The Securities and Exchange Commission, Federal Trade Commission, and Department of Justice have received complaints saying that Twitter has "severe, egregious shortcomings" in terms of privacy, security, and content moderation.
The allegations, which CNBC obtained, were made by Whistleblower Aid, a non-profit law firm that represents Peiter "Mudge" Zatko, the former security chief of Twitter. Whistleblower Aid, which also represented Facebook leaker Frances Haugen, confirmed the documents' veracity to CNBC. Shares of Twitter were down by more than 5% in morning trading.
In a complaint with the SEC, Zatko alleges that he “witnessed senior executive engaging in deceitful and/or misleading communications affecting Board members, users and shareholders” on multiple occasions in 2021, during which CEO Parag Agrawal asked Zatko to provide false and misleading documents.
According to the whistleblower materials, Zatko said that in his final report to the board before he was fired, Twitter misrepresented four significant issues: outdated software with no fundamental security safeguards, “Gross problems” in who could access or control systems and data, problematic internal processes, and a “volume and frequency of security incidents impacting a large number of users’ data that is frankly stunning.”
In the complaint, Zatko claimed that more than half of Twitter's 500,000 servers were running outdated software and that more than a quarter of employee computers had software updates disabled, leaving them without crucial security fixes. He said Twitter’s alleged practice of granting broad access to the platform’s production environment was “unheard of in a company the age and importance of Twitter, where nearly all employees have access to systems or data they should not.”
Government regulators might determine that Twitter broke the terms of its 2011 settlement with the FTC if they find that it deceived users about its security measures. Under that settlement, Twitter was barred for 20 years from misleading users about how it safeguards their security and personal information. The agreement also obligated Twitter to establish and maintain a comprehensive information security programme that would be examined every 10 years by an outside auditor.