DATA POLITICS
Twitter’s whistleblower problem & Elon Musk
Elon Musk points at Twitter's cybersecurity vulnerabilities to cancel $44 bn buyout-deal.
Kamayani
September 21, 2022
Elon Musk has cited whistleblower allegations of widespread negligence on cybersecurity and privacy practices as a justification for terminating the merger agreement of the Twitter buyout, as he further seeks to delay the trial at the Delaware court. In addition to his allegation that Twitter lied about bots, Musk aims to capitalize on these negotiations by using evidence of misdeeds presented by Peiter Zatko, the former head of security at Twitter, and has issued a subpoena to that effect to make his case stronger. This puts Zatko’s complaints at the center of the legal battle Musk has waged against Twitter after he attempted to buy the company and then backed out of the deal altogether.
Zatko’s complaints concern the company's continued lax attitude towards cybersecurity practices and user privacy protection. The beginnings can be traced back to the summer hack of 2020, when a 17-year-old gained access to several high-profile accounts and exposed the platform's vulnerability to data breaches, disinformation, and political & foreign interference, thereby compromising user safety. Twitter decided to take action to fix its sloppy security practices by hiring Peiter Zatko, a legend in cybersecurity, in 2020. In January 2022, Zatko was dismissed due to ‘poor performance & inefficient leadership’ and leaked an 84-page document to the press and the government alleging that Twitter has persistently failed to fix the very problem he was hired for, and that the company lacks both the motivation & ability to protect users from harmful security breaches.
In critiquing the very architecture of the company, Zatko argues that Twitter is extremely sloppy in its basic cybersecurity practices. Too many employees have access to critical core systems that harbor troves of sensitive user data. Users do not have updated security patches and servers continue to operate on obsolete and vulnerable software. Consequently, information is rarely stored properly and becomes vulnerable to cyber attacks.
These problems are not new and were addressed in the 2011 FTC order that required the company to implement security protocols to protect users, which Twitter allegedly grossly failed to comply with. In doing so, the company may have made 32 million users vulnerable to data privacy & security breaches. It has now invited scrutiny from both the FTC and EU data protection authorities for misleading institutions, investors, and regulatory bodies. If found guilty, Twitter can expect heavy fines for violating orders.
Amongst his more serious allegations is that Twitter has been weaponised by foreign intelligence. Twitter knowingly employed Indian government agents on its payroll, and with the gaping deficiencies in its security ecosystem, the easy access government actors have to user data could be misused to target minorities, rival institutions and activists amongst others. Twitter executives knew about previous instances of foreign infiltration but failed to take action against it. Twitter challenged this, stating that allegations are overstated and at least in the case of India, the company operates in accordance with the law.
Zatko’s complaints also confirm that the discourse on mDAUs and the number of bots on the platform hinges on slippery grounds and that company executives are wary of disclosing true figures due to fears of ‘negative valuation.’ So far, Twitter has refuted most claims, asserting that a false narrative without proper context is being painted regarding its platform safety systems. It has defended its security defenses and bot numbers and asserted that Musk has no right to exit from the deal.
For Musk, these claims may bolster his accusations as he subpoenas Zatko and attempts to break away from the deal. However, they may also reflect improper due diligence on his part before committing to the deal publicly. Regardless of whether the deal is a success for either party, the complaints point to a much larger security & corporate governance issue at Twitter, and Musk expresses little desire to revamp the business, leaving a question mark on what that means for the company’s platform integrity.
Kamayani has recently graduated with a Master's in International Affairs & Public Policy from the National University of Singapore. She is currently helping build a tech start-up and has previously worked in the non-profit industry on diverse social impact projects in the areas of gender, healthcare, nutrition, and education.