Whistleblower’s allegations could mean trouble for Twitter

Note: This was originally published as the daily newsletter for the Columbia Journalism Review, where I am the chief digital writer

On Tuesday, the Washington Post and CNN simultaneously published stories alleging that Parag Agrawal, the CEO of Twitter, and other senior executives deliberately misled federal regulators about how secure the company’s operations were, and also that these executives gave foreign agents access to the Twitter data of individual users. The allegations came from Peiter Zatko, the former head of security at Twitter, in a lengthy document that was shared with both the Post and CNN. The document was also sent to several members of Congress, the Federal Trade Commission, the Securities and Exchange Commission, the Justice Department, and the Senate Intelligence Committee. The Post says the complaint “depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users, including government agencies, heads of state, and other influential public figures.”

Rebecca Hahn, a Twitter spokesperson, told the Post that Zatko was fired after 15 months, for “poor performance and leadership,” and that his allegations were “riddled with inaccuracies.” She added that Twitter has tightened up its security processes since 2020, and that it also has rules about who can access company systems and data. Hahn said that Twitter removes more than a million spam accounts every day, and that the company “fully stands by” its SEC filings. According to the Post‘s report, “a person familiar with Zatko’s tenure said the company investigated Zatko’s security claims during his time there and concluded they were sensationalistic and without merit.” Zatko is being represented by Whistleblower Aid, the same nonprofit legal organization that represented Frances Haugen, the former Facebook staffer turned whistleblower. In an interview with the Post, Zatko said he “felt ethically bound” to blow the whistle on Twitter because of the potential security implications of the company’s behavior.

According to CNN’s report, Zatko, 51, is a well-respected hacker and security expert who “led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet” before he joined Twitter. The Post says that by the time he was 30, Zatko had “written one of the most powerful tools for cracking passwords, testified to Congress under his hacker handle about the susceptibility of the internet to drastic hacks, and co-founded one of the first hacking consultancies backed by venture capital.” Jack Dorsey, the co-founder and former CEO of Twitter, hired Zatko in late 2020 after a hacker gained access to the Twitter accounts of famous users such as Barack Obama.

Zatko’s allegations cover a wide range of behavior, from under-counting spam—the same kind of accusation that is at the core of Elon Musk’s ongoing legal battles over his $45 billion acquisition of the company—to “negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil and/or censor the company’s platform.” Casey Newton writes in his technology newsletter, Platformer, that the complaints “go on for dozens of pages, and have a kitchen-sink quality reminiscent of a jilted husband suing for custody of a child.” On the topic of Zatko’s credibility, Newton writes that some people he knows “deeply respect and trust him, and many of them tweeted tributes to him,” but others had a lesser opinion of him, and some of those tweeted their thoughts as well (a Twitter staffer who worked with Zatko told the Post: “he’s a total savant, but also a bit of a bull in a china shop”).

Newton argues that Zatko’s allegations fall into several categories, including plausible, worrisome, and wrong. The fact that Twitter’s security seems lax is believable, Newton says, given other events such as the accidental suspension of Dorsey’s Twitter account in 2016, and the contractor who briefly disabled Trump’s account in 2017. One thing Newton questions, however, is whether the “foreign agents” in India that Zatko refers to are just the local Twitter employees required by the country’s new information laws. “If Zatko’s ‘agent’ is just the legally required grievance officer that Twitter and every other platform like it is required to have, it would significantly damage the credibility of his allegations,” Newton writes. The details of those and other accusations are likely to come out during investigations by the Senate Intelligence Committee or other hearings with Senate and House representatives, which are already in the works.

Given the similarities between Zatko’s complaint that the company doesn’t properly count spam and bots, and Musk’s lawsuit alleging something similar, much of the speculation following the release of Zatko’s document has focused on whether it will help Musk’s case or not. Matt Levine argues in his Bloomberg column that it probably will not. The central issue in the Musk case, he says, “is whether Twitter has been lying in its securities filings when it says that it estimates that fewer than 5% of its ‘monetizable daily active users’ are spam or bot accounts. And Zatko is pretty unambiguous that, no, Twitter’s numbers are correct.” Zatko’s complaint is that Twitter doesn’t discuss how many spam and bot accounts there are outside of the “monetizable daily active users” figure, whereas Musk is arguing there are too many accounts like that inside the estimate of MDAU.

One potentially serious implication of Zatko’s whistleblowing is that Twitter could be found to be in breach of an FTC consent order it agreed to in 2011, after accusations that it mishandled users’ private information, and allowed too many employees to have access to Twitter’s controls. Under the order, Twitter promised to create and maintain “a comprehensive information security program.” Zatko alleges that the company has never been in full compliance with the order, which could lead to a significant fine if the FTC agrees. That would be yet another blow for the company. As Issie Lapowsky of Protocol wrote: “Twitter employees have already been through the wringer over the last year: The CEO switch. The on-again, off-again takeover bid by the platform’s biggest, richest troll. Executive firings. The mass staff exodus.” As the company tries to defend itself against Zatko’s accusations, she says, “the worst may be yet to come.”

Here’s more on Twitter:

Attack template: Nirit Weiss-Blatt, a researcher and former fellow at the University of Southern California’s Annenberg School for Communication, wrote for Tech Policy Press about how Twitter’s response to Zatko’s accusations and Meta’s response to Frances Haugen’s both follow a “template for attacking whistleblowers.” This template, Weiss-Blatt argues, has five key elements, among them: claiming the whistleblower is pushing a “false narrative” and the documents are taken out of context; suggesting it is frustrating to read accusations that distract from the company’s “important work”; and delegitimizing and discrediting the former employee turned whistleblower.

Next steps: Frank Pallone Jr., the Democratic congressman from New Jersey and chair of the House Energy and Commerce Committee, and Cathy McMorris Rodgers, a member of Congress from Washington and the top Republican on the committee, said in a joint statement that if the whistleblower’s allegations are true, they “reaffirm” the need for Congress to pass consumer privacy legislation to safeguard Americans’ data, the Post reported. “Richard Blumenthal, the Democratic senator from Connecticut and head of the Senate Commerce panel focused on consumer protection, wrote a letter Tuesday to the Federal Trade Commission, calling for the agency to investigate Zatko’s claims and bring enforcement actions, including fines, against Twitter if appropriate.”

Health products: Twitter is combining the team that works on reducing toxic content and the team that deals with spam bots, according to a staff memo sent Tuesday that was seen by Reuters. “The social media company will combine its health experience team, which works on reducing misinformation and harmful content, with the Twitter service team, which is responsible for reviewing profiles that users report and taking down spam accounts,” the wire service reported. “The new group will be called Health Products and Services (HPS), according to the email to employees.”

Uncertainty: Twitter recently warned its employees that they might receive only half of their typical annual bonuses this year, as the social media company grapples with economic uncertainty, the New York Times reported. “Twitter, which is fighting a legal battle to complete a $44 billion sale to Elon Musk, made the announcement in an email to employees and blamed its financial performance for the potential bonus cut,” the paper wrote. “When the company reported quarterly earnings last month, its revenue declined for the first time since 2020 and it swung to a net loss.”

Other notable stories:

Emily Maitlis, a former host of Newsnight on the BBC, called a BBC board member an “active agent of the Conservative party,” who is trying to shape the broadcaster’s news output by acting “as the arbiter of BBC impartiality,” according to The Guardian. Maitlis made the comments about Sir Robbie Gibb, who was appointed to the BBC’s board last year by Boris Johnson, and previously worked as director of communications for Theresa May, the former leader of the Conservative party and a former prime minister. Gibb also helped to found the rightwing GB News channel.

Researchers at the Stanford Internet Observatory collaborated with Graphika to analyze a large network of accounts that were removed from Facebook, Instagram, and Twitter for violating the terms of service of those platforms. It was an organized operation that the Observatory says likely originated in the United States and targeted a range of countries in the Middle East and Central Asia. “Our joint investigation found an interconnected web of accounts on Twitter, Facebook, Instagram, and five other social media platforms that used deceptive tactics to promote pro-Western narratives,” the report states.

Jigsaw and YouTube are planning to distribute a series of video ads in Poland, Slovakia, and Czechia that are designed to help people identify and refute derogatory tropes about migrants, Protocol reported. “The campaign, which will run for a month across several social media platforms, including YouTube, is expected to garner at least 55 million impressions — roughly equal to the population of those three countries combined,” Issie Lapowsky wrote. “But the videos are more than just a marketing push to burnish YouTube’s reputation. They’re part of a years-long research project at Jigsaw on the efficacy of using video to ‘inoculate’ people against misinformation on social media.”

Dan Misener, co-founder of a podcast marketing company, analyzed all of the episodes of all the podcasts that Spotify recommends on various top 100 and other lists, and then used those to generate more recommendations, until he had hundreds of thousands of recommendations. Looking at the most popular showed an unsurprising tendency to suggest Spotify originals, but Misener also found that among the top recommendations are shows that play soothing music designed to help listeners relax. This phenomenon “may be a contributing factor to the success of so-called ‘white noise podcasters,’ a trend identified by Ashley Carman in June 2022,” he wrote.

Twitter has restored the account belonging to David M. Stone, a senior adviser to the president of Columbia University who wrote for CJR recently about having his account suspended after he tweeted about the executions of Julius and Ethel Rosenberg in the context of the FBI search of Trump’s residence at Mar-A-Lago. According to the note Stone received from Twitter, Stone was guilty of “abuse and targeted harassment.” After he wrote the piece, Stone says he got a note from the company saying his account had been restored and “it looks like we made an error.”

Capitol Music Group said Tuesday it has dropped FN Meka, a virtual “robot rapper” powered partly by artificial intelligence, who has more than 10 million followers on TikTok, the New York Times reported. “The company had previously teased the project—the first augmented reality artist to sign to a major label, it said—as ‘just a preview of what’s to come,’” the Times wrote. “Yet after growing backlash to what skeptical observers said amounted to digital blackface—including content that seemed to trivialize incarceration and police brutality—Capitol said it had severed ties with the FN Meka project.”

iHeartMedia, the radio-station conglomerate, says it has launched a virtual music venue called iHeartLand that is part of Fortnite, a massively multiplayer video game, according to The Hollywood Reporter. iHeartMedia announced plans earlier this year to launch its own branded virtual worlds on platforms like Roblox, another popular multiplayer video game, as part of the radio giant’s larger “Web3” strategy. “Wednesday’s launch of iHeartLand in Fortnite marks the first unveiling of iHeartMedia’s virtual world and will serve as the testing ground for future iterations of iHeartLand on other world-building games,” executives told The Hollywood Reporter.
