Pages

30 August 2022

Twitter, Meta, and Blowing the Whistle on Big Tech

STEVEN LEVY

In late 1969, Daniel Ellsberg made a brave and consequential decision. As an employee of the RAND Corporation, a US government contractor, he had access to classified documents that contradicted top officials’ promises that the Vietnam War could be won. He secretly copied the documents and for the next year tried to get them made public, first through Congress, then through the press. In June 1971, The New York Times published the first of a series of articles on what would be known as the Pentagon Papers. The government sued to suppress them, and while the case made its way through the courts, Ellsberg leaked the papers to The Washington Post. By that time the FBI was after him, though he had not publicly admitted his role as the whistleblower. He came clean just before the Supreme Court allowed the Times to continue publishing on June 30. Ellsberg was arrested and tried for theft and conspiracy, going free only because of government misconduct.

Earlier this year, Peiter “Mudge” Zatko made a decision of his own. A security expert handpicked by Twitter’s then-CEO Jack Dorsey in November 2020 to address the company’s chronic failings, he was fired last January after clashes with the current CEO, Parag Agrawal. Zatko believed that Twitter’s management wasn’t taking steps to fix its security problems—and that Agrawal was lying about those shortcomings to the board of directors, shareholders, and regulators. Like Ellsberg, he decided to go public. Unlike Ellsberg, Zatko was able to tap the services of a nonprofit, Whistleblower Aid, set up specifically to assist people like him and keep them out of legal trouble. After meeting him in March, a cofounder of the nonprofit, John Tye, agreed to work with Zatko.

Zatko and his handlers strategized and launched a coordinated campaign to expose Twitter’s alleged wrongdoing. They used a full rack of Scrabble tiles to file agency complaints … SEC, FTC, DOJ. Zatko met with the staffers of several congressional committees and is scheduled to testify. Most dramatically, he and his team broke news by orchestrating a leak of his complaints from one of the congressional committees. The recipients were The Washington Post and CNN, and their stories went live under a shared embargo on August 23. Zatko gave interviews to both organizations, which treated him lovingly. The Post photographer even captured an artsy shot of Zatko and his mirror reflection, full of oracle vibes. (In contrast, Agrawal was pictured glumly roaming the grounds of an unnamed conference in a dark hoodie.)

If this all sounds familiar, it’s because last year another whistleblower, former Meta program manager Frances Haugen, had a similar rollout of her allegations, complete with agency and congressional briefings and glam images on 60 Minutes and in The Wall Street Journal. And of course, redacted documents leaked just in time from a congressional friend. No coincidence that her whistleblower sherpa was the same as Zatko’s, John Tye.

Whistleblowers of conscience have been around as long as institutional malfeasance has existed, but it’s become something of a trend in tech. In part, this is because of recent laws that give protection to whistleblowers in certain cases, notably when it comes to reporting corporate fraud to the SEC. But the phenomenon also reflects a workforce fed up with employers who have seemingly abandoned their once idealistic principles. “Whistleblowing is a growth industry,” says Tye, who himself once blew the whistle on the NSA before cofounding his organization.

Zatko’s case, though, is not as clean as Ellsberg’s—or Haugen’s. The credibility of the latter two didn’t matter. Their revelations were contained in the documents they leaked—no framing necessary. In contrast, Zatko’s complaint was an argumentatively narrated saga of corporate wrongdoing and fraud, his charges backed by emails and a draft of an outside study of Twitter’s security. In a statement, Twitter says that Zatko’s complaint is “riddled with inaccuracies.” The company’s Rebecca Hahn told the Post, “Security and privacy have long been top company-wide priorities at Twitter.”

From what I know of Zatko, he is indeed an “ethical hacker,” as he calls himself. (Non-humble brag: That term is loaded with the DNA of the “hacker ethic,” a phrase I coined in 1984 to describe the mentality of righteous code wizards.) Rising from the ranks of hacker collectives like L0pht and Cult of the Dead Cow, Zatko has previously testified before Congress, worked for Darpa, and most recently held a key post at Stripe. The dominant thread in his messaging is an urge to improve security. “He is the most credentialed person you could ever want and super articulate about everything and just a great guy,” says Tye. But not such a great guy if he’s against you. His complaint is 84 pages of strident arguments that Twitter’s substandard practices are linked to intentional malfeasance. Predictably, some voices are now questioning Zatko’s credibility.

Then there’s the explosive Elon Musk angle. Tye denies that he or Zatko coordinated with the Tesla billionaire, who is trying to slither out of his commitment to buy Twitter. Indeed, Zatko’s whistle was lodged firmly in his lips before that drama began this April. Nonetheless, Zatko’s complaint steers straight into this minefield, with a whole section alleging Twitter’s perfidy in responding to Musk’s gripes about bot numbers. Seems gratuitous.

But that’s part of the whistleblower dynamic. We journalists will hungrily grab at any opportunity to humanize an important, but esoteric, issue. Everyone is fascinated by the truth teller, but what really matters is what truth they’re telling. I wonder whether the security issues Zatko exposed would get nearly as much attention had a dashing figure with a mysterious nom de hack not been attached to them. Frankly, it’s well known that Twitter isn’t a leader in the admittedly challenging task of keeping data safe. (Case in point: Teenagers once hacked the accounts of celebrities like Musk, Kim Kardashian, and Barack Obama.) That was why Dorsey brought Zatko in—to fix things. Zatko’s complaint sideswipes Dorsey for not speaking up much in their few meetings. But the broadside paints Twitter’s current CEO as the clear villain, thwarting Zatko’s attempts to fix the worst practices. It makes for juicy reading. But the story that really matters is poor security and why some companies are worse than others.

This doesn’t mean that whistleblowers aren’t courageous. Even with the current protections, putting yourself in the public light by exposing information you once vowed to keep secret is a risky enterprise. And powerful enemies are a guarantee. But I wonder whether Zatko’s takedown of a company he professes to love might contribute to its further erosion. After all, if Musk gets to walk away from his commitment, that would be a disaster for the company. Users might simply lose trust in the service. A weaker Twitter might have fewer resources to secure its data properly. At the very least, Zatko has caused further chaos in a company whose executives are already heading for the doors.

Nonetheless, I celebrate the public release of Zatko’s complaint, especially if his revelations spur Congress to actually strengthen computer security by passing laws with sharp teeth. It’s been pointed out that the tension between Zatko and Agrawal is a familiar one between a CEO and a security specialist. But if we had a law that made it a crime to ignore best practices in security—making top executives and board members liable—I’d bet that tension would become more of a collaboration.

Still, here’s a bet I won’t make—that Zatko’s return to Congress will deliver such legislation. It’s going to take more whistleblowers for that to happen.

Time Travel

In July 2005, I wrote a Newsweek cover story about computer security and identity theft. When discussing how companies fail to protect our data, I devoted several paragraphs to some of the same security flaws Zatko lists in his complaints about Twitter. I also discussed the prospect for security laws that Congress is still pondering 17 years later.

Millions of Americans now have a new reason to dread the mailbox. In addition to the tried-and-true collection of Letters You Never Want to See—the tax audit, the high cholesterol reading, the college rejection letter—there is now the missive that reveals you are on the fast track to becoming a victim of identity theft. Someone may have taken possession of your credit-card info, Social Security number, bank account, or other personal data that would enable him or her to go on a permanent shopping spree—leaving you to deal with the financial, legal, and psychic bills.

Deborah Platt Majoras got the pain letter last week, from DSW Shoe Warehouse. Hers was among more than a million credit-card numbers that the merchant stored in an ill-protected database. So when hackers busted in, they got the information to buy stuff in her name—and 1.4 million other people’s names. “It’s scary,” she says. “Part of it is the uncertainty that comes with it, not knowing whether sometime in the next year my credit-card number will be abused.” Now she must take steps to protect herself, including re-examining charges closely, requesting a credit report, and contacting the Federal Trade Commission to put her complaint into its extensive ID-theft database. The latter step should be easy for her, since Majoras is the FTC chair.

Nadia asks, “What is your view on the wave of layoffs we are seeing at big tech companies and startups? When is it going to hit its peak?”

Thanks, Nadia. Right off the bat, I can’t tell you when the layoffs will peak. But peak they will, and then at some later point we’ll see another cycle of hiring. Sadly, by that time some startups will have, uh, stopped. And big tech companies will find that it’s much harder to draw great new candidates than it is to give the boot to people you previously spent hundreds of hours recruiting.

I get it—there’s truth to the canard that tough times encourage necessary discipline. That goes for both startups and bigger companies. But discipline should have been there all along. The best companies know this. Never forget: When you lay people off, you are messing with their lives. If you hire a whole team of people for some weird side project, you owe it to those people to think ahead a bit. Ask yourself, “If times are tough, am I going to think that this cool little division is important enough to keep?” If the answer is no, maybe don’t lure people away from their current jobs and instead plow some money into improving your core product. Or beef up your support team so your customers can get a human being on the damn phone.

The worst is when the billionaires and billionaire wannabes start weeping as they fire employees they so deeply valued just a day before. Instead of shedding tears, they should be shedding equity to give those people bigger severance packages. Maybe then, when the hiring recommences, word will get out that the boss of this company is not an absolute jerk.

No comments:

Post a Comment