On September 13, Twitter whistleblower Peiter Zatko testified before the Senate Judiciary Committee about his allegations that the social media platform has “egregious deficiencies” in its cybersecurity defenses. During the hearing, Zatko fielded questions from members of the Committee about foreign agents infiltrating the platform, Twitter employees’ level of access to user data, company culture at the tech giant, and more.
Background
Zatko, also known as “Mudge,” worked as Twitter’s head of security from November 2020 until January 2022 and filed whistleblower complaints with the U.S. Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), and Department of Justice (DOJ) in July 2022, according to prior WNN reporting. Zatko alleges that the company misled users and regulators, including the FTC, about privacy and security on the platform. Read more about the allegations here.
Zatko’s disclosures have also been thrust into Elon Musk’s legal battle with Twitter: the Tesla and SpaceX CEO subpoenaed Zatko on August 29 and asked for more information about allegations pertaining to bot accounts on Twitter. “The issue of bot accounts has been contentious in Musk’s initial deal to buy Twitter for $44 billion and then subsequent backing out of the deal,” WNN reported. On September 7, a judge ruled that Musk can use Zatko’s allegations in his legal case against Twitter but cannot push back the date of the trial, which will remain October 17.
Zatko’s Allegations and the Risks of Whistleblowing
“For 30 years, my mission has been to make the world better by making it more secure,” Zatko said in his opening statement before the Senate Committee. “I’m here today because Twitter leadership is misleading the public, lawmakers, regulators, and even its own Board of Directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards.”
“The company’s cyber security failures make it vulnerable to exploitation, causing real harm to real people,” Zatko continued. “And when an influential media platform can be compromised by teenagers, thieves, and spies and the company repeatedly creates security problems on their own, this is a big deal for all of us.”
In his opening remarks, Zatko highlighted the risks he took blowing the whistle and the challenges of raising concerns from the inside of the company. “When I brought concrete evidence of these fundamental problems to the executive team and repeatedly sounded the alarm of the real risks associated with them – and these were problems brought to me by the engineers and employees of the company themselves – the executive team chose instead to mislead its board, shareholders, lawmakers, and the public instead of addressing them,” Zatko said.
“Given the real harm to users and national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower,” Zatko told the senators. Speaking with emotion, he said, “I did not make my whistleblower disclosures out of spite or to harm Twitter – far from that. I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter’s users and the public are protected.”
What and Where is the Data?
Zatko detailed in his opening statement and throughout the hearing that Twitter does not “know what data they have, where it lives, or where it came from, and so unsurprisingly, they can’t protect it.” Multiple members of the Committee asked about the type of information that Twitter engineers could access, and often Zatko would point to Twitter’s lack of knowledge about what kind of data it has on its users and where the data is stored. “Twitter didn’t even know what it was collecting,” Zatko told Senator Dick Durbin (D-IL). He explained that Twitter engineers were all given access to the “production environment” containing user information and could thus identify data and use it for their own purposes.
Regarding the production environment, Zatko said Twitter was unusual in having only that environment, “the running systems, the live data,” with no separate testing or “staging environment” in which engineers could work without touching real user data. “This is an oddity, this is an exception to the norm,” Zatko remarked. He also recounted a conversation with a senior engineer who told him, “Mudge, you should know that this company doesn’t really have centralized logging. We don’t log the activities of the systems.” This lack of logging at Twitter “is a remnant of being so far behind on their infrastructure and the engineering and the engineers not being given the ability to put things in place to modernize,” Zatko said.
Foreign Agents and Threats
Several Committee members raised the issue of foreign governments or entities placing individuals inside Twitter, whether to gain insight into Twitter’s censorship policies and planning or to identify and target dissidents. The lack of logging came up again in these lines of questioning, as Zatko explained that Twitter was unable to properly track employees’ activities. He told the Committee that a foreign agent could probably stay at Twitter undetected “for a long period of time.”
“One of the disturbing things that I saw based upon being 10 years behind where I would expect a modern tech company to be was a lack of an ability to internally look for and identify inappropriate access within their own systems,” Zatko said. “When we did know of a person inside acting on behalf of a foreign interest as an unregistered agent, it was extremely difficult to track the people. There was a lack of logging and an ability to see what they were doing, what information was being accessed, or to contain their activities, let alone set steps for remediation and possible reconstitution of any damage. They’ve simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”
Zatko described another conversation with an executive in which he tried to raise concerns about a foreign agent who had infiltrated Twitter. According to Zatko, the executive’s response was, “Well, since we already have one, what does it matter if we have more, let’s keep growing the office.” Also discussed during the hearing was the role of foreign governments in placing click-through ads, which “expose a risk that non-click-through ads do not,” Zatko stated. “Twitter would be a gold mine, from my understanding,” for foreign entities placing spies, Zatko told the senators.
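The capability Zatko describes as missing in the two passages above, centralized logging of who accessed which user data, and a way to hunt over those logs for inappropriate access, can be made concrete with a short script. The following is an added example written for this page; it is not Twitter’s tooling and was not presented at the hearing. It assumes a hypothetical JSON-lines audit log in which every read of production user data records the actor, the subject user and a support-ticket reference, and a hypothetical roster of accounts holding production access. It runs two detections over constructed sample records and then shows the blind spot that appears when an account with access produces no log events at all.

```python
"""Added example: insider-access detection over a centralized audit log.

Illustrative code written for this page, not Twitter's tooling and not
anything presented at the hearing. It assumes a hypothetical JSON-lines
audit log in which every read of production user data records the actor,
the subject user, and a support-ticket reference justifying the read.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). eng_alice does two justified reads,
# eng_bob reads seven different users in three minutes, eng_carol reads a
# user with no ticket, and eng_dave (on the roster below) never appears.
SAMPLE_LOG = """\
{"ts": "2022-01-10T09:00:05Z", "actor": "eng_alice", "action": "read_user", "subject": "u1001", "ticket": "SUP-41"}
{"ts": "2022-01-10T09:02:10Z", "actor": "eng_alice", "action": "read_user", "subject": "u1002", "ticket": "SUP-41"}
{"ts": "2022-01-10T10:00:00Z", "actor": "eng_bob", "action": "read_user", "subject": "u2001", "ticket": "SUP-77"}
{"ts": "2022-01-10T10:00:30Z", "actor": "eng_bob", "action": "read_user", "subject": "u2002", "ticket": "SUP-77"}
{"ts": "2022-01-10T10:01:00Z", "actor": "eng_bob", "action": "read_user", "subject": "u2003", "ticket": "SUP-77"}
{"ts": "2022-01-10T10:01:30Z", "actor": "eng_bob", "action": "read_user", "subject": "u2004", "ticket": "SUP-77"}
{"ts": "2022-01-10T10:02:00Z", "actor": "eng_bob", "action": "read_user", "subject": "u2005", "ticket": "SUP-77"}
{"ts": "2022-01-10T10:02:30Z", "actor": "eng_bob", "action": "read_user", "subject": "u2006", "ticket": "SUP-77"}
{"ts": "2022-01-10T10:03:00Z", "actor": "eng_bob", "action": "read_user", "subject": "u2007", "ticket": "SUP-77"}
{"ts": "2022-01-10T11:00:00Z", "actor": "eng_carol", "action": "read_user", "subject": "u3001", "ticket": ""}
"""

# Hypothetical roster of accounts granted production data access.
PROD_ACCESS_ROSTER = ["eng_alice", "eng_bob", "eng_carol", "eng_dave"]


def parse_log(text):
    """Parse JSON-lines audit records; timestamps become aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_suspicious_access(records, window=timedelta(minutes=10), max_subjects=5):
    """Return findings as (kind, actor, detail, ts) tuples.

    Two checks: a read with no ticket justification ("no_ticket"), and an
    actor touching more than max_subjects distinct users within any sliding
    time window ("bulk_read"), the pattern of someone pulling data on many
    people rather than handling one support case.
    """
    findings = []
    reads_by_actor = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["action"] != "read_user":
            continue
        if not rec.get("ticket"):
            findings.append(("no_ticket", rec["actor"], rec["subject"], rec["ts"]))
        reads_by_actor[rec["actor"]].append(rec)

    for actor, reads in reads_by_actor.items():
        start = 0
        for end in range(len(reads)):
            # shrink the window from the left until it spans at most `window`
            while reads[end]["ts"] - reads[start]["ts"] > window:
                start += 1
            distinct = {r["subject"] for r in reads[start:end + 1]}
            if len(distinct) > max_subjects:
                findings.append(("bulk_read", actor, len(distinct), reads[start]["ts"]))
                break  # one finding per actor is enough to open a case
    return findings


def unlogged_actors(roster, records):
    """Accounts with production access that produced no log events at all.

    Silence is not evidence of good behaviour; without this comparison an
    actor whose activity is not logged is invisible to the checks above.
    """
    seen = {r["actor"] for r in records}
    return sorted(a for a in roster if a not in seen)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in find_suspicious_access(recs):
        print(finding)
    print("no log coverage for:", unlogged_actors(PROD_ACCESS_ROSTER, recs))
```

The third function is the point of the testimony in code: the two detections can only see actors who appear in the log, so an account that holds production access but emits no events is a coverage gap rather than a clean record, and comparing the log against the access roster is the only way to surface it.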
Not-So-Scary U.S. Regulators
The senators also asked about the role of regulatory bodies like the FTC and what improvements should be made to crack down on Big Tech’s conduct. Zatko stated that from what he saw, “a lot of the regulators’ examinations were interview questions, so the organization was allowed to grade their own homework.” He said that there “wasn’t a lot of quantified measurements,” and that “a fair amount of the interviews came from companies, auditors, that Twitter themselves were able to hire,” which Zatko pointed to as a potential conflict of interest.
“I think the regulators have tools that do work, but they’re not able to see which tools in their toolbelt are the ones actually working and they’re using the ones – the one-time fines – that the companies aren’t really afraid of,” Zatko said. When Sen. Amy Klobuchar (D-MN) asked about the efficacy of passing privacy legislation, Zatko explicitly mentioned strengthening protections for whistleblowers. “I think one thing that would be very helpful is that the FTC and other regulators don’t have laws or rules that would create whistleblower protection programs for people while they were still in these organizations.”
Zatko also highlighted the weakness of U.S. regulatory bodies, stating that “some of the foreign regulators were much more feared than the FTC,” like France’s regulatory authority. He pointed to the strength of some overseas regulators, including being more “aggressive,” imposing hard deadlines, not accepting “face-value answers,” and “threaten[ing] to preclude monetizing entire markets.”
The Company Culture at Twitter and Profits vs. User Safety
In his testimony, Zatko described Twitter as “a company that was managed by risk and by crises, instead of one that manages risk and crises.” His claims hark back to those of Facebook whistleblower Frances Haugen, who alleged that Facebook, now Meta, consistently made choices that prioritized profits and growth over the safety of its users. Several times in his testimony, Zatko described resistance from others in the company to making changes and investing in efforts to modernize the infrastructure and fix issues. For example, when Sen. Mike Lee (R-UT) asked why Twitter wouldn’t create a tracking or logging system to more easily identify foreign agents, Zatko replied, “I think they would like to, but they’re simply unwilling to put the effort in at the cost of other efforts such as driving revenue.”
According to Zatko, many Twitter employees want change. “I learned a lot of information, a lot of people wanted to share the information. When I came on board, they were excited that there was an executive that was listening and that was willing to ruffle feathers, that was willing to fight for some of these things because they had tried to raise them.”
“The engineers and the employees want this change,” he said in another part of the hearing. Twitter has a culture, according to Zatko, “where they don’t prioritize, they’re only able to focus on one crisis at a time. And that crisis isn’t completed, it’s simply replaced by another crisis. So I think they would like to wave a magic wand and have all of these things fixed, but they’re unwilling to bite the bullet and look strategically and say, hey, we’re going to have to devote some time and money to get these basic things in place and to be honest with their investors, the public, their board, themselves, and do the legwork rather than just react to what’s coming in that they hear from a hearing like this or from the news, just until the next crisis comes along.”
Zatko also said that “[t]here was a culture of not reporting bad results up, only reporting good results up, because that was the internal incentive structure. You were rewarded based upon relationships and how you performed in an emergency, not for identifying existing errors and doing the groundwork for keeping the lights on, running the business.” He described being unable to find straight answers about the data kept.
Ultimately, Zatko painted a picture of Twitter as leagues behind its Big Tech peers in terms of safety and privacy: according to his testimony, the company simply does not have a good grasp on the data it collects from users or where to find it. His suggestion for moving forward? “Holding accountability and setting quantitative goals and standards that can be measured and audited independently, I believe, is what’s going to be required to change management structures and drive change in companies when it’s needed such as this.”
The hearing record will be open for one week for submission of materials for the record. Watch the entire hearing here.