For anyone who has felt the many frustrations of being on Twitter, from the relentless hostility to the adolescent cliques, a new set of leaks from Twitter’s former head of security should offer some consolation: at least you don’t work there. The documents, released by Peiter “Mudge” Zatko and obtained by the Washington Post and CNN, portray a terrifyingly dysfunctional state of affairs at the company largely responsible for administering online public discourse.
Zatko’s documents and testimony allege, among many other charges, that Twitter’s executives repeatedly misled its own board, to say nothing of the public, about the security of its own platform, insisting it was safe when in fact it was compromised to a terrifying degree. He alleges Twitter could not rein in bot traffic and underestimated it, the very charge Elon Musk cited as cause for breaking off his acquisition. Zatko also claimed Twitter gave into pressure from India to hire an agent of the Indian government and give them access to sensitive data, as well as giving information to the Chinese government that could have endangered Twitter users in China.
Twitter fired Zatko in January, and the company has tried to dismiss his account as the griping of an embittered ex-employee. But Zatko’s strong security pedigree and the hundreds of pages of internal documents he has provided give quite a bit of credibility to his account. Even should Zatko’s claims of Twitter being compromised by foreign agents prove inflated, his portrait of Twitter’s internal workings is so troubling that it puts into question whether Twitter in its current incarnation should be trusted with its massive authority over public discourse.
In particular, Zatko leaked a scathing external review (conducted sometime after 2020, according to sources, by the Alethea Group) of Twitter’s Site Integrity team, tasked with combatting platform manipulation and misinformation. The report found that the team lacked authority both to fix problems and find solutions, and worse, that they were focused more on enforcing policy than detecting and mitigating threats. The rest of the report depicts the teams and Twitter more generally as understaffed, disorganised, burnt out, and incapable of learning from their mistakes.
Worse yet, Zatko’s February 2022 document on Twitter security, written after he was fired, does not read like the bitter ravings of a crackpot but as a blunt assessment of technical and operational security by a man with high but not unreasonable standards. According to Zatko, around half of Twitter’s machines (servers and workstations both) run outdated, unpatched software, and Twitter has no organised plan to get them into compliance. Zatko alleges many security incidents, faulty access control over Twitter’s systems, and overall gross negligence. Moreover, he contends that none of these issues were presented honestly to Twitter’s board. He concludes, convincingly, that: “Regulators, when evaluating Twitter, will identify these as systemic issues.”
To put things into perspective: I was a software engineer for over a decade at Google and Microsoft, and saw both the good and bad of what these titans do internally. What I can say is that despite flaws, mistakes, and scandals, neither company ever allowed their operational security to fall anywhere close the level depicted in these documents. Unless Zatko is fabricating information out of thin air, his assessments raise serious questions about Twitter’s basic competence and render all judgments made by the company inherently suspect.
Neither Twitter nor Zatko’s positions should be taken at face value, and the politics of the situation will likely prove to be more complicated than they initially appear. Twitter’s value as a disseminator of information is only matched by its lack of profitability, putting it in a painful position of being set upon by all sides while lacking the resources to do much about it.
If nothing else, however, Zatko’s revelations offer a new explanation for Musk’s attempt to back out of his purchase of the company, as well as the strangely anodyne rationale he gave for the move: that Twitter had lied about its bot traffic. If Musk’s reasons were actually Zatko’s, he couldn’t have stated them. But he, or any sane person, would have had every reason not to want to end up with the hot potato that Twitter now seems to be.