Twitter is in crisis mode — and that could mean trouble for its plans to fend off dangerous misinformation and foreign influence in the midterm elections.
The company was already battling Elon Musk over his efforts to back out of a planned takeover, a corporate soap opera that has left Twitter’s stock price battered. Then on Tuesday, Twitter was hit by public disclosure of accusations from its former security chief that it had violated a government privacy settlement and knowingly left its data open to hackers and spies.
Leaders of multiple congressional committees promised investigations and called on federal agencies to do the same, including urging the Federal Trade Commission to open a probe.
That’s a lot for a social media company to tackle less than three months before the November vote. And multiple Republican and Democratic lawmakers say they’re concerned that the latest revelations are leaving Twitter unprepared and understaffed to combat that expected flood of election-related misinformation around the midterms.
The complaint filed by former Twitter security chief Peiter Zatko includes details that suggest Twitter is more vulnerable than previously known to foreign misinformation campaigns, despite purported efforts to improve security and combat mistruths after Russian-state backed meddling in the 2016 elections. He also alleged that Twitter was pressured by the Indian government into hiring at least one of their officials, which Twitter has denied.
House Homeland Security Chair Bennie Thompson (D-Miss.) said in a statement that the allegations “raise serious questions about Twitter’s commitment to securing user data – whether that means keeping it out of the hands of disgruntled employees, hackers, or foreign dictators.”
“Our adversaries have a history of exploiting social media to disrupt our elections – and with the midterms only three months away, there is no time to waste,” Thompson said.
The committee’s top Republican, New York Rep. John Katko, said in an email: “These allegations could have serious national security, privacy and election security implications.”
Zatko also shared a draft report written by misinformation research consulting agency Alethea Group that was commissioned by Twitter, which found that the company’s site integrity team was under-resourced and understaffed, with only two employees dedicated to addressing misinformation in 2021.
The 24-page draft report — published by The Washington Post — concluded that “organizational siloing, a lack of investment in critical resources, and reactive policies and processes have driven Twitter to operate in a constant state of crisis that does not support the company's broad mission of protecting authentic conversation.”
The report continues, “As a result, Twitter is constantly behind the curve in actioning against disinformation and misinformation threats.”
In an email to POLITICO late Tuesday, Twitter didn’t respond to a request about how many employees now work to combat misinformation. The company said it has rolled out proactive security reminders for users, such as suggestions to use strong passwords and set two-factor authentication, and plans to roll out more measures before the midterms.
But this November’s vote was already shaping up to be a massive challenge for social media companies that faced criticism in 2020 for acting too slowly to curb dangerous lies pushed by former President Donald Trump and his supporters claiming that he had won the election. Those falsehoods helped fuel the deadly attack on the Capitol on Jan. 6, 2021.
Twitter rolled out a midterm election strategy earlier this month, in which it pledged to do more to get ahead of misinformation with state-specific election hubs offering authoritative information and by preventing users from recommending misleading posts. But political analysts say the company is still largely following its hodgepodge playbook from the 2020 presidential election.
“The fact that the complaint has surfaced just as Twitter and other companies are announcing with great earnestness, ‘here are our policies for 2022,’ there's really a sharp contrast there,” said Paul Barrett, the deputy director of New York University’s Center for Business and Human Rights who researches the interplay of social media and democracy. “They want you to think that ‘we’re on top of it,’” but he said they are in reality just putting out one fire after another.
The various security vulnerabilities flagged by Zatko showcase ways that Twitter users’ data could be used by bad actors, including “extreme, egregious efficines” in user privacy, physical and digital security, and content moderation, according to the complaint. Twitter had hired Zatko in late 2020 to confront these kinds of risks after reports emerged earlier that year that hackers had hijacked accounts of more than 100 users, including U.S. officials and politicians such as Trump and former President Barack Obama.
Zatko — a well-known hacker and security expert also known as Mudge — said in his complaint that he had alerted Twitter’s board to the security vulnerabilities, along with alleged violations of a 2011 settlement with the FTC that legally obligated the company to protect individual users’ data. The consent agreement remains enforceable by the FTC, with each violation resulting in a fine of up to $16,000.
Twitter has rebutted Zatko’s claims as “riddled with inconsistencies and inaccuracies” and said it had fired him in January 2022 for “ineffective leadership and poor performance.” The company also said it was in compliance with the FTC settlement, saying it was audited biannually by external auditors, and Zatko was not part of the process.
Katko said Zatko’s charges “must be aggressively investigated,” a sentiment echoed by Sen. Chuck Grassley (R-Iowa), the top Republican on the Senate Judiciary Committee, and Senate Judiciary Chair Dick Durbin (D-Ill.).
Sen. Richard Blumenthal (D-Conn.), who chairs the Commerce Committee’s Consumer Protection, Product Safety and Data Security panel, urged the FTC on Tuesday to investigate the allegations and enforce its consent decree if it were in fact violated.
Zatko submitted the complaint in July to the Securities and Exchange Commission, Justice Department, FTC and committees in Congress, according to copies of the documents and reporting first published by CNN and The Washington Post.
The Senate Judiciary Committee, Senate Intelligence Committee and House Energy and Commerce Committee all confirmed to POLITICO that they had received the complaint.
Leaders of the House panel — Chair Frank Pallone (D-N.J.) and ranking member Cathy McMorris Rodgers (R-Wash.) — seized upon the allegations of lax data security as another reason to pass the American Data Privacy and Protection Act, H.R. 8152 (117), a bipartisan federal data privacy bill that advanced out of the committee in July.
Zatko is represented by Whistleblower Aid, the nonprofit law firm that represented former Facebook employee Frances Haugen when she filed complaints with the SEC and Congress last fall alleging multiple abuses by Meta and its platforms. Those included allegations that Instagram knew its algorithms pushed unhealthy body images to young girls.
The newest whistleblower complaint could complicate the lawsuit that Twitter is waging against Musk after he attempted to break off his agreement to buy the company for $44 billion. Musk has alleged that the company has severely undercounted the number of spam and bots on the platform. Zatko said in the complaint that current Twitter CEO Parag Agrawal was “lying” when he tweeted that the company was incentivized to find and take down spam as possible. Musk’s attorney did not respond to a request for comment.
John Tye, Zatko’s lawyer at Whistleblower Aid, told CNN that Zatko was not working behind the scenes with Musk’s team. Whistleblower Aid did not respond to a request for comment.
The SEC and FTC declined to comment. The DOJ didn’t respond to a request for comment.
Eric Geller contributed to this report.
