Twitter whistleblower to Congress: Your data is at risk too
"Employees inside the company could take over the accounts of all of the senators in this room," former Twitter security chief Peiter “Mudge” Zatko told the Judiciary Committee on Tuesday.
Twitter’s protection of users' sensitive data is so lax that just about anyone with an account has reason to fear for the security of their accounts — even members of the Senate, the company's former chief security officer told lawmakers Tuesday.
It's “not far-fetched to say that employees inside the company could take over the accounts of all of the senators in this room,” Peiter “Mudge” Zatko testified to the Senate Judiciary Committee during the latest in a long round of hearings focused on Silicon Valley's alleged failings.
Zatko, a renowned hacker and former Defense Department employee who has filed whistleblower complaints with several federal agencies and congressional committees, said the failings in cybersecurity practices "would be a goldmine" for foreign governments or intelligence agencies, turning the company's shortcomings into a potential national security risk.
When he joined the company in late 2020, he said, it was “over a decade behind industry security standards.” He said yes when Sen. John Kennedy (R-La.) asked if it's true that "all of the engineers and half of the employees at Twitter" have access to people’s accounts. Zatko added that he has seen posts on underground forums offering to sell "access to accounts, to delete accounts, to un-ban accounts," though he didn't know if they are genuine.
“It doesn't matter who has keys if you don't have any locks on the doors,” he said, referring to what he described as Twitter's lack of strict controls on employees' access to user data.
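The "locks on the doors" Zatko describes are ordinary access-control mechanics: a per-action authorization check, a reason the access must be tied to, and a record of every attempt. The Python below is an added illustration written for this page, not Twitter's code and not anything presented at the hearing. It models a minimal gate for an internal account-administration tool; the roles, scopes, ticket ids and employee list are constructed for the example, and the ticket lookup stands in for a real ticketing system.

```python
# Added example, not Twitter's code and not from the hearing. A minimal "lock on
# the door" for an internal account tool: a scope check per action, a linked
# support ticket for anything that changes an account, and an audit record of
# every attempt. Roles, scopes, tickets and staff below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Scope required for each privileged action on a user account (constructed).
SCOPE_FOR_ACTION = {
    "read_profile": "support:read",
    "reset_password": "support:account_recovery",
    "suspend": "trust_safety:enforce",
    "unsuspend": "trust_safety:enforce",
    "delete": "legal:delete",
}

# Scopes granted by role (constructed). Engineers get none by default:
# being able to ship code does not imply access to production accounts.
ROLE_SCOPES = {
    "engineer": frozenset(),
    "support_agent": frozenset({"support:read", "support:account_recovery"}),
    "trust_safety": frozenset({"support:read", "trust_safety:enforce"}),
    "legal": frozenset({"support:read", "legal:delete"}),
}

# Actions that change an account must cite an open ticket naming that account.
ACTIONS_NEEDING_TICKET = {"reset_password", "suspend", "unsuspend", "delete"}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str


@dataclass
class AccessGate:
    # ticket_id -> account the ticket concerns (stand-in for a ticket system)
    open_tickets: dict
    audit_log: list = field(default_factory=list)

    def authorize(self, actor, action, target_account, ticket_id=None):
        """Return (allowed, reason); every decision is appended to the audit log."""
        allowed, reason = self._decide(actor, action, target_account, ticket_id)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor.user_id, "role": actor.role, "action": action,
            "target": target_account, "ticket": ticket_id,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _decide(self, actor, action, target_account, ticket_id):
        required = SCOPE_FOR_ACTION.get(action)
        if required is None:
            return False, "unknown action"
        if required not in ROLE_SCOPES.get(actor.role, frozenset()):
            return False, f"role {actor.role} lacks scope {required}"
        if action in ACTIONS_NEEDING_TICKET:
            if ticket_id not in self.open_tickets:
                return False, "no open ticket"
            if self.open_tickets[ticket_id] != target_account:
                return False, "ticket is for a different account"
        return True, "ok"


def staff_able_to(employees, action):
    """Blast-radius check: which employees could perform `action` at all."""
    required = SCOPE_FOR_ACTION[action]
    return [e.user_id for e in employees
            if required in ROLE_SCOPES.get(e.role, frozenset())]


def run_demo():
    """Exercise the gate on constructed staff, tickets and requests."""
    staff = [Employee("eng-1", "engineer"), Employee("eng-2", "engineer"),
             Employee("sup-1", "support_agent"), Employee("ts-1", "trust_safety"),
             Employee("legal-1", "legal")]
    gate = AccessGate(open_tickets={"T-100": "@alice", "T-101": "@bob"})
    results = {
        "engineer_reset": gate.authorize(staff[0], "reset_password", "@alice", "T-100"),
        "support_reset_ok": gate.authorize(staff[2], "reset_password", "@alice", "T-100"),
        "support_reset_wrong_ticket": gate.authorize(staff[2], "reset_password", "@bob", "T-100"),
        "support_reset_no_ticket": gate.authorize(staff[2], "reset_password", "@bob"),
        "support_delete": gate.authorize(staff[2], "delete", "@alice", "T-100"),
        "legal_delete_ok": gate.authorize(staff[4], "delete", "@alice", "T-100"),
        "support_read": gate.authorize(staff[2], "read_profile", "@bob"),
    }
    return results, gate.audit_log, staff


if __name__ == "__main__":
    results, log, staff = run_demo()
    for name, (allowed, reason) in results.items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY ':5} {reason}")
    print("can reset passwords:", staff_able_to(staff, "reset_password"))
    print("audit entries:", len(log))
```

Two things the block makes concrete. First, `staff_able_to` is the question Sen. Kennedy was asking: given the role table, how many people could touch an account at all; with the constructed roles only one of five staff can reset a password, versus "all of the engineers and half of the employees" in the testimony. Second, the denial for a ticket that names a different account is the check that separates legitimate support work from browsing, and because the gate logs denials as well as approvals, an insider probing for what they can reach leaves a trail.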
The accusations are disturbing, Judiciary Chair Dick Durbin (D-Ill.) said.
"The bottom line is this: Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities," Durbin said in his opening statement.
Twitter has denied Zatko’s claims, saying they’re “riddled with inconsistencies and inaccuracies.” But the company's security practices have been under scrutiny since July 2020, when a massive cyberattack allowed hackers to send bogus tweets promoting a Bitcoin scam from the accounts of famous users such as former Presidents Barack Obama, then-presidential candidate Joe Biden and rapper Kanye West.
Then-Twitter CEO Jack Dorsey hired Zatko months after the incident, beginning a brief tenure that ended when the company fired Zatko earlier this year.
Committee ranking member Chuck Grassley (R-Iowa) had some barbs for current CEO Parag Agrawal, who had declined an invitation to testify alongside Zatko. Agrawal cited possible complications for the company’s ongoing lawsuit against Elon Musk, committee leaders had said Monday.
“Simply put, the whistleblower disclosures paint a disturbing picture of a company that’s solely focused on profits at any expense, including at the expense of the safety and security of its users,” Grassley said in his opening remarks. He added: “If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter.”
Twitter declined to comment about the committee’s outreach to Agrawal.
Tuesday’s hearing marks a step up in Congress’ pressure on tech companies to take more responsibility for security flaws. The issue is especially urgent as the midterm elections approach and social media platforms are put to the test again to combat the kind of misinformation that spread widely during the 2020 presidential contest.
But lawmakers' concerns about Twitter and other social media platforms extend well beyond the security flaws Zatko is alleging, said Durbin, who noted a sharp partisan split that has cropped up in Congress' tech debates.
"I for one believe that Twitter should be doing far more to combat the proliferation of hate speech and conspiracy theories," Durbin said. "Republicans, on the other hand, claim that Twitter censors their conservative speakers. I urge my colleagues to set some of these partisan differences aside to try to find the common ground that we would need to establish security standards that would be raised today by our whistleblower."
Committee member Amy Klobuchar (D-Minn.) zeroed in on misinformation on Twitter, saying bogus claims aired on the social network "resulted in an attack on a member of my family." She said she had told Dorsey about the incident, "and nothing ever changed."
"Those are the kinds of things that happen to people in this building because of the misinformation that is rampant on social media," she said.
Zatko’s complaints have also been admitted as evidence in Twitter’s legal battle with Musk, the one-time suitor who has disavowed his earlier deal to buy the company for $44 billion. Twitter shareholders are widely expected to vote in favor of the Musk sale on Tuesday, even though Musk is trying to get out of the deal.
Zatko alleged in a whistleblower complaint first reported by The Washington Post and CNN that Twitter executives lied about cyber vulnerabilities and data security. Those included charges that Twitter does not always delete data from deactivated accounts, and that it has failed to scrub the platform of automated bot accounts that have been known to spread propaganda and harm users’ experience on the site.
Among his more alarming accusations was that India’s government had pressured Twitter to hire at least one of the country’s government agents.
The India example points to a larger danger of foreign governments or spy agencies finding ways to implant employees at the social media platform, given Twitter's lack of internal safeguards, Zatko testified Tuesday.
If such an entity were to "place somebody in Twitter, as we know has happened, it would be very difficult for Twitter to find them," he said in response to a question from Sen. Tom Cotton (R-Ark.). "They would probably be able to stay there a long period of time and gain a significant amount of information to provide to back, if they're targeting people or on information as to Twitter's decisions and discussions and to the direction of the company."
Zatko also testified that Twitter committed multiple violations of a 2011 privacy and security consent decree with the Federal Trade Commission. He added that big tech companies have far less fear of the FTC and other U.S. regulators than they do of regulatory agencies in Europe, which have the legal authority to impose harsh, repeated fines for privacy violations.
“The FTC is a little over their head," he said. "They're left letting the companies grade their own homework.”
The hearing came a day before both current and former Twitter officials are expected to appear before the Senate Homeland Security and Governmental Affairs Committee as part of a separate hearing on “social media’s impact on homeland security.” Twitter’s head of consumer product, Jay Sullivan, will appear alongside chief product officers from Meta, YouTube and TikTok.
Tuesday’s hearing also came after Twitter’s Sacramento data center crashed due to extreme heat last week, putting the social media platform in a “non-redundant state,” according to an internal memo reported by CNN. The shortage of redundant or backup data centers was another concern Zatko raised in his whistleblower complaint.
Agrawal fired Zatko in January, after which Zatko filed whistleblower documents in July to the Judiciary Committee — along with several other committees — as well as the Justice Department, Federal Trade Commission and Securities and Exchange Commission.
Twitter has said it fired Zatko because of “ineffective leadership and poor performance.” The company later paid him $7 million as part of a settlement in June that included a nondisclosure agreement, The Wall Street Journal reported last week.
Zatko’s complaint also raised concerns that Twitter executives do not receive incentives to accurately “detect” or report spam bots. That overlaps with accusations from Musk, who used claims that Twitter is underreporting its spam bot problem as a reason to back out of his offer to buy the company.
Zatko is well respected within the hacker, security researcher and U.S. intelligence communities, having previously worked at the Defense Department and at other tech companies before Twitter, said John Tye, his lawyer at the nonprofit legal group Whistleblower Aid.
“He wants to see this platform and other platforms being everything they can be in terms of actually playing a positive role in public conversation in this country and in other countries around the world and playing a positive influence on elections and human rights,” Tye said in an interview.
Maggie Miller contributed to this report.