Twitter’s Former Security Boss Drops Stunning Whistleblower Report
from the another-day,-another-crisis dept
Both CNN and the Washington Post are running stories today about Peiter Zatko, better known as Mudge, filing whistleblower reports on Twitter’s security practices, including a few shocking claims. Twitter is denying many of the claims and, frankly, at this point it’s difficult to tell who’s correct. However, I will note that Mudge is widely respected in security circles, and much of his initial claim to fame was about finding security vulnerabilities — and part of the reason Jack Dorsey brought him in to Twitter was this history of doing whatever necessary to fix security holes. That said, Twitter is insisting that Mudge didn’t understand how its systems worked, and is misrepresenting things. Of course, there’s also the Elon Musk aspect of this that complicates matters as well.
Mudge only worked at Twitter for a little over a year — hired by Jack Dorsey in late 2020. Dorsey stepped down a year later, at which point Parag Agrawal took over. In January of this year, Agrawal abruptly fired Mudge, which raised many eyebrows in the security community (though the team still includes some top security folks).
First, though, you can read the (redacted) whistleblower reports he filed: the main one; a third-party report commissioned by Mudge to assess how the company deals with misinformation; and a final report prepared by Mudge for the board after he was fired, outlining all the security problems he saw at Twitter.
Plenty of attention is going to get paid to Mudge effectively trying to take Elon Musk’s side in the “bot or not” debate, but reading through his whistleblowing document, it actually appears to confirm Twitter’s underlying claims, and undermine Musk’s (even as Mudge claims otherwise). That topic is complicated enough that I will be doing a separate follow-up post to address just that, and therefore won’t address it further in this post.
Let’s do a lightning round on some of the other issues raised in the report, some of which may require deeper follow-up later, as more details become clear.
Did Twitter violate its FTC consent decree? As you’re probably aware, by now basically every big internet company has a consent decree with the FTC following some sort of egregious security breach from a while back, promising to do better. It’s likely that nearly all big tech companies are somehow violating their consent decree, in part because security is fucking hard and some of the elements of the consent decree are probably close to impossible to comply with. But still… it’s not great.
In Facebook’s case, you’ll recall, the giant $5 billion fine in 2019 was really about violating its earlier consent decree. The press mostly claimed it was about Cambridge Analytica, but if you read the actual details, that was only a sideshow, and the fine was really for violating the earlier consent decree.
And that was in 2019, before the current FTC got a lot more aggressive towards internet companies. To me, this is the real biggest issue, even though it will probably get the least amount of media coverage. Already, earlier this year, the FTC hit Twitter with a $150 million fine for using its two-factor identity info for marketing (something that Facebook also got dinged for in 2019). This was a really bad security practice and it’s good that the FTC hit the company for it, but Mudge is now alleging that Twitter violated the consent decree in other ways.
The FTC is almost certainly going to investigate further now, and if it can show that Twitter violated the consent decree even more (which would not surprise me at all), the company could be on the hook for a decently large fine (conceivably even one that might cancel out any breakup fee that Musk might be forced to pay — assuming he is forced to pay such a fine).
For its part, Twitter strenuously denies this portion of Mudge’s claims, and says he doesn’t understand their responsibilities under the decree. That’s… quite possible? But, at this point, it’s unclear who’s right. I’m pretty sure we’ll find out eventually though — especially if Mudge is correct.
Twitter’s messy security infrastructure: Throughout the whistleblowing report, Mudge highlights many, many problems with Twitter’s infrastructure, and some of the security and uptime risks it created. Much of what Mudge reports on this is… quite believable — especially for anyone who has followed Twitter over the years. It’s also, frankly, not all that different from many internet companies that experienced rapid scaling in the last decade and a half. Outside of the biggest tech companies (Google, Meta/Facebook, Amazon, and Apple — each of which I guarantee has its own security issues, though often of a different nature, and each of which has a much more developed security process), I would guess most of what’s in Mudge’s report rings true at basically every other decently large internet company.
That’s not an excuse, and one hopes that whistleblowing like this gets more of these companies to recognize that they need better processes and security in place. And the claim that Twitter doesn’t log which engineers had access to which data is… kinda frightening. That seems like a basic thing that an organization of that size should have control over:
It was at this point when he learned that it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did. When Mudge asked what could be done to protect the integrity and stability of the service from a rogue or disgruntled engineer during this heightened period of risk he learned it was basically nothing. There were no logs, nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.
Yikes? I mean, that kind of logging feels like a pretty basic thing.
That said, some former Twitter engineers who worked with Mudge seem to be calling into question some of these claims. For example, Mudge’s report claims that there were server vulnerabilities, with many of the machines in Twitter’s data center having non-compliant kernels or operating systems, and that many were unable to support encryption of the stored data (“encryption at rest”). However, a former Twitter engineer, Ian Brown, who worked on these issues, claims that Mudge was actually the one who deprioritized updating these very things.
Brown also claims that Mudge wanted him to send kernel and OS reports to “a rando buddy of his in Texas” and that Brown thought it was “an obvious phishing attempt.” I’ve seen multiple other engineers (some former Twitter engineers, some elsewhere) suggesting that it’s kind of weird for Mudge to be calling out the stuff he was apparently hired to fix, as in some ways it could be read to be an admission that he was unable to do the job he was hired to do.
Again, though, Mudge has quite the reputation, and is well respected among tons of people I know and trust. And, many of these revelations do seem like serious problems within Twitter. The bigger issue is whether or not any of them create any kind of legal issues, and that seems a lot less clear.
Serious claims of foreign intelligence threats: You may recall that, back in 2019, the DOJ charged two former Twitter employees with spying for the Saudi Arabian government. Just a couple weeks ago a jury convicted one of those employees of fraud, conspiracy, obstruction and foreign agent charges. In his whistleblower report, Mudge claims that this is still happening at Twitter, and that the poor security engineering means that it’s easy for government spies to get access to all sorts of data they shouldn’t.
The details of these claims, though, are a bit more difficult to work out. Mudge notes that the US government did recently (right before he was fired) notify the company that “one or more particular company employees were working on behalf of another particular foreign intelligence agency.” That alone seems frightening.
It certainly does seem that, following the situation with Saudi Arabia, Twitter should have done much more to avoid a repeat. Mudge certainly suggests that little was actually done to prevent this kind of thing from happening again.
That said, the details he provides are… not entirely convincing. The one that is getting the most attention is the claim that Twitter has an agent of the Indian government on payroll. Here’s what the report says:
The Indian government forced Twitter to hire specific individual(s) who were government agents, who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data. Twitter’s transparency reports purported to quantify the number of government data requests from the Indian government, but the company did not in fact disclose that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll. By knowingly permitting an Indian government agent direct unsupervised access to the company’s systems and user data, Twitter executives violated the company’s articulated commitments to its users.
So, that seems really bad. And it would be useful if there were a lot more details. The hiring of a specific individual sounds like part of the implementation of India’s Information Technology Rules, 2021. These rules are terrible and dangerous, as we’ve discussed over the past couple of years. Many of the rules appear to have been written with Twitter in mind, after the company refused to take down content critical of the government. In response, the government initially threatened to jail Twitter employees. Perhaps realizing that this might lead the company to remove all employees from India, part of the IT Rules was that social media companies of a certain size operating in India had to appoint local people, in India, to take on certain roles:
- Appoint a Chief Compliance Officer who shall be responsible for ensuring compliance with the Act and Rules. Such a person should be a resident in India.
- Appoint a Nodal Contact Person for 24×7 coordination with law enforcement agencies. Such a person shall be a resident in India.
- Appoint a Resident Grievance Officer who shall perform the functions mentioned under Grievance Redressal Mechanism. Such a person shall be a resident in India.
Most people read this as forcing Twitter to hire sacrificial lambs that the government could jail if it was unhappy with whatever the company was doing. And any such potential employee would almost certainly recognize that as well, likely limiting their interest in taking the job.
As such, perhaps it was inevitable that anyone who would take those jobs would somehow be connected to the government itself.
That doesn’t excuse it, if it’s actually the case. But all of it does put Twitter in an incredibly awkward position if it wants to remain in business in India, one of the company’s largest markets (and also one where a local upstart competitor, which is almost a direct clone of Twitter, has been making headway). Now, in theory, Twitter could just hire that person and not give them access to anything, but that would likely create other problems as well, including having to explain why there’s a Chief Compliance Officer with no access to data to make sure compliance is happening.
That said, remember that Twitter recently sued the Indian government over some of these rules, challenging their constitutionality. Also, Elon Musk has made it an issue in his legal dispute with Twitter, worrying not about the laws or anything similar to what Mudge raised, but rather how Twitter pushing back on India might endanger one of Twitter’s key markets.
All that is to say, this shit is complicated. Obviously, Twitter should not be allowing government agents access to its data. There’s no excuse for that. In an ideal world, Twitter would note that the new regulations make it untenable to exist in India and pull out entirely. But, of course, doing so would crash the company’s stock and take away a decent source of revenue, challenging Twitter’s ongoing financial viability.
The other country concerns raised by Mudge seem less directly serious, and basically detail the very fraught current global environment in which various countries are leaning very hard on every big internet company to do things for them, and every company is facing real challenges in trying to navigate how to stay operating in those countries without violating privacy rights or fundamental values. Mudge talks about China, Russia, and Nigeria, but all of them appear to be about internal discussions on how to balance different issues, and the harm is much more speculative than real (in fact, with regards to Russia, Mudge admits that Twitter chose not to agree to Russia’s censorship and surveillance demands). On Nigeria, the only complaint was that, when the country blocked Twitter, government officials claimed they were negotiating with Twitter execs, which apparently wasn’t true. I’m not sure how much that matters. Just a couple weeks ago, by the way, a court ruled that the Nigerian ban on Twitter was unlawful.
Once again, there is context involved in all of this and Mudge’s report highlights some very clear problems, but also just how fraught and difficult many of these decisions are. And part of it sounds like Mudge wanted the company to take certain stands, and other execs came down differently on the tradeoffs. Personally, I probably agree with where Mudge comes down, and think that Twitter needs to take a hard line on many of these issues and not give in. But I also recognize that it’s not me who has fiduciary duties to shareholders and other constituents as well.
Fraud: This section is heavily redacted, so it’s difficult to tell what’s going on. Mudge appears to accuse Parag Agrawal of presenting misleading information to the Board regarding the company’s security. However, with all the redactions it is difficult to look at the details and determine how credible they are.
Again, though, if this proves accurate, that could be a lot of trouble for Twitter (and Agrawal directly).
Mudge more or less claims that he was fired for calling out the inaccuracies that were presented to the board, though again most of the details are redacted.
All in all, the whistleblowing report appears to have some pretty clear and quite credible claims of very poor security practices within the company. That isn’t necessarily a huge surprise. Though if it turns out that those security practices amount to a failure to comply with the FTC’s consent decree, the company is in for a world of hurt and probably a pretty massive fine. Especially if it comes out that the company misled the FTC about that.
There are other parts of the report that seem somewhat less interesting, and are presented without context or in a one-sided (and potentially misleading) way. That said, I’d still say that the report is pretty damning overall and it’s probably not a very good day inside Twitter, especially as they’re still fighting Elon Musk. And… I’ll close this post here, but stay tuned for a follow-up post focused just on the bot/spam stuff and how it impacts the legal fight with Musk (as a preview, again, I think Mudge’s claims here, while framed in a manner to look like they support Musk, actually do the opposite).