
Senior Twitter executives deceived regulators — and the company’s own board — about lax security standards and its efforts to fight spam bots, according to an SEC complaint filed by the social network’s former head of security.

Twitter fired Peiter “Mudge” Zatko in January 2022, a little more than a year after he was hired in November 2020 as head of security. The exec claims his termination was in retaliation for his refusal to stay quiet about the company’s vulnerabilities.

Last month, Zatko filed a complaint with the SEC accusing Twitter of misleading shareholders, alleging it failed to disclose “extreme, egregious deficiencies” in its security practices to investors. He also alleged in an FTC complaint that the company violated a 2010 agreement with the agency to protect user data.

The allegations have implications for Elon Musk’s current legal battle with Twitter. The billionaire is now trying to back out of his $44 billion deal to buy Twitter, alleging in large part that the company misled him about the scale of bots and fake accounts on the service. Lawyers for Musk have issued subpoenas for Twitter documents from former execs, including co-founder Jack Dorsey, hoping to unearth evidence that the company understated the problem of spam bots and fake accounts, which Twitter has for years said represent less than 5% of its reported user base.

In a statement, Twitter said Zatko was fired for “ineffective leadership and poor performance.”

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” a Twitter rep said in a statement. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Zatko’s complaints were first reported Tuesday by CNN and the Washington Post.

Among Zatko’s allegations: Twitter gives about half its employees access to users’ sensitive personal data (like phone numbers) and internal systems, and about four out of 10 devices used by Twitter employees fail to meet basic security standards.

Regarding Twitter’s claim that less than 5% of active users are spam bots or fake accounts, Zatko alleged that the way the company reports that estimate is deliberately misleading because it is expressed as a share of Twitter’s monetizable daily active users (mDAU) rather than as a percentage of the total number of accounts on the platform. He also asserted that Twitter executives have a financial incentive to boost user counts, with bonuses of up to $10 million, while they aren’t rewarded for eliminating spam bots.

Moreover, according to Zatko’s allegations, the U.S. government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees was “working for another government’s intelligence service,” as reported by CNN.

Zatko’s FTC complaint claimed that Twitter has repeatedly made “false and misleading statements” to users and the agency, in violation of the 2010 agreement, which settled FTC charges that “serious lapses in the company’s data security” had “allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information.” Separately, in May 2022, Twitter paid a $150 million fine to settle allegations that it used phone numbers and email addresses that users had supplied for account security purposes (such as two-factor authentication) to let advertisers target specific users, without informing users of the practice.