Image Source: CNN
According to legal experts and former federal officials, the former Twitter head of security’s explosive whistleblower disclosure this week exposes the company to new federal investigations and potentially billions of dollars in fines, tougher regulatory obligations, or other penalties from the US government.
Twitter faces significant legal risk as a result of Peiter “Mudge” Zatko’s whistleblower disclosure, a nearly 200-page filing to authorities that claims the company is riddled with information security flaws — and that, in some cases, its executives have misled its own board and the public about the company’s condition, if not committed outright fraud.
Twitter has accused Zatko of spreading a misleading narrative about the firm, which he worked for from November 2020 until he was sacked in January for what Twitter claims was poor performance.
Zatko is a well-known cybersecurity expert who has held prominent positions at Google, Stripe, and the Defense Department. On Tuesday, CNN and The Washington Post were the first to report his whistleblower disclosure.
Twitter may not have complied with its deal with the FTC
In his disclosure to the US authorities, Zatko claims Twitter has “egregious deficiencies” in its cybersecurity posture, has intentionally misled regulators about its handling of user data, and is failing to meet its obligations under a 2011 privacy settlement with the Federal Trade Commission — a legally binding order that, among other things, requires the creation of “reasonable safeguards” to protect users’ personal information. The FTC did not respond to the disclosure.
According to Zatko’s damaging disclosure, about half of Twitter’s employees, including all engineers, have excessive internal access to the company’s live product, known internally as “production,” as well as to actual user data. It also alleges that the company cannot defend against insider threats, foreign governments, and unintentional data releases.
According to CNN, Twitter says its FTC compliance record speaks for itself, citing third-party audits submitted to the agency under the 2011 consent agreement. Twitter also stated that it complies with relevant privacy legislation and has been open with regulators about its efforts to correct any system flaws. According to Twitter, Zatko did not take part in the audit process and did not fully understand Twitter’s FTC requirements or how the firm was fulfilling them.
According to the declaration, Zatko’s staff were “intimately familiar” with Twitter’s concerns before the FTC and were the ones who informed Zatko that Twitter had never been in compliance with the 2011 order and was never on pace to become compliant.
As a result of his whistleblower activities, Zatko may be eligible for monetary compensation from the US government. According to the SEC, “original, timely, and credible information that leads to a successful enforcement action” can earn whistleblowers up to a 30% share of agency fines related to the action if the penalties exceed $1 million. Since 2012, the SEC has awarded more than $1 billion to more than 270 whistleblowers.
Tye stated that Zatko made his report to the SEC “to assist the agency in enforcing the laws” and to get federal whistleblower protections. “The potential of a prize did not influence Mudge’s decision, and he was unaware of the award program when he decided to become a lawful whistleblower.”
The whistleblower disclosure comes months after the FTC accused Twitter of violating the 2011 order by misusing account security information for advertising purposes. In May, Twitter agreed to pay $150 million to settle those claims in a second FTC settlement.
According to Jon Leibowitz, who was chair of the FTC at the time of Twitter’s 2011 settlement, Zatko’s disclosure raises the specter of yet another probable breach of Twitter’s FTC agreements.
Possibility of a fresh settlement
The stakes of the disclosure could be enormous. If the FTC finds that Twitter breached its order for a third time, the company could face the toughest fines the agency has ever imposed on it. Lina Khan, a strong critic of internet platforms and of what she calls a “commercial surveillance” business model that profits from weak national privacy standards, currently chairs the FTC. Under Khan’s leadership, the FTC is considering writing broad new privacy rules that could directly affect businesses across the economy, including Twitter, and how they gather, use, and share personal data.
Former FTC officials believe that if the FTC finds a breach, it has two basic avenues for holding Twitter accountable. First, it may pursue a third settlement with the firm; second, it may sue Twitter over the existing consent orders and seek appropriate penalties in court.