Former Twitter Security Official Makes Serious Allegations against the Company

A former Twitter director has filed a complaint against the company, revealing "severe inadequacies in every area of delegation" of the social media network, including privacy, digital and physical security, platform safety, and content moderation, according to U.S. media reports. The complaint was filed last month with the Securities and Exchange Commission (SEC) and was disclosed on Tuesday by former security chief Peter Zatko, who was fired earlier this year.

The SEC declined to comment on a request from the Wall Street Journal. A similar complaint has also been submitted to the Federal Trade Commission and the Department of Justice, both of which have refrained from commenting. Zatko alleges that Twitter executives, including current CEO Parag Agrawal, deliberately endangered Twitter users and employees in pursuit of short-term growth, from receiving funds from unreliable Chinese sources to acquiescing to Russian censorship demands.

Zatko's complaint claims that the U.S. government provided specific evidence to Twitter shortly before his dismissal, indicating that at least one employee, and possibly more, was working for another government intelligence agency. The complaint does not clarify whether Twitter acted on U.S. government advice or whether the implication was credible.

Zatko believes that the Indian government deliberately pressured the company to hire at least one employee who had access to "vast amounts of sensitive data on Twitter," as shown in the complaint. The Indian Embassy in Washington did not respond to the Wall Street Journal's request for comment.

In the months leading up to Russia's invasion of Ukraine, Agrawal — then Twitter's chief technology officer — appeared willing to make significant concessions to the Kremlin, according to Zatko. Agrawal suggested to Zatko that Twitter comply with Russian demands that could lead to extensive censorship or surveillance, Zatko claims.

The complaint does not provide details about exactly what Agrawal proposed. However, last summer, Russia enacted a law pressuring tech platforms to open local offices in the country or face potential advertising bans, a move that Western security experts said could grant Russia greater leverage over U.S. tech companies.

CNN attempted to obtain detailed responses from Twitter on more than 50 questions regarding this issue. Twitter did not respond to CNN's inquiries regarding foreign intelligence risks, but a company spokesperson stated that Zatko's claims are generally "full of contradictions and inaccuracies and lack important context."

Earlier this month, a U.S. jury convicted a former Twitter employee of espionage on behalf of Saudi Arabia for passing private information about users who criticized the kingdom, in exchange for hundreds of thousands of dollars, while he worked at the company from 2013 to 2015.

Twitter's shares fell 7.3% on Tuesday to their lowest closing price in nearly a month. The complaint adds a new dimension to the lawsuit regarding billionaire Elon Musk's intent to back out of acquiring the company, according to Charles Elson, founder and director of the John L. Weinberg Center for Corporate Governance at the University of Delaware.

Elson told the Wall Street Journal: "He argues that he was misled by Twitter," and the complaint indicates the same. He added that Zatko will be brought in as part of the discovery process, and the judge will determine whether the allegations have a material impact on Musk's case.

In 2011, Twitter reached an agreement with the Federal Trade Commission to maintain stringent security, including limiting the number of employees who could access key security and privacy controls. Zatko claims the company violated this agreement with the government agency.

Zatko's disclosures, derived from Twitter's internal cybersecurity dashboards, show that four out of ten employee devices — representing thousands of laptops — did not have basic protections enabled, such as firewalls and automatic software updates. The statement notes that employees can also install third-party software on their devices with few technical restrictions, leading on many occasions to employees installing unauthorized spyware on their devices at the request of external entities.

In its response to CNN, Twitter stated that employees use devices supervised by IT and other security teams, capable of preventing the device from connecting to sensitive internal systems if operating on outdated software.
