Musk’s Twitter still violates FTC security pact, says new whistleblower


A new Twitter whistleblower has emerged who backs last year’s startling statement about the company’s dire state of privacy and says the company continues to breach its legal obligations under new owner Elon Musk.

The former employee has told members of Congress and Federal Trade Commission employees that any Twitter engineer can turn on an internal program called “GodMode” and tweet from any account today, three months after Musk’s acquisition.

The allegation was also made in a complaint that was filed in October by the nonprofit law firm Whistleblower Aid at the FTC, which continues to interview former employees. A congressional staffer shared the complaint with the Washington Post.

The company’s current trust and safety director, Ella Irwin, did not respond to an email seeking comment on the new claims. Parag Agrawal, who was chief executive for a year before Musk fired him in October, did not respond to a Twitter message asking for comment.

Concerns about Twitter’s security increased after an incident in 2020 when teenagers hacked into Twitter’s internal systems and when Musk, Barack Obama and others tweeted. Twitter executives in 2020 said They had fixed the glitchesbut the whistleblower denies this.

“Following the 2020 hack that allowed teens to tweet as any account, Twitter publicly stated that the issues were resolved,” the complaint reads. “However, the existence of GodMode is another example that Twitter’s public statements to users and investors were false and/or misleading.”

“Our client has a reasonable belief that the evidence in this disclosure demonstrates violations by Twitter,” the new complaint reads.

The whistleblower spoke to staffers on the Senate Judiciary Committee on Friday after previously meeting with the House Energy and Trade Committee and the FTC. The whistleblower spoke to The Post on condition of anonymity because of threats and harassment to other former employees.

In that interview, the new whistleblower said that engineers changed its name to “privileged mode” after internal objections to the program. The whistleblower said the purpose of the program is to allow Twitter employees to tweet on behalf of advertisers who couldn’t do it themselves.

The whistleblower said he was motivated to come forward by testimony from Peiter Zatko, the former Twitter security chief whose sweeping claims The Post published in August. Zatko was also represented by Whistleblower Aid.

Zatko, who was hired by Twitter co-founder and then-CEO Jack Dorsey after the 2020 debacle and fired by Agrawal, Dorsey’s successor as CEO, said poor access controls are one of several ways Twitter violated its 2011 FTC consent decree that followed serious violations.

An FTC complaint at the time said far too many Twitter employees could access internal systems and user data, and the company agreed to put in place a “comprehensive information security program reasonably designed to protect the security, privacy, confidentiality, and integrity of Protect non-public consumer information.”

When Zatko testified in Congress that no such plan existed, a third engineer who was still with the company told Twitter security officials that a program to tweet like others was still in widespread use and that he had tried years before turn off or restrict. This issue has been revisited, according to the complaint, leading to the discovery of even deeper access that would also allow deleting tweets or restoring deleted tweets – something regular users can’t do with their own accounts.

Although Twitter executives at the time said the number of people who had access to such powerful tools had been reduced in 2020, the new whistleblower complaint says the GodMode code remains on every engineer’s laptop who wants him. All they would have to do is change one line of code from FALSE to TRUE and run it from a production machine, which they could reach using an easily accessible communications protocol called SSH.

“Twitter is unable to log whether and which engineers use or abuse GodMode,” the complaint reads.

The complaint includes screenshots of the code in question. The line of code that allows a GodMode user to delete tweets includes the capitalized one Comment: “Think before you do that.”

The document also includes photos of electronic conversations between the whistleblower and his colleagues at the time. In a discussion, he suggested a technique that an engineer could use to deploy the crafted code, and a colleague replied that there was an easier way.

“It’s one of those scenarios where nobody tried to break into the car through the sunroof because the window was cracked and the keys were in the visor lol,” he told the whistleblower.

The congressional staffer who filed the complaint said it supports that of Zatko, who has objected to executives’ public claims that powerful tools have been restricted. “It is not true that: a. “Access to these tools is strictly restricted” b. ‘[w]We have zero tolerance for misuse of credentials or tools,'” Zatko’s complaint reads.

Prior to Musk’s acquisition, Twitter said it improved security after Zatko left. But several recently-departed security officials said in interviews with The Post that the situation has gotten much worse under Musk.

The whistleblower said in the interview that someone who gains unauthorized access to an engineer’s computer would have the same authority to tweet as anyone else, and that engineers have a history of being hacked. Additionally, Zatko’s complaint stated that Twitter directly employed several agents from other governments.

“They have written to the public and regulators saying they have closed all loopholes,” the new whistleblower said. “That’s a lie.”

“They removed this from an interface, but it still existed in another way. They just changed the lock on one of the many front doors.”

Another former safety engineer told the Post that when they left late last year, they were aware of the issue and that improvements were afoot somewhere.

Zatko’s complaint sparked a wide-ranging investigation by the FTC, which continued after Musk took over. The commission has said it is concerned about the subsequent departures of the top security and privacy officers who served after Zatko’s departure, including some who were responsible for maintaining FTC compliance.

The new whistleblower and another former employee spoke to several FTC staff this month. The former employee told the Post that officials seemed most interested in privacy and security controls and the process by which executives make changes. This former employee also spoke on condition of anonymity over the acrimony surrounding Musk’s leadership, which has reduced the company’s workforce from 7,500 to fewer than 2,000 employees.

Some people who have been in regular contact with the FTC believe the agency could fine the company $1 billion or more if it concludes that the company has consistently violated the FTC’s executive order .

Cat Zakrzewski contributed coverage to this article.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button