August 24, 2022 – The Indian government forced Twitter to hire an “agent” who likely had access to sensitive user data, a former Twitter security chief has disclosed to US regulators in a string of explosive revelations.
The whistleblower, Peiter Zatko, has levelled alarming allegations regarding the company’s privacy policies and the way it deals with users, investors, board members, and government officials about the vulnerabilities in its security infrastructure. The complaint, filed with the US Securities and Exchange Commission (SEC), Department of Justice (DOJ) and the Federal Trade Commission (FTC) in July, was first reported by CNN and The Washington Post on Tuesday.
Zatko claims that Twitter was forced by the Indian government to employ one of its agents who, owing to basic security flaws in the social networking platform, would have access to vast amounts of sensitive user data. The complaint accused Twitter executives of violating the company’s commitments to its users by knowingly granting an Indian government agent access to the company’s internal user data and information systems.
“The company did not in fact disclose to users that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll.”
Twitter has rejected Zatko’s claims and said that the cybersecurity expert had been fired earlier this year for “ineffective leadership and poor performance”.
“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” stated Twitter.
Experts weigh in
Hija Kamran, a digital rights expert based in Karachi, said that this is not the first time a tech company has complied with the Indian government’s demands violating users’ privacy and other rights on the platform. She cited the case of Facebook’s violation of its hate speech policy that led to mob violence in the country.
“It goes without saying that the new revelation is worrying and puts users’ online and offline safety at risk,” Kamran said while speaking to DRM. “Social media has played a crucial role in political instability in recent times, and planting an agent within critical departments on demands of an authoritarian government with a history of ongoing human rights violations points at the fact that social media companies are equally responsible for this violence.”
She stressed the need for accountability and transparency around tech companies’ privacy policies and security practices, especially when it comes to their foreign markets.
“It’s a pattern that points at the need for tech companies to be held accountable for the kind of role they play in different democracies around the world,” Kamran said. “They don’t only need to be stringent in providing needed security to their users, but also be transparent in their actions that violate their rights.”
Patrick Dennis, CEO at ExtraHop, a cybersecurity firm based in the US, remarked that security was an afterthought for Twitter’s leadership if Zatko’s allegations are true.
“It underscores the extent to which security that is treated as merely a technical issue is doomed to fail,” Dennis told Forbes. “Cybersecurity policies and practices need to have the full support of the organisation, including its board and leadership.”
Other experts believe that Zatko’s allegations deserve “serious attention”.
Zatko’s revelations, which also include accusations of Twitter’s failure to prioritise the removal of spam or bot accounts, come in the wake of Twitter’s legal battle with Tesla CEO Elon Musk, who walked away from his proposed $44 billion deal to acquire the social networking platform and take it private in April. Musk dropped the deal, accusing Twitter of lying to him about the number of bots on the platform, following which the billionaire was sued by the company. The trial is set to begin in October.