Mudge's lawyer: 'Whistleblowing is a growth industry'
Twitter’s former chief security officer, prominent hacker Peiter “Mudge” Zatko, sent shockwaves through the tech scene last month when his complaints to Congress and federal agencies alleging major security issues at the company came to light.
Twitter has framed Zatko as a disgruntled former employee and disputed his claims that the company put users and national security at risk. Nonetheless, he is set to testify about his allegations before the U.S. Senate Judiciary Committee later this month and has been subpoenaed in the ongoing lawsuit over Elon Musk’s attempt to get out of buying Twitter.
John Napier Tye, the founder and chief disclosure officer of nonprofit Whistleblower Aid, is representing Zatko. He raised the alarm about a National Security Agency surveillance program nearly a decade ago before founding the group with a lawyer who represented him.
Tye spoke to The Record, declining to comment on the content of Zatko’s complaint in light of ongoing legal actions, but addressing its context — including Zatko’s career in and outside of government, and how whistleblowing is becoming a substitute for regulatory action as the tech industry speeds ahead of the rules that govern it.
“I do think that because of the growth of information technology and the internet and mobile phones, the structural importance of whistleblowing is going up and we will see more and more whistleblowers from these privileged positions inside the companies,” Tye said.
This interview has been lightly edited for length and clarity.
Andrea Peterson: What role do chief security officers typically play in corporate accountability at this level?
John Napier Tye: Obviously, Twitter is one of the largest, most important platforms on Earth for political discourse and news and all kinds of things. Information security is at the core of what Twitter needs to be doing for its users, for its employees, for other stakeholders, including investors. Obviously, there's just vast amounts, petabyte-level data in terms of user tweets and direct messages.
There's information security of the thousands of employees who work at the company, the thousands of contractors who work for the company. Information security is at the core of Twitter's work and other large internet platforms, other social media companies, other data companies.
AP: One of the concerns I've heard about folks in top-level security roles is that they sometimes end up being sacrificial lambs. Is that something that you have seen play out in the larger context?
JNT: I don't have enough data points from enough companies to speculate about what you said, nor am I going to go into details about Mudge's disclosure, but what I can say is that Mudge was brought in personally by Jack Dorsey, who was then the CEO, to address longstanding security and privacy and other issues inside the company that hadn't been dealt with in over a decade.
He worked hard to get the truth on all of these things. He worked hard to report that up to the CEO and the board of directors. As has been disclosed in the disclosure, after he worked to correct inaccurate information that went to the board of directors and replaced it with accurate information to the board of directors, he was soon thereafter fired by the new CEO.
I'm not going to go into further details than that but I think you can infer an answer to your question.
AP: How did Mudge's work history inform his decision about submitting complaints?
JNT: One of the things about him is that for nearly 30 years, he's been at the forefront of security, but also ethically disclosing security vulnerabilities. He's always followed the law. He's always done things lawfully and ethically. He helped to pioneer the ethical disclosure movement going as far back as Microsoft Windows. He found security problems there that the company was unwilling to address. He looked for creative, lawful, ethical ways to confront the company with that and force them to change. This really is part of a pattern with what he's been doing for almost 30 years.
I will also say, he's unusual in that he has credibility both with the community of ethical hackers from which he came in the early 1990s and the U.S. national security and intelligence community. He took a senior position at DARPA, the Defense Advanced Research Projects Agency. He held all these top-secret clearances, special compartment, special access programs.
He was part of cutting-edge research on both defensive and offensive cyber capabilities for U.S. intelligence agencies. He stayed close with his friends and colleagues from that period of his life. He is respected not just in the hacker community, but in the intelligence community, and that's quite significant. He's been doing this stuff for decades.
He's one of the best in the world in it.
AP: How does that position him versus other whistleblowers?
JNT: As we saw over a decade ago at this point, some of the very prominent whistleblowers, number one, they weren't necessarily talking to lawyers or getting good legal advice. They ended up in prison, fleeing the country. We are clearly here to try to help people do things lawfully in a safe way.
But also, some of those early previous whistleblowers were quite young, in their 20s, even teens, when they were making decisions. Part of that is they didn't have mortgages to pay. They didn't have children or longstanding careers... They were able to take risks that most people aren't able to take.
It is quite significant that Mudge is someone with all of this credibility who's been doing this for many years, who was making plenty of money at a job. He nevertheless took the risk to try to bring these issues forward while he has a family — he has two children, one with complex, difficult medical needs.
It's quite significant that someone of his stature and seniority would decide to proceed with something like this.
AP: How did your own experience with whistleblowing in a government program affect your approach to this case?
JNT: I was a whistleblower myself back in 2014. From 2011 to 2014, I worked at the State Department. I had a top-secret clearance and my job was promoting internet freedom worldwide. That's freedom of expression and privacy rights worldwide. I was involved after the Snowden disclosures came out in June of 2013. I was involved in the diplomatic response to that at the U.N. General Assembly in New York, the Human Rights Council at Geneva, bilateral discussions with Germany and Brazil and other countries in response to the Snowden disclosures.
For that whole year after the disclosures, I realized that there hadn't been a single article on the main legal authority that the National Security Agency uses to collect Americans' data. That's called Executive Order 12333. I decided to become a lawful whistleblower. I believed then and I believe now that NSA activities violate the Fourth Amendment.
I hired two lawyers to help me be a lawful whistleblower, Mark Zaid and another lawyer. I paid them $13,000. I went through the lawful whistleblowing process, which means I first met with the State Department and then the NSA Inspector General offices. Then I met with the House and the Senate Intelligence Committee staff. And then finally, I went through the pre-publication review process. So I wrote up an op-ed describing my concerns. I submitted it to the State Department and the NSA for review to ensure it didn't contain classified material and then it was ultimately published in the Washington Post. That happened in 2014.
I was lucky that I was a lawyer. I knew a bunch of lawyers. I found lawyers to help me. I could pay them. I realized that there was a big need to help people in that situation. So in 2017, I launched Whistleblower Aid based on that experience with one of my lawyers, Mark Zaid.
We have handled a whole bunch of big cases over the last five years, including our lawyers representing the anonymous CIA officer whose disclosures led to the first impeachment of President Trump. We represented a Facebook whistleblower from a year ago, and a whole bunch of other cases from the U.S. government.
Our clients' evidence has blocked multiple presidential nominees in the U.S. Senate before they were able to be confirmed. We had disclosures about Jeffrey Epstein, about Harvey Weinstein. So we've done a whole lot of cases on different issues.
AP: You were talking about some of the earlier or younger whistleblowers. Who are you speaking about particularly, and what advice do you wish they had gotten?
JNT: Some of the big names that have come out 10 years ago, more than 10 years ago. We started Whistleblower Aid so that future whistleblowers could get the help they needed to stay safe so that they wouldn't have to go to prison, they wouldn't have to flee the country. We could help them follow the rules so that they weren't having to ruin their careers, their lives, to become whistleblowers.
We wish we had been around when other people were facing those choices. They were put in tough situations where it's hard to know what to do. We're here to help our clients stay safe, get the word out in a lawful and ethical and safe way.
We do all of our cases pro bono unless we win money for the client. If we win money, then we might take a part of it as a fee, but that's pretty rare. Almost all of our cases, we've never received a penny for. We're a public charity.
AP: How has the expansion in commercial surveillance, as well as government surveillance, changed the calculus for potential whistleblowers?
JNT: Surveillance is a huge issue and it's affecting life in so many ways now and so there's governments that are sucking up every bit of information they can get about every person on Earth. There are corporations sucking up every bit of information they get about every person on Earth. They have different goals. The governments, of course, have their own national interests that they're pursuing. Corporations are typically focused on profits. Then there's different legal regimes governing these things.
Every government has their own legal regime and so, for instance, the Chinese government is, of course, trying to suck up every bit of information they can get on every person on Earth, and really, so is the U.S. government. But the U.S. government is bound by the rule of law, and China, as we know, is not a democracy bound by the rule of law. They present different risks to users.
Of course, corporations are, at least in theory, bound by the laws where they operate and are incorporated. But often, there are fewer constraints on corporations collecting data than, for instance, the U.S. government. The U.S. government is under more constraints in collecting many people's data – at least legal constraints – than big companies like Facebook and Twitter and Google.
The internet, mobile phones, the impact on economies and individual privacy, those issues are running ahead of where the governments are at.
We're just now starting to reckon with how social media affects the mental health of teenagers years after millions and millions of teenagers started using these things on a daily basis. That's just one example of how the technologies are racing ahead of the government's ability to understand and regulate.
AP: Given that, do you think we could see more whistleblowers particularly coming from a security background?
JNT: Yes, the control and the manipulation of information — the value of that is going up. Meanwhile, the number of people who really know the truth about those things is still relatively small, and often it is the chief information security officer or another small group at some of these companies that are really seeing what's happening.
I do think that because of the growth of information technology and the internet and mobile phones, the structural importance of whistleblowing is going up and we will see more and more whistleblowers from these privileged positions inside the companies.
We would never learn a lot of these things without the whistleblowers, about what's really happening with the data. They are playing a crucial role.
AP: What's the next area that you think we'll be seeing whistleblowers focus on beyond security?
JNT: There's so many. I was a whistleblower on privacy and surveillance issues. Our lawyers represented a whistleblower related to abuses by President Trump. We have whistleblowers from 10 different U.S. agencies. We have whistleblowers related to sexual harassment and violence. We have whistleblowers on, obviously, data protection and security issues.
We have whistleblowers on just straight-up fraud and lying type things. I would say whistleblowing is going to continue. We're going to see it across all those things. I wouldn't be surprised if we see some from the criminal justice system, from finance.
Whistleblowing is a growth industry.
AP: What's the advice that you personally have to whistleblowers in terms of securing themselves?
JNT: Number one, I always tell people the safest thing is to go home and not be a whistleblower.
You should really think about it long and hard. Number two, talk to a lawyer before you do anything else — a lawyer you trust who hopefully has experience in these issues. We're here, we can help, but there's other law firms out there that do great work as well.
Don't talk to your boss. Don't talk to your colleagues. Don't talk to your spouse or your friends. Talk to a lawyer first. Next, secure the evidence lawfully. Don't steal anything. Don't hack anything. Don't break any passwords. Don't get unauthorized access.
Don't collect more than what's relevant – collect what's relevant, evidence, and do it on a personal phone, taking photographs or something like that. Again, lawfully. Follow the rules about making recordings.
Every case is different, every jurisdiction is different, so it's hard to give advice. But I would say avoid email. Email's always insecure. Use the Signal app to communicate — the best is in person, but if you need to call the lawyer, call them on Signal. If you are taking photos of evidence, use your personal phone, not a work phone.
But really, the most important thing is… talk to a lawyer before you do anything else.
Andrea Peterson
(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.