
The security flaws that make Twitter’s insider threat so scary



Disclosure claims lax access controls increased impact of Indian government plant


Illustration (a black Twitter bird in front of a red and white background) by Alex Castro / The Verge

Peiter “Mudge” Zatko’s whistleblower disclosure contained a lot of alarming claims about Twitter, from confusing bot measurements to executive misconduct, but one of the most serious was that the company was actively infiltrated by agents of the Indian government. For a platform that has always presented itself as a haven for journalists and activists, it’s a troubling claim and one that the company has not directly confronted in responses given to US media.

But the allegations are less outlandish than they seem, and they are part of a much larger issue for international tech platforms.

Zatko’s SEC filing claims that, in the course of his time as Twitter’s head of security, he was informed that the Indian government forced Twitter to employ one of its agents.

In a section of the report titled “penetration by foreign intelligence and threats to democracy,” the filing notes:

The Indian government forced Twitter to hire specific individual(s) who were government agents, who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data.

The relationship between Twitter and the Indian government has been particularly fraught, coming to a head in a 2021 raid of the company’s office in Delhi in response to a perceived misuse of the platform’s “manipulated media” tag. Twitter’s moderation in the country is a thorny issue, as false rumors have often been used to spark mob violence against the Muslim minority population. For most speech advocates, those moderation decisions are too sensitive to involve an employee of the current right-wing government, which some see as implicitly endorsing the violence.

As Zatko told it, the operational failure that led to a government agent being employed was compounded by a basic security failure. In the SEC filing, he alleged that “half of Twitter’s 10,000 employees and growing” had access to live production systems and sensitive user data. It’s unclear whether the alleged foreign agent was among them, but access that broad makes any mitigation effort far harder: once an insider is on staff, there is little standing between them and the data if thousands of colleagues already have the same reach.

As yet, details are also fuzzy on the extent to which Twitter willingly made this concession. The platform has had a troubled run in India and is currently bringing a legal challenge against the Indian government over orders to block certain content that was critical of the Modi administration. Competitor Facebook has also run into problems but of a different kind: in 2020, its India policy chief resigned after being strongly criticized for failing to tackle anti-Muslim hate speech on the platform.

The Indian press — well aware that surveillance and intimidation of journalists have steadily been increasing in the country — has treated the allegations seriously, though reporters in the country seem to have had trouble obtaining any additional information from the platform.


“A whistle-blower’s disclosure that the Indian Government forced Twitter to hire its agent, who then got access to the platform’s user data, should alarm anyone even remotely interested in the health of democracy in the country,” read an op-ed in The Hindu, one of the nation’s largest English-language newspapers. “At the very least, it requires an official response from the Government as also from Twitter.”

Approached for comment by The Verge, a Twitter spokesperson sent a statement issued by the CEO and previously provided to press, disputing Zatko’s claims as a “false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”

The stakes of the issue are high because of Twitter’s near-global reach and the wealth of sensitive data it protects. Though the content of tweets is public by default, direct messages function as a private backchannel between users, but one that many employees have been able to read through internal tools. In the wake of a 2020 hack in which a number of widely followed celebrity accounts were compromised, it came to light that contractors with access to Twitter’s internal tools had used them to snoop on celebrities for years, peering into DMs to read private conversations and using IP logging to track their approximate locations. Needless to say, it’s a capability that lots of repressive governments would be glad to have.

It’s not just foreign governments that might try to break Twitter’s security from the inside. Another section of Zatko’s disclosure details his attempt to lock down Twitter’s systems to defend against possible internal threats after the January 6th insurrection, and his subsequent discovery that there was no way to make this happen.

In fact, Twitter has been compromised in a very similar way before. In 2019, two former Twitter employees in the US were found to have accessed the platform’s information on critics of Saudi Arabia under the direction of the Saudi government. Following their exposure, the Justice Department charged them with acting as unregistered foreign agents.

A persistent problem

National security groups have been particularly focused on this kind of insider attack in recent years. In a 2021 briefing sent to US businesses, the National Counterintelligence and Security Center warns that a growing number of state and non-state actors are targeting the United States, trying to obtain intelligence by “employing a range of illegal techniques, including insider threats, cyber penetrations, supply chain attacks, and blended operations that combine some or all these methods.”

So, for any company the size of Twitter, the question is not if it will deal with an insider threat but when. David Thiel, chief technology officer at the Stanford Internet Observatory and a former security engineer at Facebook, told The Verge that the best practice for tech companies is to assume insider threats will happen and preemptively limit their impact. Vetting personnel is an important step, Thiel said, but since it won’t catch every possible bad actor, strict access controls (so that few people can reach sensitive data at all) and sophisticated monitoring systems (so that misuse by those who can is noticed) are crucial.

“It’s a sensitive area because you do not want to get in the situation where you’re considering everybody that works for you in a particular country to be a potential spy,” Thiel said. “So this is something that has to be done with technical controls that are applied evenly and equitably across the world.”
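The two controls Thiel describes, a preventive gate on who may touch sensitive data and a detective review of what they actually did, are easier to see in working form than in prose. The following is an added example written for this article, not code from Twitter, Zatko’s disclosure, or Thiel; the internal tool, its role names, the `ticket=` field and the audit log lines are all constructed for illustration. The preventive side ties every sensitive lookup (DM reads, IP logs, exports) to both a role that grants it and a support ticket; the detective side replays audit lines and flags sensitive access with no ticket, any access to a watchlisted high-profile account, and bulk lookups of many distinct accounts in a short window, which is the pattern behind the snooping the article describes.

```python
"""Constructed example: preventive gate plus audit-log review for an
internal user-lookup tool. Names, roles, fields and log lines are made up."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple

# Actions that expose private user data and therefore need a ticket.
SENSITIVE_ACTIONS: FrozenSet[str] = frozenset({"read_dm", "view_ip_log", "export_account"})

# Hypothetical role-to-action grants: most staff get no sensitive action at all.
ROLE_GRANTS: Dict[str, FrozenSet[str]] = {
    "support_tier1": frozenset({"view_profile"}),
    "support_tier2": frozenset({"view_profile"}) | SENSITIVE_ACTIONS,
}


def authorize(role: str, action: str, ticket: Optional[str]) -> bool:
    """Preventive control: the role must grant the action, and a sensitive
    action additionally needs a ticket so every access is attributable."""
    if action not in ROLE_GRANTS.get(role, frozenset()):
        return False
    if action in SENSITIVE_ACTIONS and not ticket:
        return False
    return True


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    target: str
    ticket: Optional[str]


def parse_event(line: str) -> Event:
    """Parse one constructed audit line: '<ISO ts> k=v k=v ...'; ticket=- means none."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ticket = kv.get("ticket", "-")
    return Event(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        user=kv["user"],
        action=kv["action"],
        target=kv["target"],
        ticket=None if ticket == "-" else ticket,
    )


def parse_log(text: str) -> List[Event]:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def find_violations(
    events: List[Event],
    high_profile: FrozenSet[str] = frozenset(),
    window: timedelta = timedelta(minutes=10),
    max_targets: int = 5,
) -> List[Tuple[str, str, str]]:
    """Detective control over the audit trail. Returns (user, reason, detail)
    findings for: sensitive access without a ticket, any sensitive access to a
    watchlisted account, and more than max_targets distinct accounts per window."""
    findings = set()
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in SENSITIVE_ACTIONS:
            continue
        if ev.ticket is None:
            findings.add((ev.user, "no_ticket", ev.target))
        if ev.target in high_profile:
            findings.add((ev.user, "high_profile_target", ev.target))
        q = recent[ev.user]
        q.append((ev.ts, ev.target))
        while q and ev.ts - q[0][0] > window:  # drop entries outside the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > max_targets:
            minutes = int(window.total_seconds() // 60)
            findings.add((ev.user, "bulk_lookup", f"{len(distinct)} accounts within {minutes} min"))
    return sorted(findings)


# Constructed sample audit lines (not real logs): alice is clean, bob reads a DM
# with no ticket, carol walks six accounts' IP logs in two minutes on one ticket,
# dave reads a DM of a watchlisted account.
SAMPLE_LOG = """\
2022-08-23T10:00:01Z user=alice action=read_dm target=acct:1001 ticket=SUP-4411
2022-08-23T10:00:05Z user=bob action=view_profile target=acct:1002 ticket=-
2022-08-23T10:01:10Z user=bob action=read_dm target=acct:1002 ticket=-
2022-08-23T10:02:00Z user=carol action=view_ip_log target=acct:2001 ticket=SUP-4500
2022-08-23T10:02:20Z user=carol action=view_ip_log target=acct:2002 ticket=SUP-4500
2022-08-23T10:02:40Z user=carol action=view_ip_log target=acct:2003 ticket=SUP-4500
2022-08-23T10:03:00Z user=carol action=view_ip_log target=acct:2004 ticket=SUP-4500
2022-08-23T10:03:20Z user=carol action=view_ip_log target=acct:2005 ticket=SUP-4500
2022-08-23T10:03:40Z user=carol action=view_ip_log target=acct:2006 ticket=SUP-4500
2022-08-23T10:05:00Z user=dave action=read_dm target=acct:7 ticket=SUP-4600
"""

if __name__ == "__main__":
    for finding in find_violations(parse_log(SAMPLE_LOG), high_profile=frozenset({"acct:7"})):
        print(finding)
```

Note that carol's lookups each carry a valid ticket and would pass the preventive gate one at a time; only the rate check across the window catches them, which is why Thiel's point about monitoring on top of access control matters. Applying the same thresholds to every employee regardless of office or nationality is what keeps the control "evenly and equitably" applied.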

It’s also possible that Twitter execs felt they had no choice but to comply. Rose Jackson, director of the Democracy & Tech Initiative at the Atlantic Council’s Digital Forensic Research Lab, says that the US government has taken “a completely hands-off approach” to governance for global tech companies that are headquartered in the United States, leaving them to fend for themselves when navigating sensitive geopolitical issues.

But the result is still a chilling precedent for platforms and their users. Jackson says a hypothetical situation where the US forced companies to employ intelligence agents would still be “beyond the pale.”

“If the United States told Twitter that if it wanted to continue to operate in the United States, that a US intelligence official needed to be placed on its staff, and Twitter said ‘okay,’ then that would be a major scandal worthy of serious investigation,” Jackson told The Verge. “The national security implications, the cybersecurity implications of this — it’s an outlandish idea that that would be acceptable behavior.”