Whistleblowing

Twitter's case against Elon Musk will begin in October. According to CNN, Twitter's former head of security, named Peiter Zatko, had given a tip about massive security breaches and fake accounts. Part of the $44 billion deal was a truthful statement about the number of Twitter users. Elon Musk's lawyers have spoken about a violation of takeover rules by Twitter in this context. The statement had also been filed with the Securities and Exchange Commission, the SEC. This assumes that the statements by Peiter Zatko are true. Twitter has denied the allegations. The group wants to enforce the takeover agreement. The DOJ (Department of Justice) and the FTC (Federal Trade commission) are also investigating the case.

Who is Twitter's whistleblower?

Peiter Zatko, also known by the pseudonym "Mudge", appeared on CNN 20 years ago and pointed out the security problems of the internet. Back then, he already talked about how large corporations would systematically ignore these security vulnerabilities because it was more convenient for them. He has been a well-known hacker in his time and until recently was the head of security at Twitter. He is trusted even more as a whistleblower because he knows his job.

In a recent CNN interview, he talks about Twitter's security vulnerabilities. His detailed "disclosure" of 6 July 2022, the details of which are known only to investigating authorities, reportedly talks about, among other things, the fact that about half of Twitter's 10 thousand employees have access to sensitive information such as the social media giant's user accounts and control mechanisms. Mudge compares this critical access of several thousand employees to the access of passengers to the cockpit of an plane. In addition, Twitter is said to have no overview of the numerous bots and has not deleted user data in accordance with the law.

Mudge is being advised by John Tye, founder of Whistleblower Aid. The same one who represented Francis Haugen, the Facebook whistleblower. John Tye was himself a whistleblower who uncovered unlawful activities by the NSA during the Obama administration. 

Under the name "Mudge", Peiter Zatko runs his Twitter account, which he created in 2011. He now has 65 thousand followers.

But why did he uncover the issues just recently?

Many people may wonder why Mudge went public with this information just at the time of Twitter's upcoming transaction with Musk. To understand this, you have to look at the history. Twitter has had enormous problems with data leaks and hacking. Among others, two teenage hackers have gained access to Twitter's user accounts, including prominent users like Joe Biden with several million followers. Just imagine. If two teenagers could gain access to accounts, what could Putin's hackers do, for example.

In 2020, the Twitter group hired Mudge as one of the top five executives in the group. The data security leaks were supposed to end. Two years later, he is fired for alleged poor performance. His lawyer, John Tye, claims Mudge made the tip before the deal between Twitter and Musk became public.

Alex Spiro, Musk's lawyer, claims that he found the dismissal of Mudge and other key employees at Twitter strange in light of what he and his team found out and therefore called Mr Zatko as a witness.

Mudge himself claims to have been dismissed in January 2022 after making an internal tip about the above issues. Curiously, Twitter co-founder and CEO, Jack Dorsey also parted ways with the company in January 2022.

Mudge said in the CNN interview in August regarding his motivation that he wants to make the world a better place, a safer place.
Is Mudge a hero fighting for people's safety and privacy or is he waging a personal war against the social media giant? Why did a hacker who has been fighting cyber insecurity for decades take a high-paying position in a corporation like Twitter? As head of security, he could have expected to be able to reach into the very marrow of the corporation, at least in terms of security. Perfect infiltration or the work of a selfless philanthropist?

We stay tuned!

How is Mudge legally protected as a whistleblower?

As a whistleblower, he is protected by several laws in the US, such as the Sarbanes-Oxley Act, the Dodd-Frank Act, and New Jersey's Conscientious Employee Protection Act. Similar to the EU Whistleblowing Directive, the whistleblower is only protected if certain requirements are met. Following the disclosure of legal violations and related retaliation by the employer, the whistleblowing person may file a lawsuit in a competent US district court under the above laws. Mudge's counsel confirmed to relevant authorities in the 6 July 2022 "Disclosure" that the documents disclosed by Mr Zatko were carefully limited to those that were relevant and "sufficiently necessary" to prove Twitter's violations of the law. In addition, Whistleblower Aid made extensive redactions before disclosing internal Twitter information to law enforcement, and screened and filtered the documents for the legal privilege criterion. Not all documents were forwarded either. 

A whistleblower in Germany would have to do something similar and seek advice from an organisation like Whistleblower Aid in order to do everything right. However, the Whistleblower Protection Act does not provide protection for legal entities such as non-profit organisations as supporters of whistleblowers. Not only we, but also several renowned organisations such as Transparency International have criticised this deficiency in the new law.

Why are fake accounts so important on social media platforms?

Social media has become enormously important in the digital world. Whether companies want to gain B2B or B2C reach, or whether politicians are courting more voters or inciting an uprising, everything happens online on social media. We have written about this several times in our blogs. The platforms have grown extremely fast. However, the control structures and security measures have not grown proportionately. The gaps are often used, for example, to spread information with fake accounts and to gain reach for certain users. Some of the fake accounts are not created manually, but generated with the help of AI-supported methods. For example, AI-generated photos and profile data are used to make the profile as genuine and appealing as possible. For the platforms themselves, the number of user accounts is relevant. The less is known about fake accounts, the better.

In the meantime, other social media platforms such as LinkedIn have also set up further security measures against fake accounts. For example, they even ask for copies of ID when an account is created, or accounts are blocked even if there are the slightest inconsistencies. The LinkedIn algorithm is particularly attentive to red flag searches for certain origins and nationalities, according to our experience. What LinkedIn does with the personal data of more than 800 million members and whether the data is really deleted as claimed is more than questionable.