Four takeaways from the Twitter whistleblower hearing
Former Twitter security chief Peiter “Mudge” Zatko testified before the Senate Judiciary Committee Tuesday alleging widespread security deficiencies at the social media platform, expanding on his bombshell whistleblower disclosure made public in reports last month.
During a two-and-a-half hour hearing, Zatko alleged Twitter lacked a framework to protect user data or log who was accessing the information — to the extent that he said an “employee could take over the accounts of all the senators in this room.”
The hearing also led to calls for restructuring Twitter management, revamping U.S. regulatory agencies, and passing bipartisan bills targeting tech giants that have struggled to get across the finish line.
Here are four takeaways from the hearing.
Twitter lacks framework for protecting user data
Zatko accused Twitter of failing to prioritize user safety and data protection in a way that threatened national security.
“What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards,” he said.
Zatko said Twitter doesn’t know “what data they have, where it lives, or where it came from.”
“So unsurprisingly, they can’t protect it,” he said.
He said employees have “too much access to too much data,” and that Twitter lacks systems in place to keep a log of who is accessing the data and when.
For the average user, Twitter holds sensitive data including the user’s geolocation, contact information, and the emails associated with the account, Zatko said. Roughly half of Twitter’s staff, about 4,000 employees, can search that information, since engineers are given access by default, he said.
“Those employees would be in a position then, if they wanted to, to get this information and dox Twitter users?” Sen. Josh Hawley (R-Mo.) asked Zatko.
“That is a concern I have, yes,” Zatko said.
A Twitter engineer with knowledge of the system could also tweet as any user, including as elected officials, he said.
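The two gaps described above, engineers holding broad access to user data by default and no record of who looked at what and when, are the kind of thing a small access gateway addresses. The following is an added illustration, not code from the article or from Twitter: it routes every read of a user record through a default-deny, per-field role policy, writes an audit event for every attempt (allowed or denied), and answers the question "who accessed this user's data" from that log. It also flags an actor whose successful reads of personal fields span several distinct users within a short window, the kind of pattern a defender would want to surface. Field names, roles, actors and records are constructed for the example.

```python
# Added example, not code from the article or from Twitter: a minimal
# data-access gateway showing default-deny field access plus an audit log.
# Names, roles, field names and records are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records; the field names are assumptions, not Twitter's schema.
USERS: Dict[str, Dict[str, str]] = {
    "u-1001": {"handle": "senator_a", "bio": "Public bio", "email": "a@example.gov",
               "phone": "+1-555-0100", "geo": "38.89,-77.01"},
    "u-1002": {"handle": "senator_b", "bio": "Public bio", "email": "b@example.gov",
               "phone": "+1-555-0101", "geo": "38.89,-77.02"},
}

# Fields each role may read. Anything not listed is denied (default deny),
# so an engineer sees public profile fields only, never contact or location data.
ROLE_POLICY: Dict[str, Set[str]] = {
    "engineer": {"handle", "bio"},
    "trust_and_safety": {"handle", "bio", "email", "phone"},
}
PII_FIELDS: Set[str] = {"email", "phone", "geo"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    role: str
    user_id: str
    fields: Tuple[str, ...]
    allowed: bool
    reason: str


class DataGateway:
    """Every read of a user record goes through here and is logged, allowed or not."""

    def __init__(self, users: Dict[str, Dict[str, str]], policy: Dict[str, Set[str]]):
        self._users = users
        self._policy = policy
        self.audit_log: List[AuditEvent] = []

    def read(self, actor: str, role: str, user_id: str, fields: List[str],
             now: Optional[datetime] = None) -> Dict[str, str]:
        now = now or datetime.now(timezone.utc)
        permitted = self._policy.get(role, set())      # unknown role gets nothing
        denied = sorted(f for f in fields if f not in permitted)
        if denied:
            reason = f"role '{role}' may not read {denied}"
        elif user_id not in self._users:
            reason = "unknown user"
        else:
            reason = "ok"
        allowed = reason == "ok"
        # Log the attempt before returning anything, so denials are recorded too.
        self.audit_log.append(AuditEvent(now, actor, role, user_id, tuple(fields), allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        record = self._users[user_id]
        return {f: record[f] for f in fields}

    def who_accessed(self, user_id: str, since: Optional[datetime] = None) -> List[AuditEvent]:
        """Who touched this user's data, and when: every attempt, allowed or denied."""
        return [e for e in self.audit_log
                if e.user_id == user_id and (since is None or e.ts >= since)]

    def bulk_pii_readers(self, window: timedelta, threshold: int) -> Dict[str, int]:
        """Flag actors whose successful PII reads cover >= threshold distinct users in one window."""
        per_actor: Dict[str, List[Tuple[datetime, str]]] = {}
        for e in self.audit_log:
            if e.allowed and PII_FIELDS & set(e.fields):
                per_actor.setdefault(e.actor, []).append((e.ts, e.user_id))
        flagged: Dict[str, int] = {}
        for actor, reads in per_actor.items():
            reads.sort()
            best = 0
            for i, (t0, _) in enumerate(reads):
                users = {uid for t, uid in reads[i:] if t - t0 <= window}
                best = max(best, len(users))
            if best >= threshold:
                flagged[actor] = best
        return flagged


def demo() -> Tuple[bool, bool, int, Dict[str, int]]:
    """Run a constructed sequence of reads and return what the controls produced."""
    gw = DataGateway(USERS, ROLE_POLICY)
    t0 = datetime(2022, 9, 13, 15, 0, tzinfo=timezone.utc)
    try:
        gw.read("eng.alice", "engineer", "u-1001", ["handle", "email"], now=t0)
        engineer_blocked = False
    except PermissionError:
        engineer_blocked = True                      # email is outside the engineer policy
    gw.read("eng.alice", "engineer", "u-1001", ["handle"], now=t0 + timedelta(seconds=5))
    ok = gw.read("ts.bob", "trust_and_safety", "u-1001", ["email"], now=t0 + timedelta(minutes=1))
    gw.read("ts.bob", "trust_and_safety", "u-1002", ["email", "phone"], now=t0 + timedelta(minutes=2))
    accessed = len(gw.who_accessed("u-1001"))        # one denied, two allowed
    flagged = gw.bulk_pii_readers(timedelta(minutes=5), threshold=2)
    return engineer_blocked, ok == {"email": "a@example.gov"}, accessed, flagged


if __name__ == "__main__":
    print(demo())   # (True, True, 3, {'ts.bob': 2})
```

The denied attempt is logged alongside the successful ones, which is what makes the audit trail useful for investigation rather than only for billing-style accounting; and because the policy is a whitelist per role, adding a new field to a record leaves it unreadable until someone decides who may see it.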
Zatko’s testimony also raised the risk of foreign agents gaining access to Twitter’s data. Part of his disclosure alleged that the Indian government forced Twitter to hire specific individuals who were government agents who would have access to “vast amounts of sensitive data.”
“I am reminded of one conversation with an executive where I said, ‘I am confident that we have a foreign agent,’ and their response was, ‘Since we already have one, what does it matter if we have more? Let’s keep growing the office,’” Zatko told the committee.
Twitter has pushed back on Zatko’s allegations.
A company spokesperson said “today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies.”
According to a Twitter spokesperson, the company’s hiring process is independent of any foreign influence.
Access to Twitter’s data is also managed through measures such as background checks, access controls, and monitoring and deception systems, according to the spokesperson.
US regulators’ enforcement not up to par
At the core of Zatko’s testimony and disclosure is his allegation that Twitter has not complied with a 2011 consent decree from the Federal Trade Commission (FTC) to maintain a security program designed to protect privacy and nonpublic consumer information.
Zatko said the Federal Trade Commission is “over their head” when dealing with large tech companies, like Twitter.
“Compared to the size of the Big Tech companies and the challenge they have against them, they are left letting companies grade their own homework,” Zatko said.
Zatko said “the intent of the regulators was correct,” but less quantitative standards allow Twitter to “hold up an isolated example” and knowingly mislead regulators by letting them “assume that example was the whole environment.”
At Twitter, foreign regulators, such as the French equivalent of the FTC, are more feared, he said.
“They dig in technically and go towards more quantitative results that are less easy for organizations to sort of wordsmith around,” he said.
Bipartisan consensus to target tech, but lack of action on bills
Zatko’s hearing is the latest in a long series of Senate hearings over the past couple of years to target social media companies. Last year lawmakers heard from Facebook whistleblower Frances Haugen, and before that from the CEOs of tech companies including former Twitter head Jack Dorsey.
Although there are lingering partisan differences on tech issues, mainly on content moderation, Tuesday’s hearing again showcased the rare unified support from both sides of the aisle to take action to hold tech companies accountable.
But lawmakers have not been able to get bills targeting the companies across the finish line, even though several bills have advanced with bipartisan support out of the Judiciary and Commerce committees, including the American Online Innovation and Choice Act and the Children’s Online Privacy Protection Act.
“Despite this probably being our 50th hearing … between commerce and judiciary we have not passed one bill out of the U.S. Senate when it comes to competition, when it comes to privacy, when it comes to better funding the agencies, when it comes to the protection of kids,” Sen. Amy Klobuchar (D-Minn.) said.
“At some point when we talk about the agencies, I think we better be putting the mirror on ourselves,” she said.
A group of bipartisan lawmakers in the House and Senate released a comprehensive privacy bill earlier this year. The bill advanced out of the House Energy and Commerce Committee, but has been stalled in the Senate, where Commerce Committee Chairwoman Maria Cantwell (D-Wash.) has pushed back on the proposal.
Zatko said that when drafting bills to hold tech companies accountable, lawmakers must consider that previous attempts which were not quantifiable or externally auditable were “gamed” by the tech companies, letting them answer questions without doing what was intended.
Sen. Lindsey Graham (R-S.C.) said he’s going to work with his Democratic colleagues to ensure the risk Zatko took coming forward with his allegations is “not in vain.”
“There’s no way to deal with this without bipartisanship, from my point of view, so I’m working with [Sen.] Elizabeth Warren (D-Mass.) of all people. We have different perspectives on most everything else, but Elizabeth and I have come to believe it’s now time to look at social media platforms anew, and we have this general understanding among ourselves that the regulatory system regarding social media is not working effectively,” Graham said.
Graham said the aim is to create a system “more like Europe, a regulatory environment with teeth” and an agency that “came about after 1914,” the year the FTC was established.
Sen. Richard Blumenthal (D-Conn.) also suggested creating a new agency tasked with privacy oversight.
But given the delay in action on existing proposals, even ones that have advanced out of committee with bipartisan support, it is not clear whether these proposals have an immediate chance of going forward.
Calls for Twitter to be restructured
The hearing also led to calls for Twitter management to be restructured.
Ranking member Sen. Chuck Grassley (R-Iowa) suggested Twitter CEO Parag Agrawal may not be fit to continue leading the company.
“If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter,” Grassley said.
Agrawal became CEO of the company in November, taking the reins from Twitter founder Jack Dorsey. Agrawal had previously served as chief technology officer at Twitter.
Zatko said point-blank that Twitter management should be restructured, shifted and changed.
“That kind of structural reform is necessary to achieve changes within the company?” Blumenthal asked.
“That is my belief,” Zatko said.
Zatko alleged management intended to mislead government agencies, and that intent went up to the CEO level.
“I do not know to what level inside the board they did not know because of misrepresentation or chose not to push,” Zatko said.
Outside of government scrutiny, changes may be coming to Twitter due to an embattled buyout from billionaire Elon Musk.
Musk and Twitter came to an agreement earlier this year for Musk to buy the company for $44 billion. Twitter shareholders voted Tuesday, shortly after the whistleblower hearing concluded, to approve Musk’s buyout deal.
But the deal is still in dispute, since Musk tried in July to back out of his offer. Twitter is suing to force Musk to follow through with the deal, and the two sides are set to face off at a trial next month.