Twitter whistleblower raises security concerns

A former security chief for Twitter has turned whistleblower and testified that the company misled users and US regulators about gaps in its security.

Peiter Zatko also claimed that Twitter underestimated how many fake and spam accounts are on its platform.

The accusations could affect a legal battle between Twitter and billionaire Elon Musk, who is trying to cancel his $44bn (£37bn) deal to buy the company.

Twitter says Mr Zatko's allegations are inaccurate and inconsistent.

It says he was sacked in January for ineffective leadership and poor performance.

In Mr Zatko's damning revelations, first revealed by CNN and The Washington Post, he accused Twitter of failing to maintain stringent security practices and "lying about bots to Elon Musk".

He filed his complaint with the Securities and Exchange Commission in July. The BBC has seen a redacted copy of the complaint shared via CBS news.

In it, Mr Zatko also criticised the way in which Twitter handled sensitive information and claimed that it has failed to accurately report some of these matters to US regulators.

Twitter has faced a number of high profile hacks with Barack Obama, Joe Biden and Kanye West all targeted.

Among his concerns Mr Zatko alleges that Twitter suffered from an usually high rate of security incidents - "approximately one security incident each week serious enough that Twitter was required to report it to regulators".

He said that so-called insider threats - security risks posed by people with malicious intent from within the company - went "virtually unmonitored".

The former security chief revealed his concern about how Twitter handled data, alleging that too many employees had access to sensitive systems and user data.

He worried that the company had no workable disaster recovery plan, and claimed that in the past, Twitter had failed to properly delete the data of people who cancelled their accounts.

Why did Musk get cold feet on Twitter?

On fake and spam accounts, he said that "deliberate ignorance was the norm" at the tech company, and accused Twitter executives of having little incentive to accurately identify how many there really are on its platform.

However, in the view of The Washington Post, he "provides little hard evidence" to back up these assertions.

Nevertheless, Elon Musk's lawyers have jumped on the comments. His legal team are currently trying to get the Tesla boss out of the deal, by arguing that Twitter has no way of verifying how many of its 229 million daily active users were actually human.

Following the publication of Mr Zatko's revelations, Mr Musk tweeted screenshots of The Washington Post's story, and tweeted an image carrying the phrase "give a little whistle".

Mr Zatko's lawyer told CNN that his client started the whistleblowing process before the takeover bid became public, and had not made contact with Elon Musk.

However one of Elon Musk's lawyers, Alex Spiro, told CNN that Mr Zatko had been subpoenaed to be a potential witness.

A former hacker, Peiter Zatko is a well-known figure in computer security circles.

Nicknamed Mudge, he was a member of computer security think-tank L0pht (pronounced "loft"), and took part in congressional hearings on cyber-security in 1998.

He has also held senior positions with Google and the US government's research and development agency, DARPA.

A Twitter spokesperson said: "What we've seen so far is a false narrative about Twitter and our privacy and data-security practices that is riddled with inconsistencies and inaccuracies and lacks important context.

"Mr Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders.

"Security and privacy have long been company-wide priorities at Twitter and will continue to be."

John Tye, of Whistleblower Aid, which is assisting Pieter Zatko, described him as a "hero" and called on agencies to investigate the allegations quickly.

SOURCE: BBC