Peiter Zatko, who is also known as Mudge poses for a portrait on Monday August 22, 2022 in Washington, DC.

Matt McClain | The Washington Post | Getty Images

A Twitter whistleblower is alleging “extreme, egregious deficiencies by Twitter” related to privacy, security and content moderation, according to complaints filed with the Securities and Exchange Commission, Federal Trade Commission and Department of Justice.

The complaints, obtained by CNBC, were filed by nonprofit law firm Whistleblower Aid, which is representing Twitter’s former head of security, Peiter “Mudge” Zatko. Whistleblower Aid, which also represented Facebook whistleblower Frances Haugen, verified the authenticity of the documents with CNBC.

Shares of Twitter were down more than 5% in morning trading.

In a complaint with the SEC, Zatko alleges that he “witnessed senior executive engaging in deceitful and/or misleading communications affecting Board members, users and shareholders” on multiple occasions in 2021, during which CEO Parag Agrawal asked Zatko to provide false and misleading documents.

The news was first reported by The Washington Post and CNN.

Parag Agrawal, CEO of Twitter, and his wife Vineeta Agarwal, walk to a morning session during the Allen & Company Sun Valley Conference on July 07, 2022 in Sun Valley, Idaho.

Kevin Dietsch | Getty Images News | Getty Images

In his final report for Twitter after he was terminated, according to the whistleblower documents, Zatko charged that the company failed to accurately represent four key issues to the board: out-of-date software that lacked basic security measures, “Gross problems” in who could access or control systems and data, problematic internal processes and a “volume and frequency of security incidents impacting a large number of users’ data that is frankly stunning.”

Zatko alleged in the report that more than half of Twitter’s 500,000 servers were running out-of-date software and more than a quarter of employee computers have disabled software updates that can provide important security patches. He said Twitter’s alleged practice of granting broad access to the platform’s production environment was “unheard of in a company the age and importance of Twitter, where nearly all employees have access to systems or data they should not.”

If government regulators were to find Twitter misled consumers about its security protocols, that may be considered a violation of its 2011 agreement with the FTC. At the time, Twitter was barred for 20 years from misleading consumers about how it protects their security and private information. The agreement also required Twitter to create and maintain a comprehensive information security program to be evaluated by an independent auditor for 10 years.

A spokesperson for the Senate Select Committee on Intelligence said in a statement that the panel has also received the complaint “and is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”

The whistleblower complaint mentions misrepresentations by Twitter to Elon Musk, who is locked in a legal battle seeking to back out of a deal to purchase the social media company, over the Tesla CEO’s “doubts on the accuracy of Twitter’s claim in legal findings that