A new whistleblower has told Congress that Twitter continued to violate privacy and data security protections into the Elon Musk era, potentially risking legal action including hefty penalties.
As many as 4,000 company employees could access an internal function nicknamed “GodMode” that allows them to take over private accounts and tweet from them, or delete tweets from them, according to a whistleblower complaint filed in mid-October, two weeks before Musk took over the company. It’s not clear whether the problem has been resolved since the complaint was filed.
Twitter didn’t respond to a request for comment.
The complaint was shared with the Justice Department, the Federal Trade Commission and some members of Congress. A congressional staffer shared the complaint with Bloomberg News, requesting anonymity because of the complaint’s sensitive nature. The Washington Post previously reported the emergence of the new Twitter whistleblower and that person’s complaint.
“Twitter does not have the capability to log which, if any, engineers use or abuse GodMode,” reads the complaint, which was filed by Whistleblower Aid, a nonprofit law firm, on behalf of the anonymous whistleblower.
Since the complaint was filed, several top executives overseeing cybersecurity and privacy, in addition to teams responsible for government compliance, are no longer with the company.
The whistleblower was employed as an engineer at Twitter at the time of the complaint filing, but is no longer at the company, according to a person familiar with the matter who requested anonymity because of sensitivities involved. The whistleblower also briefed a congressional committee this month about transgressions at the company that continued under Musk, according to the congressional staffer who shared the complaint with Bloomberg.
A spokesperson for the FTC declined to comment, but the agency has previously said it was tracking developments at Twitter with “deep concern” and would seek compliance from the company.
Representative Jan Schakowsky, an Illinois Democrat, said in a statement on Wednesday she was concerned about Twitter users’ data following the whistleblower’s disclosures. “This further demonstrates the need for action from both Congress as well as regulators,” she said, adding proposed legislation would require companies to ensure consumers’ data is secure and empower the FTC to enforce the requirement.
The FTC has deepened an existing investigation into Twitter’s privacy and data security practices since Musk acquired the company, Bloomberg reported last month. Musk’s Twitter is still subject to FTC oversight under a consent order that runs through at least 2042, making the company’s privacy and data policies and new product offerings subject to scrutiny by the agency.
The October complaint, which includes screenshots of code, says that since 2016, about 4,000 workers could easily access individual Twitter accounts and tweet from them. To do so, they would have to download code from the social media company’s code repository, change a setting from “false” to “true” and then run the code, according to the whistleblower.
The complaint says one engineer described use of the function as based on “an honor system” and that no logs were kept of its use.
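The two complaint passages above describe the control gap concretely: the privileged function is gated only by a boolean in checked-out source, and nothing records who used it. The following is a constructed illustration (not Twitter’s code; all names, tickets and accounts are hypothetical) contrasting that pattern with one where each use requires a per-actor authorization decision and leaves a tamper-evident audit record.

```python
"""Constructed illustration (not Twitter's code) of a privileged impersonation
path gated only by a source-level boolean versus one gated by a per-use
authorization check that writes a hash-chained, tamper-evident audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

# Weak pattern: the "control" is a constant in the checked-out code.
GOD_MODE = False  # anyone who can edit and run this file can flip it to True


def weak_tweet_as(account: str, text: str) -> bool:
    """Returns whether the privileged action would run. Nobody is identified."""
    return GOD_MODE


@dataclass
class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so a deleted or edited record is detectable by verify()."""
    entries: list = field(default_factory=list)
    _prev: str = "0" * 64

    def record(self, **fields) -> dict:
        fields["ts"] = datetime.now(timezone.utc).isoformat()
        fields["prev"] = self._prev
        digest = hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()
        fields["hash"] = digest
        self._prev = digest
        self.entries.append(fields)
        return fields

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = digest
        return True


class ImpersonationService:
    """Hardened pattern: an (engineer, account) pair must hold a pre-approved
    ticket, and every attempt, allowed or denied, is logged with the decision."""
    def __init__(self, approvals: dict, log: AuditLog):
        self.approvals = approvals  # hypothetical store: {(engineer, account): ticket_id}
        self.log = log

    def tweet_as(self, engineer: str, account: str, text: str) -> bool:
        ticket = self.approvals.get((engineer, account))
        decision = "allow" if ticket else "deny"
        self.log.record(actor=engineer, target=account, action="tweet", decision=decision,
                        ticket=ticket, text_sha256=hashlib.sha256(text.encode()).hexdigest())
        return decision == "allow"
```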
The whistleblower also said in an earlier September complaint, which was also filed with the FTC, the Justice Department and some members of Congress, and shared with Bloomberg by the congressional staffer, that the company leadership “does not support fixing known vulnerabilities” and pointed to “major ongoing security lapses.”
The congressional staffer told Bloomberg that the FTC is now facing “a sort of existential moment” given allegations that Twitter has repeatedly ignored its commitments on data security and privacy protections amid a barrage of public failings.
The whistleblower complaint is the latest in a series of setbacks or complaints about Twitter’s security.
In 2020, a Florida teenager was accused of being the mastermind of a Twitter hack that involved taking over the accounts of prominent users, including Joe Biden, Barack Obama and Jeff Bezos. Then, in August, Twitter’s former security lead, Peiter Zatko, who goes by Mudge, said the company had made misrepresentations to regulators about major security, privacy and integrity lapses, citing excessive access to accounts and weak internal controls. Zatko’s allegations, including his testimony before Congress in September that the platform was a “ticking bomb of security vulnerabilities,” triggered a major ongoing FTC investigation.