On August 23, Washington Post published a redacted version of the complaint filed by the former head of security at Twitter. Peiter Zatko, a widely known hacker known by his nickname “Mudge,” had worked for Twitter for a long time, but his services were terminated in January 2022 owing to ‘poor performance and ineffective leadership. In his 84-page long complaint, Mudge accused Twitter of security problems, cyber-security negligence, allegedly allowing foreign government agents to get employed at the company with full access to user data, and more.
Here are the key takeaways from the complaint.
‘India had government agent inside Twitter, ‘ said the whistleblower
First, let’s talk about the accusation laid down against the Indian government. On page 38 in Section 72 of the complaint with the title ‘Penetration by Foreign Intelligence & Threats to Democracy,’ Mudge accused Twitter of allowing foreign agents to have full access to the user database.
Mudge named three countries, India, China, and Nigeria, for managing to get their hands on sensitive user information. Furthermore, Mudge claimed that Twitter’s CEO Parag, at one point, had suggested to “consider ceding to the Russian Federation’s censorship and surveillance demands” when he was CTO of the company.
As per the disclosure report, the Indian government “forced” Twitter to hire specific individuals who were government agents. These alleged agents had access to the sensitive information on Twitter “because of Twitter’s basic architectural flaws.” It reads, “Twitter’s transparency reports purported to quantify the number of government data requests from the Indian government, but the company did not, in fact, disclose to users that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll. By knowingly permitting an Indian government agent direct unsupervised access to the company’s systems and user data, Twitter executives violated the company’s articulated commitments to its users.”
In the footnote, it was mentioned that further details of the incidents, though unclear how much more information about allegations against India was provided, were submitted to the relevant agencies. Interestingly, the document did not mention when these incidents happened. Mudge came to know about the alleged incidents over the course of 2021.
It is notable that the key phrase that needs attention here is “it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll.” Was there no concrete proof of the accusations against the Indian government that the document uses the word “believe”? OpIndia tried to find more details and check additional documents provided by Washington Post in its report but could not find any.
About the specific allegation, the Washington Post read, “He [Mudge] believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country.” It further quoted an “unnamed source” on Twitter familiar with the matter who “agreed that the employee was “probably” an agent.” Again, keywords like “believed” and “probably” were used, throwing very vague allegations. Unless there is more proof in public, it is hard to believe that a company that went to extremes to stop the Indian government from getting information about the users that the Indian security agencies believe could harm the harmony and democratic processes in the country will allow such unrestricted access to a ‘govt agent’.
Furthermore, it is noteworthy that Twitter did everything to avoid hiring a compliance officer from India in accordance with the new IT laws. The Indian government had and still struggling to get rid of the anti-India elements on Twitter. The company took months to take action on legal demands by the Indian government and even sued the Indian government to skip complying with legal demands.
There have been multiple protests, some of them gone violent, in the past three years in India, which were triggered by social media posts. If, by all means, the Indian government had agents inside Twitter, it would have been easier for the security agencies to nab the anti-India elements provoking people and put a stop to the violence much before they went out of control. It is hard to digest that a government that has worked extensively to ensure a good image on the international platform let protests happen against itself even though it allegedly had so much sensitive information at its disposal.
Allegations against China and Nigeria
Further, in the same section, Mudge alleged that though Twitter was banned in China, the company accepted funds from Chinese entities. He alleged that after Twitter received money from the Chinese entities, there were concerns within the company that the information possibly provided to them would allow the Chinese agencies to “identify and learn sensitive information about Chinese users who successfully circumvented the block and other users around the world.”
“Twitter executives understood this constituted a major ethical compromise. Mr. Zatko was told that Twitter was too dependent upon the revenue stream at this point to do anything other than an attempt to increase it,” the document read.
In the case of Nigeria, Mudge alleged that despite being aware of the misinformation being spread by the Nigerian government about being in conversation with Twitter executives following the ban on the platform in the country, Twitter did not try to correct them. The inaction of Twitter led to negotiations in favour of Nigeria.
Twitter was allegedly forced to hire locals for leverage
In Section 74 of the document titled ‘Squeezing Local Staff,’ Mudge alleged that India, Nigeria, and Russia had sought and succeeded to a varied extent to “force Twitter” to hire local full-time employees that “could be used as leverage.” If the allegation is understood correctly here, Mudge is claiming that the countries where Twitter has physical offices “forced” the company to hire locals.
Mudge claimed that “There was the physical safety of the employees to consider. The threat of harm to Twitter employees was sufficient to cause Twitter to seriously consider complying with foreign government requests that Twitter would otherwise fundamentally oppose.” Basically, the complainant wants to impose the idea that in countries including India, there was a risk of physical harm to the Twitter employees thus the company bent to the “forceful hiring of the local staff.” The company that was not even ready to hire a local compliance officer was claimed to have been “arm-twisted” in hiring local employees is not something that is easy to digest, especially when the “additional documents” that the complaint disclosure talked about are not in the public domain.
The allegations over lack of security practices at Twitter
Mudge was hired by Twitter after the embarrassing situation where some of the most famous accounts were hacked, including that of former President of the US Barack Obama and then-presidential candidate Joe Biden by a teenager from Florida who ran a cryptocurrency scam on those accounts.
In his complaint, he mentioned that there was a long list of security failures at the company, including a lack of server updates, inadequately configured employees’ computers, and more. Mudge claimed that the lapses in security were in violation of a previous settlement with the Federal Trade Commission.
Furthermore, Mudge alleged Twitter claimed to care about addressing spam, but the reality is completely different. He claimed that there were no bonuses to tackle spam for the employees, but on the other hand, they could fetch bonuses up to $10 million for an increase in user base without caring if they are real users or fake accounts or bots.
The document came as a blessing for tech billionaire Elon Musk who recently said he might not buy Twitter as the company failed to give out details about the spam accounts. In a Tweet, Musk said, “Give a little Whistle,” followed by another tweet where he shared a screenshot from a WaPo report and said, “So spam prevalence *was* shared with the board, but the board chose not to disclose that to the public.”
So spam prevalence *was* shared with the board, but the board chose not disclose that to the public … pic.twitter.com/lXk48TFZL1
— Elon Musk (@elonmusk) August 23, 2022
Musk had quoted the part of WaPo’s another report on the same case that read, “Four people familiar with the company’s processes for spam detection, who like others spoke on the condition of anonymity to describe sensitive internal matters, told The Post that the company keeps several internal tallies of spam and bots — known as “prevalence” — across the service beyond the number supplied to Wall Street. The Post also obtained an internal document, which was redacted to hide the numbers, showing that “spam prevalence” was a number shared with the board. The document was supplied to the board at a meeting Zatko attended, according to two of the people.”
It is noteworthy that Mudge has categorically denied any coordination with Musk before filing the complaint. However, a lawyer at Whistleblower Aid, the law firm representing Mudge, informed WaPo that he would reply to a subpoena that, according to Musk’s lawyer Alex Spiro, had already been issued.
Poorly tracked access to user information
Mudge alleged in his complaint that he had warned his colleagues that the servers were running out of date. He further claimed that the lack of proper updates was leading to vulnerabilities in the software. He claimed that the executives withheld the facts about the number of breaches into the servers and the lack of protection of user data. Instead, they submitted “feel good” charts of unimportant changes.
He further claimed that thousands of the employees at Twitter had poorly tracked internal access to the core software, and it led to embarrassing hacks over time. He alleged that Twitter’s CEO lied in his tweet in May, where he had claimed that the company was “strongly incentivized to detect and remove as much spam as we possibly can.”
Parag’s internal letter to employees rejected allegations
After Washington Post’s reports got published, Parag sent an internal letter to the employees suggesting the allegations were false. In his letter, he said that his team was reviewing the redacted claims that have been published, “but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.”
NEW: First time Twitter CEO @paraga weighs in on whistleblower story.
— Donie O’Sullivan (@donie) August 23, 2022
Sending this message to staff this morning. pic.twitter.com/WY4TCqbA5q
He further added that the allegations do not take away from “the important work you have done and continue to do to safeguard the privacy and security of our customers and their data.” He further said, “Given the spotlight on Twitter at the moment, we can assume that we will continue to see more headlines in the coming days – this will only make our work harder. I know that all of you take a lot of pride in the work we do together and in the values that guide us. We will pursue all paths to defend our integrity as a company and set the record straight.”
While the allegations are still being reviewed by the experts, without further details and disclosures, it is hard to assess how much of the complaint is based on truth. Mudge is a reputed name in the cybersecurity sector. His work in the past has given him a cult following that would believe in anything and everything he would say. The next few weeks will be interesting, especially for Musk, who has a hearing scheduled in October this year in the matter related to the acquisition of Twitter.
