Twitter has told a US senator it is cutting ties with a European bulk messaging company that it used to send sensitive passcodes after a Bureau investigation, Bloomberg reports.
The social media company told Ron Wyden, a Democrat senator for Oregon, that it is transitioning its service away from Mitto AG, according to one of the senator’s aides. The Bureau and Bloomberg reported in December that, according to former employees and clients, a co-founder of Mitto operated a service that helped governments secretly surveil and track mobile phones.
Twitter cited media reports as the motivating factor behind its decision, the Wyden aide said.
Mitto is one of several bulk messaging companies that deliver one-time passcodes used by web giants to verify log-ins to email inboxes, bank accounts and other sensitive personal data. The company has attracted major technology companies as customers, including Twitter, Google and WhatsApp.
Several other companies have allegedly already cut ties with Mitto. In recent weeks, messaging companies Kaleyra and MessageBird have both ceased commercial relationships with Mitto, according to three people familiar with the matter. A Twitter representative declined to comment.
A spokesman for Mitto, which is based in Zug, Switzerland, said in a statement that the company “does not disclose information about its business partners, through any channel – official or unofficial – full stop. Generally, such agreements are mutual in nature, with both parties agreeing to protect the privacy and integrity of the other.”
Mitto works with leading telecommunications companies to deliver text messages in bulk to billions of phones around the world, according to its website and promotional documents.
However Mitto’s co-founder and chief operating officer, Ilja Gorelik, was also allegedly selling access to Mitto’s networks to secretly locate people via their mobile phones, and in some cases obtain their call logs. The Mitto venture allegedly involved exploiting weaknesses in a telecommunications protocol known as SS7, or Signalling System 7.
A Mitto representative previously said that the company had no involvement in any surveillance business and had launched an internal investigation “to determine if our technology and business has been compromised” and would take corrective action if necessary. Mitto representatives allegedly informed some clients that Gorelik was no longer involved at the company, although he is still listed on the website as chief operating officer.
Earlier this year Google told Wyden it had been warned that Mitto was allegedly siphoning off user passcodes to aid surveillance carried out by foreign governments, according to reporting by Bloomberg.
Bloomberg asked Google about the communications with Wyden’s office. The company would not specifically address the allegation about Mitto, but a spokesperson said it had investigated allegations concerning a unnamed business it works with in Europe and found “no evidence of wrongdoing or any connection between the allegations and our separate work with them”. The Google spokesperson added that the company was monitoring an investigation in Switzerland and “will not hesitate to take immediate action if new facts come to light.”
After the Bureau and Bloomberg's investigation, which was covered by 60 outlets in a dozen countries, Switzerland’s federal data protection and information commissioner opened an investigation focusing on Mitto’s operations, which has yet to conclude.
Mitto’s lawyers told Bloomberg: “Clearly if Google had any concerns (which they apparently did not) then they most certainly have the technological and legal wherewithal to establish if those are valid or not, and act accordingly.” They added: “Our client is a trusted provider to Google and any suggestion to the contrary would be entirely at odds with the actual position.”
Header image: Zug, Switzerland where Mitto is headquartered. Credit: imageBROKER/Daniel Baertschi/Getty Images
Reporter: Meirion Jones
Global editor: James Ball
Editor: Meirion Jones
Our reporting on Decision Machines is funded by Open Society Foundations. None of our funders have any influence over the Bureau's editorial decisions or output.