Will a Twitter whistleblower end up vindicating Elon Musk? Perhaps, but that may be the least of Parag Agrawal’s headaches after his former security chief has started blowing the whistle on a wide range of issues at the social media platform. Peter “Mudge” Zatko, who began his career as an “ethical hacker,” alleges that Twitter and especially Agrawal have defied an FTC order to improve its security, allowed foreign intel agencies to penetrate it, and that its system lacks even the basic security and encryption necessary to protect customer data.

Oh, and Agrawal and Twitter are lying about its bot problem too, as CNN notes:

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).

The full scope of Zatko’s disclosures to Congress makes the apparent vindication of Musk’s claims a second-tier legal issue for Agrawal, but it’s not irrelevant. Twitter sued Musk for his allegedly disparaging claims after Musk pulled out of their deal on the basis of a lack of transparency on the bot issue. Zatko’s whistleblowing claims put that shoe very much on the other foot, with a picture emerging of Twitter perhaps attempting to defraud Musk and its other investors on the company’s value and its internal investments.

CNN reports that a copy of Zatko’s voluminous disclosures — complete with exhibits — went to the Securities and Exchange Commission. That portends a lot more blowback than a failed sale to Musk. Musk may have erred in signing the sale agreement without fully conducting due diligence on the issue of bots (among other points), but Zatko claims that Agrawal and his team had been misleading the SEC on bots for a long time anyway:

The company has repeatedly reported that less than 5% of its mDAUs are fake or spam accounts, and a person familiar with the matter both affirmed that assessment to CNN this week and pointed to other investor disclosures saying the figure relies on significant judgement that may not accurately reflect reality. But Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

Zatko says he began asking about the prevalence of bot accounts on Twitter in early 2021, and was told by Twitter’s head of site integrity that the company didn’t know how many total bots are on its platform. He alleges that he came away from conversations with the integrity team with the understanding that the company “had no appetite to properly measure the prevalence of bots,” in part because if the true number became public, it could harm the company’s value and image.

How much does this help Musk? It certainly doesn’t hurt him. If Twitter filed misleading claims with the SEC about  — well, apparently a wide range of things — they could have opened themselves up to a countersuit from Musk on the basis of stockholder fraud. And Musk might get a lot of company in such a lawsuit.

But that’s speculative, and it’s not Twitter’s primary risk at the moment. The Washington Post report from the same set of disclosures makes the biggest risk clear:

Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors withrosy charts measuring unimportant changes. …

After Zatko joined the company, he found it had made little progress since the 2011 settlement, the complaint says. The complaint alleges that he was able to reduce the backlog of safety cases, including harassment and threats, from 1 million to 200,000, add staff and push to measure results.

But Zatko saw major gaps in what the company was doing to satisfy its obligations to the FTC, according to the complaint. In Zatko’s interpretation, according to the complaint, the 2011 order required Twitter to implement a Software Development Life Cycle program, a standard process for making sure new code is free of dangerous bugs. The complaint alleges that other employees had been telling the board and the FTC that they were making progress in rolling out that program to Twitter’s systems. But Zatko alleges that he discovered that it had been sent to only a tenth of the company’s projects, and even then treated as optional.

If Zatko’s allegations are proven, the company could face substantial penalties — potentially in the hundreds of millions of dollars — said David C. Vladeck, who was director of the FTC’s bureau of consumer protection at the time of the settlement.

With all of this going on, does Agrawal really want to ask a court to enforce the sales agreement with Musk?

Let’s not forget the allegations of foreign-intel penetration on a platform where world leaders and important figures in business mix. One former employee has already been convicted of espionage for Saudi Arabia, and Zatko suspects other employees are moles for other services. His complaint specifies one suspected mole for India, which Twitter hired allegedly under pressure from that government in order to conduct business in the country. Zatko also accuses Agrawal of at least considering compliance with a demand from Russia to open an office in Moscow and allow Russia access to internal data in exchange for commercial operations there. Zatko is certain that the problem of espionage from within the company is not insignificant — and one has to figure that the FBI, CIA, and NSA may take a particular interest in that aspect of Agrawal’s operations.

Finally, users may believe that their information is protected by Twitter and is deleted when the accounts get canceled. Wrong, Zatko alleges; Twitter doesn’t destroy the information from former users, and it uses all of this data for marketing purposes, sometimes in defiance of FTC regulations. That will no doubt weigh on the share prices over the next few days as users react to those allegations.

Maybe the smartest move Agrawal could make at this point is to offer Musk a buyout at a significantly discounted share price and hand the whole mess to him. Agrawal may need to act fast; those share prices may drop soon, hard, and rather permanently. Musk might end up getting Twitter much cheaper than he thought. Assuming Musk still wants it, that is.