Twitter’s Ex-Security Chief Claims That Spies from China and India Are Working for the Company

Former head of Twitter security Peiter Zatko testified in the US Senate and said that spies from China and India work on Twitter, and Twitter security problems threaten US national security.

The scandal surrounding the statements of Peiter Zatko (Peiter “Mudge” Zatko) began at the end of August this year. Then Zatko, who served as Twitter’s head of security from November 2020 to January 2022, went to the US government and filed a massive 84-page report with Congress detailing how badly he thought Twitter’s security situation was.

Let me remind you that we also reported that India Threatens Arrests to Facebook, WhatsApp and Twitter Employees, and also that Attacker Put Up for Sale the Data of 5.4 million Twitter Users.

Zatko’s statements made a splash, they were written about by the leading American media, including CNN and the Washington Post, and Twitter, around which a lot of attention is already focused because of the deal with Elon Musk, was again at the center of the scandal.

The fact is that Zatko’s revelations were practically not questioned at once for several reasons. First, he has a long and well-deserved reputation as a whitehat and ethical hacker, and has worked with the US government on many cybersecurity projects (and his wife is a former NSA employee).

Secondly, the decline in the quality of moderation on Twitter in recent months has been noticed by almost everyone. The company appears to be struggling with massive disinformation campaigns, bots, and various abuses. And many, like Zatko, believe things have taken a turn for the worse since Parag Agrawal was named Twitter CEO in November 2021.

For example, Transparency Center Twitter hasn’t posted any new reports since December last year. And the new approach to moderating messages and handling complaints has led to the fact that the platform does not even respond to death threats, calls for genocide and fraud. The issue was covered by CBS News over the summer, after US Vice President Kamala Harris received threats and insults from thousands of Twitter accounts, but no blocking or proceedings followed.

The main theses in Zatko’s report submitted to Congress are the following:

1. Twitter has no normal access control, no test environment, and most engineers have constant access to the production environment and user data.
2. Twitter does not keep logs of what engineers change in the production environment, the history of accesses.
3. About half of Twitter’s 500,000 servers run outdated software that lacks even basic security features (including data encryption) and doesn’t receive regular updates.
4. Twitter is unable to delete user data if the user requests deletion and wants to terminate his account. This is mainly due to the fact that the data is distributed through the internal systems of the company, and then it is difficult to even trace it.
5. Twitter is running out of redundant hardware and procedures to recover from potential data center outages, putting sensitive user data at risk.
6. The Indian government forced Twitter to hire agents from their country, who gained access to a huge amount of Twitter user data.
7. The current CEO of the company, Parag Agrawal, was ready to comply with the request of the Russian authorities and censor Twitter content.
8. Twitter executives have always prioritized user growth over security, as that could earn them up to $10,000,000 in bonuses. This resulted in management not being interested in measuring the number of bots on the platform, and disclosing such numbers would likely hurt the company’s stock.
9. The head of Twitter tried to disable the ROPO security feature, which puts accounts in read only mode until they go through the phone number verification process. This feature was created to combat spambots.
10. Behind Zatko’s back, Twitter executives tried to get rid of a report on active state propaganda and disinformation campaigns on Twitter, which was compiled by an outside consulting firm at the request of Zatko himself.
11. Twitter failed to comply with government requirements and lied to regulators about its security measures and ability to protect user data.

Zatko claims he was told to carefully select and distort the data to create a false impression of cybersecurity progress when it was due to report to the board of directors. Twitter management attempted to cover up or misrepresent Zatko’s reports to other board members. Zatko says he was fired after he reported the security and fraud issues to Twitter management and also complained about the violations to a compliance officer.

Zatko’s report also suggests that Parag Agrawal, who lied to regulators and to his own board of directors, did not fight bots, did not solve security problems, and allowed foreign intelligence to infiltrate the company, is mainly to blame for the troubles of the company. At the same time, according to Agrawal himself, Zatko simply didn’t do his job well and is now trying to blame Twitter for his own failures. In addition, the company emphasized that many of the problems that Zatko wrote about had long been resolved.

On September 13, Peter Zatko testified before the US Senate Judiciary Committee, and again threw a real bomb into the information space.

According to him, the company “does not even know what data they have, where it is stored and where it came from” and therefore it is not at all surprising that Twitter is not able to protect this data. Worse, it was once again emphasized that employees have virtually unlimited access to a multitude of systems and information.

In his speech, Zatko confirmed that he observed a foreign agent from India who infiltrated the company and tried to understand how Twitter handles content related to his country’s politics. He also said that about a week before he was fired, the FBI told him that at least one other Chinese intelligence agent was working on Twitter. At the same time, the company’s management was allegedly aware of suspects that there were spies among the employees, but the lack of centralized logs and the inability to understand exactly what these suspicious employees could do prevented them from taking action.