The Washington Post on Peiter ‘Mudge’ Zatko’s Whistleblower Report on Twitter Security

Joseph Menn, Elizabeth Dwoskin and Cat Zakrzewski, reporting for The Washington Post, which received the same redacted copy of Zatko’s whistleblower report that CNN did. The Post has published copies of the original redacted documents as webpage-embedded PDFs, too. From their story:

Overall, Zatko wrote in a February analysis for the company attached as an exhibit to the SEC complaint, “Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”

Zatko’s complaint says strong security should have been much more important to Twitter, which holds vast amounts of sensitive personal data about users. Twitter has the email addresses and phone numbers of many public figures, as well as dissidents who communicate over the service at great personal risk.

Remember too that Twitter DMs are not end-to-end encrypted. They are stored on Twitter’s servers in a form that Twitter can read. The phone numbers and email addresses of anonymous dissidents are very sensitive, but I’d argue that the contents of DMs are the most sensitive information Twitter holds.

You should never put anything in a Twitter DM that you wouldn’t print on a postcard sent in the mail. But we all do it, to some extent. But without question, many Twitter users put incredibly sensitive information into DMs. (I welcome DMs on Twitter, but if the contents are truly sensitive, I encourage readers to contact me via Signal.)

This month, an ex-Twitter employee was convicted of using his position at the company to spy on Saudi dissidents and government critics, passing their information to a close aide of Crown Prince Mohammed bin Salman in exchange for cash and gifts.

Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.

I don’t think there’s any way to overstate how damning Zatko’s allegations are. He describes a criminally corrupt company and board.
