Sloppy data use is Twitter’s original sin, Mudge tells Congress

Infiltration, lies to the FTC and employees’ ability to impersonate users all have one cause, according to whistleblower Peiter Zatko.

WASHINGTON, DC - SEPTEMBER 13: Peiter “Mudge” Zatko, former head of security at Twitter, is sworn in as he testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC. Zatko claims that Twitter's widespread security failures pose a security risk to users' privacy and information and could potentially endanger national security. (Photo by Kevin Dietsch/Getty Images)


Whistleblower Peiter Zatko alleged in congressional testimony on Tuesday that Twitter’s careless collection and storage of user data made the platform a potential source of valuable information for foreign governments, whose penetration of the company may have exceeded what’s currently known.

That alleged sloppiness — compounded by what Zatko, formerly Twitter’s head of security, characterized as a relative lack of interest in the topic from company leadership — also led to a host of other ills. Zatko, who also goes by Mudge, told senators that more than half of Twitter employees could access users’ locations and other data to do their jobs, that the company was lying to federal regulators about whether the platform was actually deleting all that lost data when requested and that many employees could actually take over accounts, as teenage hackers did during a major 2020 attack.

Zatko put forward many of his concerns in a whistleblower complaint to the Securities and Exchange Commission he released in August, including his allegation that the company succumbed to pressure from India’s government to hire two of its agents. He went into more detail on Tuesday about internal conversations and the nature of his worries during a hearing before the Senate Judiciary Committee.

Twitter “simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own,” Zatko said, adding that the company did not track who had actually gotten a look at particular information and almost always had to learn about suspected government agents from outsiders such as law enforcement.

He also said the failure to track data, combined with collecting more information than was necessary, meant the company’s thousands of engineers had to be given access to a lot of user data “by default” just to do their jobs — information that would also be available to any bad actor who infiltrated the company, whether foreign agents or employees willing to dox users. Zatko, whom CEO Parag Agrawal fired suddenly in January, said that he had also learned of a suspected Chinese agent within the company in his last days there.

“I and many others, recognizing the state of the environment at Twitter, were really thinking: If you are not placing foreign agents inside Twitter, because it’s very difficult to detect them … you’re most likely not doing your job,” Zatko said, referring to the thinking of foreign intelligence services.

Twitter has said Zatko’s complaint is “riddled with … inaccuracies” and lacks context and that he is just trying to get back at the company that sacked him for “poor performance.” At times in both his complaint and his testimony, Mudge highlighted potential risks and concerns, rather than actual instances of harm, and he conceded that Twitter collects data that’s already public in many cases, such as the location information many accounts proudly display on their tweets. Many mobile apps also collect the same data that Zatko described, or even more, and larger social media companies — Meta in particular — are generally thought to know way more about users than Twitter does.

Zatko said little about what Washington could actually do to improve matters at Twitter, beyond vague statements that users should have more insight into social media companies’ data practices. Some members of Congress are hoping to finally pass new laws to rein in tech this fall, and they have insisted lawmakers are ready to move forward on privacy or Big Tech competition in the few productive days left this year for legislating.

During the hearing, though, lawmakers made clear they haven’t actually come together on an approach to tech despite all the many hearings over many years previously billed as blockbusters. They discussed data protection, new agencies, new liabilities or simply asking Zatko what he thinks would be right to do. Republican Sen. Lindsey Graham said he and Democrat Elizabeth Warren would introduce legislation that would create a new tech-focused agency to take on privacy, content and other issues — even as a privacy bill that has advanced in the House wants to empower the Federal Trade Commission to take on tech.

Zatko did add that the firms should have less ability to verify their own compliance with the law when talking to U.S. enforcers, and should worry as much about those agencies as they do about international regulators. International regulators often have much greater staff than U.S. ones, and Zatko said the French agency known as the CNIL in particular “terrified Twitter in comparison to the FTC,” largely because of its technical expertise when probing potential violations of the law.

Mudge has alleged, for instance, the company was never in compliance with its 2011 consent decree with the FTC, and he said on Tuesday that the chief privacy officer told him the company has a “ruse”: Because it can’t find some user information in its systems, it just tells regulators who ask about deleting user data that it has deactivated the accounts. In May, the FTC fined Twitter $150 million for alleged violations of the 2011 settlement.

The lawmakers also said little about Elon Musk’s bid to buy Twitter and the court battle that has ensued since he tried to back out of the agreement. A judge recently gave Musk the green light to bring in some of Zatko’s allegations about spam into his claims. Also on Tuesday, the company’s shareholders approved the deal, as expected, meaning the two sides will almost certainly face each other in an October trial.
