NPR’s Ari Shapiro speaks with The Washington Post’s Joseph Menn, one of the reporters to break the story of Twitter’s former security chief accusing the company of security and privacy vulnerabilities.

ARI SHAPIRO, HOST:

Twitter’s former security chief is now speaking out against the company. Peiter Zatko, also known by his hacker name Mudge, has filed complaints with several government agencies. He accuses Twitter of serious security flaws that he says pose a risk to the platform’s users, shareholders and national security. The complaint was obtained by CNN and the Washington Post. Joseph Menn is a technology reporter for The Post. Welcome to ALL THINGS CONSIDERED.

JOSEPH MENN: Thank you for inviting me.

SHAPIRO: So you spoke with Peiter Zatko, former head of security at Twitter. What did he tell you to justify filing this whistleblower complaint with the Department of Justice, the Federal Trade Commission, and the Securities and Exchange Commission?

MENN: Well, he was very frustrated during his short stint at Twitter. He stayed there for 15 months and was brought in after a series of particularly embarrassing hacks in 2020. So he was brought in because of his reputation to fix the place. And then he couldn’t do it. He was fired after a CEO change in January. And he told me he views this whistleblower complaint as an extension of his work to make Twitter safer for people. If the company doesn’t, he’s basically inviting regulators to step in and force them to do it.

SHAPIRO: Can you explain what he sees as the threat to national security?

MENN: Well, he says they were tipped off that there was more than one intelligence agency with people inside the company. He says he believes there was an Indian government agent inside the company. So there’s that, there’s the insider threats, but also what he describes as egregious failures in protecting user data, which can include phone numbers, location data, real email. It’s super risky because – maybe not for you and me, but, you know, in many countries, dissidents use Twitter to communicate. And they’re at great risk, and they can be exposed that way. In fact, there was an internal threat in San Francisco. There was a conviction this month of a person accused of working for the Saudi government at Twitter and leaking information about dissidents. So it’s a matter of national security.

SHAPIRO: Peiter Zatko has an interesting background. Tell us a bit more about him.

MENN: Well, Mudge Zatko, as he’s called, has actually been one of the most famous hackers in the country for a long time. In the 1990s, he was one of the first to publish details of software security vulnerabilities. So at that time, if you were a business and you bought software – this was in the early ’90s – Mudge and others would find faults in it. Instead of just exploiting them on their own and breaking into the computers of people who were using this software, they would release findings saying, this is the problem or this is the problem.

SHAPIRO: Okay. So back to that whistleblower complaint. How did Twitter respond to this?

MENN: They say it’s overdone. It is no longer up to date. There are inaccuracies in it. They say Zatko is a disgruntled former employee who was fired for poor performance and lack of leadership.

SHAPIRO: And that comes as the ownership of the company is in question. Elon Musk is trying to pull out of a deal to buy Twitter. Do you expect this to have an impact?

MENN: It’s definitely going to have some impact. The question is how much? And I think we’ll soon find out. Mudge Zatko may be subpoenaed. And it is very likely that he will be subpoenaed by Musk’s team. Musk already kind of alluded to the complaint today. Musk is trying to pull out of the deal, and do it for free, for several reasons. The first is that Twitter drastically underestimated the number of bots and spammers on its site, and did so by so much that it’s a significant adverse event once you look at the actual number of bots to find out what it is, and Zatko agrees. And part of his complaint is – there’s a section called “Twitter Lies To Musk About Bots”.

And the second thing is that in the deal that was made with Musk, Twitter stood by its SEC filings and said everything in there was true. Zatko says otherwise, saying that by hiding these really serious security flaws, it was violating, among other things, an 11-year-old agreement with the Federal Trade Commission to do better and have a decent security program. And this is an important omission for shareholders. And if Musk takes this up, he could argue that Twitter attesting to the truth of its statements to shareholders was a fraud and a breach of contract.

SHAPIRO: Are there any bigger implications here for cybersecurity beyond Twitter?

MENN: There are. So I’ve covered cybersecurity for about 20 years, and I hear a lot of people today both say that Twitter is an outlier, that it has exceptionally bad security historically, but also that it’s sort of a symbol of how serious a lot of tech companies are about security, you know, behind the scenes. It’s super rare to have such a high-ranking whistleblower with that kind of reputation. But you shouldn’t really be shocked if similar things happen in other companies that we don’t know about.

SHAPIRO: This is Joseph Menn, a technology reporter for the Washington Post. Thanks a lot.

MENN: Thanks for inviting me.