The Irish Data Protection Commissioner (DPC) has an “important role to play” in dealing with allegations made by a whistleblower against Twitter, according to the whistleblower’s legal team.
Peiter Zatko, Twitter’s former head of security, is also willing to appear before an Oireachtas committee and meet data commissioner Helen Dixon about his allegations, his legal team said.
Earlier this week, Mr Zatko, a veteran hacker and security expert known as “Mudge”, made a protected disclosure in the United States to the Securities and Exchange Commission and the department of justice, as well as the Federal Trade Commission (FTC).
As part of his disclosure, he said Twitter had made “egregious and ongoing misrepresentations” to the DPC and other regulators.
Mr Zatko was hired in 2020 by Twitter co-founder and then chief executive Jack Dorsey to strengthen the company’s security after a mass hack targeted 130 high-profile Twitter accounts.
Among the most serious accusations is that Twitter violated the terms of a 2010 FTC settlement by falsely claiming that it had a strong security plan.
The whistleblower disclosure document said: “And in late 2021, Mr Zatko sent memos to executive team members arguing that, in light of the egregious and ongoing misrepresentations to the FTC, French and Irish regulators, plus the very real possibility of multibillion-dollar fines or even bans from big markets, privacy should become Twitter’s #1 priority.”
On foot of the allegations, Twitter and the DPC had a preliminary meeting on Tuesday to discuss the claims. Engagement will continue as the regulator seeks clarity on a number of points with the social media giant, said a DPC spokesman.
Speaking to The Irish Times, John Tye, the founder of Whistleblower Aid and Mr Zatko’s lawyer, who helped him make the protected disclosure, said if the DPC and any Oireachtas committee were interested in speaking to Mr Zatko he would be happy to engage, although there would be some legal requirements before he could do so.
“Of course he will comply [with any legal request to assist],” Mr Tye said. The DPC, as of Thursday evening, had not been in touch with Mr Zatko about his allegations. “We have not been in touch with the DPC, but we are open to it,” he said.
Mr Tye said Mr Zatko was also willing to speak to the Oireachtas about his allegations. “The answer is yes [to engaging]. It’s not just an informal request, it’s a formal process.”
Mr Tye said Ireland’s data protection regulator played a prominent role globally on these kinds of allegations.
“In fact, it [the DPC] was one of the regulators that the company [Twitter] was engaging the most with.”
Asked if he had any interactions with any EU regulators, Mr Tye said: “This all happened about 48 hours ago, that this became public. So in the last 48 hours, we’ve not had any interactions or anything, but we look forward to it. We expect it, we look forward to it.”
Mr Tye added: “He’s legally prohibited from sharing things except through this formal process. But assuming those requirements are met, he looks forward to supporting all of these agencies and investigations.”
Mr Tye also said that the GDPR meant EU regulators had more “flexible legal tools” at their disposal.
“It is stronger than anything we have in the United States. Everyone, including us and Mudge, perceives Europe having a big role to play in these sorts of issues.”
Speaking about Ms Dixon, Mr Tye said: “She has an important role to play, I think that is safe to say.”
Ms Dixon is one of the lead regulators for Twitter globally as the company is based in Ireland for EU data protection purposes.
Mr Tye also said that Mr Zatko had started the disclosure process in March, before Mr Musk began his now aborted purchase of Twitter. “There is no connection there, full stop.”
Twitter has rejected the veracity of the allegations. A spokesman said: “Ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”