Mr. Zatko’s allegations were “technically and historically inaccurate,” Mr. Agrawal told employees, adding the company had never made material misstatements, the people said.
On Wednesday, Sens. Dick Durbin and Chuck Grassley announced plans to hold a hearing on the allegations Sept. 13, with Mr. Zatko scheduled to testify.
“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Messrs. Durbin and Grassley said in a statement.
Over the decades, Mr. Zatko transformed himself from a hacker into a respected computer-security expert with a deep understanding of the way computer networks could be attacked. He was part of a seven-person group of hackers, known as the L0pht group, who told Congress in 1998 that they could effectively shut down the internet in as little as 30 minutes.
In the 1990s, Mr. Zatko and the L0pht group hunted for bugs in software, and then worked with the software makers to fix the problems. Sometimes companies wouldn’t fix the code until Mr. Zatko and his colleagues applied pressure by making the bugs public—a practice that was controversial 25 years ago, but is now widely accepted in the software industry.
“Mudge is respected in the policy community for bringing clear explanations of what matters in tech to policy makers,” said Tarah Wheeler, the chief executive of Red Queen Dynamics Inc., a security and compliance company. “He’s ethical, careful and sees the bigger picture.”
Some former Twitter employees questioned Mr. Zatko’s leadership, saying he failed to address many of the company’s security challenges.
Nearly a decade ago—after a stint at the Defense Department’s Defense Advanced Research Projects Agency, where he helped fund cutting-edge research projects—Mr. Zatko arrived in Silicon Valley. Initially, he worked on an in-house research-and-development program at Alphabet Inc.’s Google, called the Advanced Technology and Projects group. In 2017, he was recruited by payments company Stripe Inc., where he worked as head of security until taking the job at Twitter.
Twitter had been without a security chief for nearly a year when Mr. Zatko was hired. Smaller in size than rivals such as Google, the company had a reputation in the industry for dysfunction, security executives said.
The company was facing a $150 million fine for violating a 2011 consent decree requiring it to protect user data. Just months earlier, a Florida teenager had broken into Twitter’s corporate network and gained access to a host of high-profile Twitter accounts by telephoning and tricking a company employee into granting access to its systems.
At Twitter, Mr. Zatko was in charge of the digital defense of an 11,000-person company. His portfolio included protecting the security of Twitter’s computers, the privacy of users and the physical safety of staff, according to Mr. Zatko’s whistleblower complaint. He was responsible for the company’s information-technology systems, Twitter’s content moderation and cutting down on spam and misuse of its network by automated bot software.
Mr. Zatko identified a host of security problems, many of which are outlined in his complaint. More than 50% of Twitter’s workforce was still able to access user information; much of the company’s software was out of date; and company executives were concealing the true state of the problems from Twitter’s board, the complaint states.
But despite the broad authority granted him by Mr. Dorsey, Mr. Zatko was unable to fix these problems on his own. He clashed with the company’s other top security executive, Chief Information Security Officer Rinki Sethi, according to people familiar with the issue.
Though Mr. Zatko identified the biggest security threats facing Twitter, he struggled to manage his organization and failed to get others to buy into the initiatives he wanted to give priority, one of the people said.
John Tye, founder of Whistleblower Aid, an organization that helped file the whistleblower claims, said Mr. Zatko stands by his disclosure. “He made progress on some important security issues and the disclosure lays out in detail the challenges he faced as he tried to do more. He very much views the whistleblowing process as the next step in his work to increase safety and security,” Mr. Tye said.
In his complaint, Mr. Zatko describes Mr. Dorsey as an unengaged chief executive who attended meetings “sporadically.” “In some meetings—even after he was briefed on complex corporate issues—Dorsey did not speak a word,” the complaint states.
Mr. Zatko was fired on Jan. 19, 2022, for what a Twitter spokeswoman said was “ineffective leadership and poor performance.” Attorneys for Mr. Zatko said Twitter’s claim about the reason for his termination was false. Ms. Sethi stepped down around the same time. She didn’t respond to requests for comment.
Seven months after his termination, Mr. Zatko was again talking to the public about security problems. This time, though, the company in question was his former employer.
The former hacker was back on familiar turf. “Companies do indeed want to ignore problems as long as possible,” Mr. Zatko told Congress in 1998. “It’s cheaper for them.”
—Salvador Rodriguez and Sarah E. Needleman contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com