A former security chief of Twitter has alleged that the Indian government forced the social media company to put one of its “agents” on its payroll, The Washington Post reported on Tuesday.
The “agent” was given access to user data when the government was facing “intense protests”, Twitter employee-turned-whistleblower Peiter Zatko has alleged in a complaint.
It is not clear which protests Zatko referred to, but the Narendra Modi-led Union government had directed Twitter to withhold around 250 handles that were tweeting with the hashtag #ModiPlanningFarmerGenocide during the farmers’ protest in February last year.
The accounts of Caravan magazine and Kisan Ekta Morcha, a joint front representing the farmers who were at the time protesting against agricultural laws, were among those that were withheld. Although Twitter restored the accounts later, the Centre had served the company a notice for not complying with its directions.
In his whistleblower complaint accessed by The Washington Post, Zatko said that the government agents had access to a vast amount of sensitive data due to Twitter’s “basic architectural flaws”. He added that Twitter executives “violated the company’s articulated commitments to its users” by letting an Indian government agent have unsupervised access to its systems and data.
“Twitter’s transparency reports purported to quantify the number of government data requests from the Indian government, but the company did not in fact disclose to users that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll,” Zatko alleged.
‘Twitter deceived federal regulators about security’
The whistleblower also alleged that Twitter executives deceived regulators, the public, and its board of directors about the deficiencies it had in protecting its users and systems from hackers and reducing spam, according to The Washington Post.
Zatko, an ethical hacker, also alleged that he had warned his colleagues that half of the company’s servers were using “out-of-date and vulnerable software” and that executives withheld facts from directors about the number of breaches and lack of protections for user data.
“Twitter is grossly negligent in several areas of information security,” he alleged, according to the newspaper. “If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”
Zatko’s disclosure was sent to the US Congress and federal agencies in July, reported CNN, which also had access to the report.
Zatko was fired by Twitter in January for his poor performance, the company said. He said that he turned whistleblower after he tried to flag the security concerns to Twitter’s board of directors. He is being represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen.
In his disclosure, the whistleblower alleged that Twitter does not always delete users’ data after they have cancelled their accounts, according to CNN. He claimed that this was because, in some cases, Twitter had lost track of the information. Zatko alleged that the company also misinforms about users’ data.
‘Twitter not motivated to find bots’
The whistleblower also claimed that Twitter does not have enough resources to fully understand the number of bots it has on its platform and was not motivated to do so either.
He alleged that Chief Executive Officer Parag Agrawal lied when he tweeted in May that the company was “strongly incentivized to detect and remove as much spam” as the company possibly can.
This allegation holds significance given the recent attempt by billionaire Elon Musk to take over Twitter, from which he later backed out due to a disagreement over bots and spam accounts on the social media platform.
Musk had announced on July 9 that he was terminating the deal to buy Twitter, claiming that the microblogging platform had breached the buyout agreement on multiple counts. The Tesla CEO said that he took the decision as Twitter did not provide enough information about the number of spam and fake accounts on its platform.
On May 13, Musk had tweeted that the deal was on hold “pending details supporting calculation that spam/fake accounts do indeed represent less than 5% of users”.
After Musk backed out of the $44 billion deal (over Rs 3,36,910 crore) to buy the social media company, Twitter sued the billionaire on July 12.
In its filing on August 4 before the Delaware court that will hear the lawsuit, Twitter had dismissed claims by Musk.
Meanwhile, John Tye, founder of Whistleblower Aid and Zatko’s lawyer, told CNN that his client has not been in contact with Musk. He told the news channel that Zatko began the whistleblower process before there was any indication about Musk’s deal with Twitter.
Security, privacy priorities for company, says Twitter
Twitter responded to the allegations levelled by Zatko, saying that security and privacy are longtime priorities for the company.
The company spokesperson told CNN that it has clear tools to control user privacy and that it has workflows that ensure that when users cancel their accounts, Twitter informs them the accounts will be deactivated.
On Zatko, the spokesperson told the news channel that he was fired for “poor performance and ineffective leadership”.
“While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context,” the spokesperson said.
He added: “Mr Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”