5 takeaways from Twitter whistleblower Peiter Zatko

SAN FRANCISCO (AP) — Startling new revelations from Twitter's former head of security, Peiter Zatko, have raised serious new questions about the security of the platform's service, its ability to identify and remove fake accounts, and the truthfulness of its statements to users, shareholders and federal regulators.

Zatko — better known by his hacker handle “Mudge” — is a respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon’s Defense Advanced Research Agency and Google. Twitter fired him from the security job early this year for what the company called “ineffective leadership and poor performance.” Zatko's attorneys say that claim is false.

In a whistleblower complaint made public Tuesday, Zatko documented his uphill 14-month effort to bolster Twitter security, boost the reliability of its service, repel intrusions by agents of foreign governments and both measure and take action against fake “bot” accounts that spammed the platform. In a statement, Twitter called Zatko's description of events “a false narrative.”

Here are five takeaways from that whistleblower complaint.

TWITTER'S SECURITY AND PRIVACY SYSTEMS WERE GROSSLY INADEQUATE

In 2011, Twitter settled a Federal Trade Commission investigation into its privacy practices by agreeing to put stronger data security protections in place. Zatko's complaint charges that Twitter's problems grew worse over time instead.

For instance, the complaint states, Twitter's internal systems allowed far too many employees access to personal user data they didn't need for their jobs — a situation ripe for abuse. For years, Twitter also continued to mine user data such as phone numbers and email addresses — intended only for security purposes — for ad targeting...