Whistleblowing Is Broken

Like so much else, the act of informing on bad actors for good reasons has become tainted.

A person stuck in a whistle.
Getty; The Atlantic

When the hacker turned corporate-cybersecurity specialist Peiter Zatko went to work for Twitter in 2020, he thought he could help the company improve its practices after some embarrassing breaches. But either he couldn’t help Twitter, or Twitter didn’t want his aid—less than two years later, the company fired him. Last month he issued a massive complaint against it to the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, alleging widespread malfeasance and fraud at the social network.

Earlier this week, after The Washington Post and CNN broke news of the complaint, newspapers everywhere started calling Zatko a “whistleblower,” and I read the word so many times that it ceased to bear meaning. Zatko’s accusations are serious, but the complaint, and the reporting I’ve read about it, also makes them seem amorphous and inchoate, disconnected from real stakes. Zatko’s situation didn’t exactly have the sensibility of, say, a factory-farm foreman revealing that a major company is poisoning its chicken thighs, or a mid-level bureaucrat exposing a government perpetrating atrocities in the name of its citizens.

Tech companies are so big and so powerful and do so many bad things without consequence, it’s understandable that people may feel they have no option other than blowing the whistle on these companies, the way a civil servant might on a government. But it’s an imperfect system for meting out justice. The problem lies less with Zatko and his specific accusations—many of which look pretty bad for Twitter—and more with the erosion of the whistleblower as a concept in contemporary life. That’s a path Zatko didn’t forge, even if he’s treading it. Whistleblowers used to be underdogs, willing to ruin their lives in the pursuit of the truth, so that its revelation might serve the commons. Now they’re more like corporate-espionage influencers, whose actions put attention-seeking and material gain before, or in place of, justice.

Whistleblowing has a very long history. In 1777, during the American Revolution, 10 sailors aboard the warship U.S.S. Warren met in secret to conspire against a man much more powerful than them. Commodore Esek Hopkins, the commander of the Continental Navy, had tortured British sailors; the group wrote a petition to the Continental Congress, which, swayed by their case, suspended Hopkins. But the commander retaliated, and Warren sailors Samuel Shaw and Richard Marven were arrested and jailed. In response to that obviously corrupt outcome, Congress enacted what is considered to be the world’s first whistleblower law. It didn’t just protect righteous actors such as Shaw and Marven; it demanded that others in similar positions act similarly, decreeing that “it is the duty of all persons in the service of the United States, as well as all other inhabitants thereof, to give the earliest information to Congress or other proper authority of any misconduct, frauds or misdemeanors committed by any officers or persons in the service of these states, which may come to their knowledge.”

In the following centuries, whistleblowers became symbols of moral honor. The English shipping clerk Edmund Dene Morel was instrumental in exposing the brutal, plantation slave labor in the Congo. The retired Marine general and Medal of Honor recipient Smedley Butler exposed a plot to overthrow the U.S. government during Franklin D. Roosevelt’s administration. The epidemiologist Peter Buxtun, working for the U.S. Public Health Service, exposed the Tuskegee Study, in which his employer had denied treatment to Black men infected with syphilis over four decades. The government analyst Daniel Ellsberg leaked the documents that became known as the Pentagon Papers, a secret account of the U.S. government’s mishandling of the Vietnam War spanning multiple presidencies. The New York City police officer Frank Serpico disclosed widespread bribery and financial corruption in the force. Edward Snowden, an intelligence contractor, leaked evidence of the NSA’s global surveillance programs. (Snowden offers an illustrative example of how messy the designation of “whistleblower” can be. He was charged under the Espionage Act in 2013 and fled to Moscow, where he has lived since.)

Fame often followed their revelations. An entire Whistleblower Cinematic Universe retold the stories of Serpico, Snowden, and others. But that notoriety came as a result of the moral stakes of the revelations and the virtue required to unveil them. Past whistleblowers did more than just expose misdeeds. They selflessly did so from a position of far less power than those they accused, in order to protect or defend others who similarly lack power. The whistleblower is—or was—an actor moved by duty, virtue, or both.

To this day, the formal definition of a whistleblower descends directly from its 18th-century precedent, in the form of laws that encourage actors to reveal misconduct by protecting them if they do so. The protections formally afforded to whistleblowers increased over time, but most of those protections were still afforded to government workers.

That changed relatively recently. In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act became law. Dodd-Frank, passed in the aftermath of the Great Recession (and the wrongdoing by big banks that helped cause it), inaugurated a major shift in whistleblowerdom, especially in the private sector, where other laws generally didn’t reach. Crucially, Dodd-Frank added a financial incentive to the sometimes-risky practice of becoming an informant. Under the law, the SEC offers cash rewards for tips that lead to the receipt of monetary sanctions. Since its inception, the SEC has recovered billions of such dollars and awarded a cool $1 billion back to people who helped it get the goods. Money, once the enemy that inspired Serpico to blow a whistle, became a motivation for doing so.

And predictably, whistleblowing has become a business. Stephen M. Kohn, a whistleblower attorney who won one of the largest awards in history, $104 million for a tax-evasion case, wrote a book about the practice, The New Whistleblower’s Handbook. “Doing what’s right,” a phrase that appears in the book’s subtitle, imbricated with doing what produces financial gain. This is a tremendous shift, and one with enormous consequences: Though some people will argue that whistleblowers deserve financial comfort—in addition to protection from persecution—for having the courage to speak up, society relies on people to tell the truth because it is right, not because they might get paid for it.

Zatko may well be acting out of conscience. In his complaint, he calls his disclosures an “ethical obligation” and suggests that he aspires to remain true to a hacker’s obligation to notify an affected party of its security-related problems. The complaint exclusively refers to him by his hacker name, Mudge, seemingly to underscore that allegiance. But he is indisputably a different type of actor than the civil-servant whistleblowers of history. And the structures that have arisen around whistleblowing in recent years complicate its appeals to principle alone.

Zatko’s complaint against Twitter contains dozens of allegations about what the company did wrong, including lax device security, poor control of its production environment, missaccounting of bot accounts, and more. (A Twitter spokesperson defended the company’s security practices to the Post, and told the paper that “Zatko’s allegations appeared to be ‘riddled with inaccuracies’ and that Zatko ‘now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.’”) But all throughout the complaint, these claims are framed not principally as misdeeds against best practice, national security, user privacy, or other domains of legitimate concern to the general public. No, they are first presented as evidence of fraud. Defrauding investors is the financial crime for which the SEC can pursue redress and, upon a successful enforcement action, restitution. For every dollar or million that the SEC might recover from Twitter if Zatko’s allegations prove actionable, Zatko (and his lawyers) could be entitled to 10 to 30 percent.

John Tye, chief disclosure officer of the nonprofit legal group Whistleblower Aid, which represents Zatko, says the prospect of a reward didn’t motivate Zatko. “In fact he didn't even know about the reward program when he decided to become a lawful whistleblower,” Tye said in an email. He did so, Tye said, to help the SEC enforce the laws. That’s fair enough. But enforcing securities law—already a somewhat dubious moral prospect compared with historical whistleblower interventions—now entails a reward whether you ask for one or not. Remuneration infects the process. Kohn did call it the new whistleblowing, after all.

Whistleblower Aid also counts Frances Haugen, the Facebook Papers leaker, as a client. The eBay billionaire Pierre Omidyar has funded both Whistleblower Aid and Haugen’s efforts, a philanthropic gesture that might reasonably be construed as realpolitik to expose legitimate wrongdoing by some of the most powerful companies in the world, but that also amounts to the creation of a fundraising and organization-building activity—a whole jobs program surrounding tech oppositionalism.

And then there’s the dude who has the most to gain from Zatko’s supposedly righteous revelations about Twitter: Elon Musk, the world’s richest man, who still hopes he doesn’t have to write a $44 billion check to buy the company. Zatko’s extensive warnings about the number of bots on Twitter, an issue that obsesses Musk, seem startlingly aligned with Musk’s interests rather than those of misled investors, let alone the public. (Tye, Zatko’s representative, told me that his client began the process that led to this disclosure in December, before Musk expressed any interest in acquiring Twitter. Musk has not been involved “in any way,” Tye said in an email.)

Zatko’s complaint does issue some concerning accusations against his former employer. According to Zatko, Twitter played fast and loose with security, and in a way that might violate a settlement the company reached in 2011 after the FTC alleged major lapses in its data-security practices. But the complaint is also riddled with gripes that speak more to Zatko’s dissatisfaction than Twitter’s alleged corruption. His bosses didn’t take his advice, and Zatko didn’t like that. Then they froze him out, and fired him. Maybe doing so constitutes fraud or violation—the SEC and FTC will have to sort that matter out. But even if so, Zatko’s barrage of accusations might not amount to the “explosive” revelation that some news coverage of the complaint has described. The document reads like a paid legal expert’s report on why Twitter committed fraud by a disgruntled former employee who stands to gain from its exposure, not as a righteous man’s case for why a global social network is obviously and grievously dangerous.

But alas, the media cannot resist the temptation to cast the new whistleblowers in the role of the old ones. As I wrote for The Atlantic when the Facebook Papers broke, stories such as Daniel Ellsberg’s come from the golden age of journalism, when information couldn’t find an audience without the aid of a newspaper or magazine or television network. Ad-driven internet companies such as Facebook and Google and Twitter absconded with that access, and the spoils that accompanied it. These companies royally mucked up both the business of journalism and the operation of the democracy the Fourth Estate holds in check; journalists are both right to hold the tech industry’s power to account and sometimes overly eager to do so.

Perhaps one of the greatest ironies of the new whistleblowing is that tattling for material scraps is the only way the internet operates. Online life is a constant contest of appearance, both physical and moral. With attention at a premium and content proliferating, all anyone can do is scrabble to claim whatever crumbs any situation might shake loose: a hot take that produces clicks that burnish a reputation; a thirst trap that generates followers to justify sponsorship rates; a megaviral post that yields neither satisfaction nor even SoundCloud listens, but only the passing attention of a million people you’ve never met. A whistleblower complaint that might yet yield a payday, even if it also reveals a hidden truth.

An amorphous creature has attached itself to the new whistleblowers, like a barnacle on the warship Warren: glory and the influence it might deliver. Once an act that at least aspired toward modesty, whistleblowing entailed sufficient risk that informing on a more powerful actor might still ruin one’s life. But now, in the internet age, whistleblowing has become a path—if a terrible, unintuitive one—to fame and its trappings. That glory drives the hungry maw of material success, whether or not the being that devours its spoils thrives or starves. Like everything else, whistleblowing is just another hustle.