In the disclosure, Zatko alleged that the company had serious security and privacy vulnerabilities that could harm US users, investors and national security. He also alleged that Twitter executives had misled regulators and even the company’s own board about its shortcomings.
The sheer number of sharp reactions to Zatko’s disclosures from lawmakers, regulators and cybersecurity industry experts, not to mention Musk’s lawyers, raises the prospect that the claims could have significant and long-lasting implications for social media companies. Worse, it comes at a time when Twitter has been grappling with uncertainty among employees, shareholders and advertisers over its pending deal with Musk.
The disclosure – which totals about 200 pages, including supporting exhibits – was sent last month to several US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. CNN obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill. The SEC, DOJ and FTC declined to comment.
Twitter shares fell 7% on Tuesday following news of the disclosure. Shares of the company have already suffered amid Musk’s bid to exit a $44 billion deal to acquire the platform, and are now trading at more than half of their near-$80 all-time high last February.
The following are the immediate effects of the disclosure being reported:
Lawmakers and regulators start asking questions
The hearing is scheduled for September 13, which happens to be the same day Twitter shareholders will vote on whether to approve Musk’s $44 billion takeover deal.
“Mr Zatko’s allegations of widespread security failures and interference by foreign state actors on Twitter raise serious concerns,” said Senators Dick Durbin and Chuck Grassley, the committee’s chair and ranking Republican, respectively. “If these claims are accurate, they may represent a dangerous data privacy and security risk for Twitter users around the world.”
Other US lawmakers have also weighed in on the matter.
The Senate Intelligence Committee, which received a copy of the report, took the disclosure seriously and held a meeting to discuss the allegations, according to Rachel Cohen, a spokeswoman for the committee. Senator Richard Blumenthal, who heads the Senate subcommittee on consumer protection, wrote to the FTC on Tuesday asking the agency to investigate the claims, and impose fines and individual liability on certain Twitter executives if the investigation finds them responsible for security lapses. Senator Ron Wyden on Wednesday renewed a call for Twitter to protect its users’ direct messages from prying eyes with secure end-to-end encryption.
Members of the US House Committee on Homeland Security on Thursday sent Twitter CEO Parag Agrawal a letter demanding that he address Zatko’s allegations and explain Twitter’s readiness for the 2022 midterms. And Twitter’s main regulator in Europe, the Irish Data Protection Commission, also said it was looking into information from the company in relation to the allegation.
Implications for the Twitter-Musk Trial
The whistleblower’s disclosure could have major ramifications for Twitter’s fight with Musk over their acquisition deal. But the Tesla CEO has been uncharacteristically silent in the days since the news broke.
But while Musk doesn’t have much to say about Zatko, his lawyers are clearly interested in the former Twitter security chief. Musk’s attorney Alex Spiro told CNN Tuesday that the billionaire’s legal team had summoned Zatko in the case even before news of the disclosure was reported.
“They have an economic incentive to mislead,” Spiro said. “There is a whistleblower complaint that has now been made public speaking of false information being provided.”
(Zatko told CNN that his disclosures were not related to the acquisition, that he had no personal relationship with Musk and that he began documenting concerns that would become his disclosures before any indication of Musk’s involvement with Twitter.)
Twitter says it allows bots on its platform, such as good bots that tweet news alerts, but its rules prohibit those that engage in spam or platform manipulation. The company says it regularly challenges, suspends and removes accounts involved in spam and platform manipulation, and that it typically deletes more than a million spam accounts every day. It declined to answer questions from CNN about the total number of accounts on the platform or the total number of new accounts being added each day.
Twitter executives have publicly rejected the allegations, and are trying to stem the internal impact.
Agrawal on Tuesday wrote an internal memo to employees, obtained by CNN, vowing to challenge the allegations in the disclosure and seek to convince employees, calling the allegations “frustrating and confusing to read.”
In Wednesday’s meeting, Sean Edgett, Twitter’s general counsel, said the company contacted regulators and “various agencies around the world” when the company learned about the allegations made by Zatko.