These were some of the disturbing revelations of Peiter “Mudge” Zatko, a respected cyber expert and Twitter whistleblower who appeared before the Senate Judiciary Committee to lay out his allegations against the company. Zatko told lawmakers that the social media platform is plagued by weak cyber defenses that leave it vulnerable to exploitation by “teenagers, thieves and spies” and put its users’ privacy at risk. “I’m here today because Twitter’s leadership is misleading the public, lawmakers, regulators, and even its own board of directors,” Zatko said as he began his affidavit. “They don’t know what data they have, where it lives and where it’s coming from, and so, predictably, they can’t protect it,” Zatko said. “It doesn’t matter who has keys if there are no locks.” “Twitter’s leadership ignored its engineers,” he said, in part because “their executive motivations led them to prioritize profit over security.” In a statement, Twitter said its recruitment process is “independent of any outside influence” and that access to data is managed through a range of measures, including background checks, access controls, and tracking and tracing systems and processes. One issue that did not come up at the hearing was whether Twitter is accurately counting its active users, an important metric for its advertisers. Tesla CEO Elon Musk, who is trying to get out of a $44 billion deal to buy Twitter, has argued without evidence that many of Twitter’s roughly 238 million daily users are fake or malicious accounts, also known as “spambots.” Even so, “that doesn’t mean Musk won’t use Zatko’s claim that Twitter isn’t interested in removing the bots to try to bolster his case for walking away from the deal,” said Insider Intelligence analyst Jasmine Enberg. The Delaware judge overseeing the case ruled last week that Musk can introduce new evidence about Zatko’s allegations in the high-stakes trial, which is set to begin on October 17.
Separately on Tuesday, Twitter shareholders voted overwhelmingly in favor of the deal, according to multiple media reports. Shareholders have been voting remotely on the issue for weeks. The vote was largely a formality, especially given Musk’s efforts to scuttle the deal, though it clears a legal hurdle to closing the sale. Zatko’s message echoed one delivered to Congress against another social media giant last year. But unlike that Facebook whistleblower, Frances Haugen, Zatko hasn’t brought a trove of internal documents to back up his claims. Zatko was head of security for the influential platform until he was fired earlier this year. In July, he filed a whistleblower complaint with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among its most serious allegations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming it had taken stricter measures to protect the security and privacy of its users. Sen. Dick Durbin, the Illinois Democrat who chairs the Judiciary Committee, said Zatko has detailed flaws “that could pose an immediate threat to the hundreds of millions of Twitter users as well as American democracy.” “Twitter is an extremely powerful platform and cannot afford vulnerabilities,” he said. Unknown to Twitter users, far more of their personal information is being exposed than they, or sometimes even Twitter itself, realize, Zatko testified. He said Twitter did not experience “major systemic failures” reported by the company’s engineers. The FTC has been “a little over its head” and far behind its European counterparts in policing the kind of privacy violations that have occurred on Twitter, Zatko said. Zatko’s claim that Twitter was more concerned about foreign regulators than the FTC, Enberg said, “could be a wake-up call for U.S. lawmakers,” who have been unable to pass meaningful regulation for social media companies.
Sen. Lindsey Graham, R-South Carolina, said one positive outcome that could come from Zatko’s findings would be bipartisan legislation to create a tighter system for regulating tech platforms. “We have to up our game in this country,” he said. Many of Zatko’s claims are unconfirmed and appear to have little documentary support. Twitter called Zatko’s account of events “a false narrative … full of inconsistencies and inaccuracies” and without meaningful context. But Zatko emerged as a compelling whistleblower who has “a lot of credibility in this space,” said Ari Lightman, a professor of digital media and marketing at Carnegie Mellon University. However, he said many of the problems Zatko raised could likely be found on many other digital platforms. “They avoid security protocols in the sense of being innovative and very fast,” Lightman said. “We gave the digital platforms so much autonomy in the beginning to grow and develop. Now we’re at a point where we’re like, ‘Wait a minute … This is out of control.’” Among Zatko’s allegations that drew the lawmakers’ attention was Twitter’s apparent failure to deal with governments that tried to place spies inside the company. Twitter’s failure to record how employees accessed user accounts made it difficult for the company to detect when employees abused their access, Zatko said. Zatko said he spoke with “great confidence” about a foreign agent the Indian government placed at Twitter to “understand the negotiations” between India’s ruling party and Twitter about new restrictions on social media, and how well those negotiations were going. Zatko also revealed on Tuesday that he was told about a week before his firing that “at least one agent” from China’s MSS intelligence agency, the Ministry of State Security, was “on the payroll” of Twitter.
He said he was equally “surprised and shocked” by an exchange with current Twitter CEO Parag Agrawal about Russia, in which Agrawal, who was chief technology officer at the time, asked whether it would be possible to “bypass” content moderation and surveillance in the Russian government, as Twitter doesn’t “have the ability and tools to get things right.” “And since they have elections, doesn’t that make them a democracy?” Zatko recalled Agrawal saying. Sen. Charles Grassley, the committee’s ranking Republican, said Tuesday that Agrawal declined to testify at the hearing, citing ongoing legal proceedings with Musk. But the hearing is “more important than the Twitter civil trial in Delaware,” Grassley said. Twitter declined to comment on Grassley’s remarks. In his complaint, Zatko accused Agrawal and other senior executives and board members of numerous violations, including making “false and misleading statements to users and the FTC about the security, privacy and integrity of the Twitter platform.” Zatko, 51, first rose to prominence in the 1990s as a pioneer in the ethical hacking movement and later held senior positions at an elite Defense Department research unit and at Google. He joined Twitter in late 2020 at the urging of then-CEO Jack Dorsey.


O’Brien reported from Providence, RI. Ortutay reported from Oakland, California.