A whistleblower alleges in a complaint filed in October that there are still serious privacy and data security concerns at Twitter, according to a January 25 Bloomberg article.
The whistleblower alleges that “[a]s many as 4,000 company employees could access an internal function nicknamed ‘GodMode’ that allows them to take over private accounts and tweet – or delete tweets from them,” the article states. The whistleblower complaint “was shared with the Justice Department (DOJ), the Federal Trade Commission (FTC) and some members of Congress.” According to the article, the complaint was shared with Bloomberg by an anonymous congressional staffer.
The complaint alleges: “Twitter does not have the capability to log which, if any, engineers use or abuse GodMode.” Nonprofit law firm Whistleblower Aid filed the lawsuit on behalf of the whistleblower.
The whistleblower is remaining anonymous, but according to the article, they worked at Twitter as an engineer when they filed the complaint. They no longer work at Twitter, “according to a person familiar with the matter who requested anonymity because of sensitivities involved,” the article states. The staffer who shared the complaint with Bloomberg also said that the whistleblower “briefed a congressional committee this month about transgressions at the company that continued under [Elon] Musk.”
The complaint “includes screenshots of code” and alleges “that since 2016, about 4,000 workers could easily access individual Twitter accounts and tweet from them. To do so, they would have to download code from the social media company’s code repository, change a setting from ‘false’ to ‘true’ and then run the code, according to the whistleblower.” The whistleblower also alleges that “one engineer described use of the function as based on ‘an honor system’ and that no logs were kept of its use.”
According to Bloomberg, the whistleblower said in an earlier September complaint filed with the FTC, the DOJ, and “some members of Congress” that leadership at Twitter “does not support fixing known vulnerabilities” and discussed “major ongoing security lapses.”
“Since the complaint was filed, several top executives overseeing cybersecurity and privacy, in addition to teams responsible for government compliance, are no longer with [Twitter],” Bloomberg reports.
Both Twitter and the FTC did not respond to a request for comment. However, Representative Jan Schakowsky (D-IL) published a statement expressing concerns about the whistleblower’s allegations.”The Twitter whistleblower’s disclosures highlight that technology companies are routinely failing to protect the security and privacy of consumers’ data. I am particularly concerned about Twitter users’ data, as well as the potential impact of the debts Elon Musk owes to foreign powers.”
Rep. Schakowsky commented, “This further demonstrates the need for action from both Congress as well as regulators. The American Data Privacy and Protection Act, which passed the House Energy and Commerce Committee last Congress with overwhelming bipartisan support, required companies to ensure consumers’ data is secure and empowered the FTC to enforce the requirement.”
“The FTC has deepened an existing investigation into Twitter’s privacy and data security practices since Musk acquired the company, Bloomberg reported last month. Musk’s Twitter is still subject to FTC oversight under a consent order that runs through at least 2042, making the company’s privacy and data policies and new product offerings subject to scrutiny by the agency,” the article states.
Twitter has been no stranger to whistleblower complaints and employees speaking out about issues at the company. In the seventh hearing hosted by the Select Committee to Investigate the January 6th Attack on the United States Capitol that took place in July 2022, a former Twitter employee who remained anonymous spoke about former President Donald Trump’s behavior on the platform. Read about the hearing on WNN.
Peiter Zatko, Twitter’s former head of security, filed whistleblower complaints in August 2022 alleging “that the company deceived regulators, investors, and its own board of directors about ‘extreme, egregious deficiencies’ in its cybersecurity defenses,” prior WNN reporting states. He submitted his complaints with the U.S. Securities and Exchange Commission as well at the FTC and DOJ. In September 2022, Zatko, or “Mudge,” testified before the Senate Judiciary Committee about his allegations that the social media platform has “egregious deficiencies” in its cybersecurity defenses.
Read the Bloomberg article here.