Sloppy data use is Twitter’s original sin, Mudge tells Congress

Infiltration, lies to the FTC and employees’ ability to impersonate users all have one cause, according to whistleblower Peiter Zatko.

WASHINGTON, DC - SEPTEMBER 13: Peiter “Mudge” Zatko, former head of security at Twitter, is sworn-in as he testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC. Zatko claims that Twitter's widespread security failures pose a security risk to user's privacy and information and could potentially endanger national security. (Photo by Kevin Dietsch/Getty Images)

Zatko told senators that more than half of Twitter employees could access users’ locations and other data to do their jobs.

Photo: Kevin Dietsch/Getty Images

Whistleblower Peiter Zatko alleged in congressional testimony on Tuesday that Twitter’s careless collection and storage of user data made the platform a potential source of valuable information for foreign governments, whose penetration of the company may have exceeded what’s currently known.

That alleged sloppiness — compounded by what Zatko, formerly Twitter’s head of security, characterized as a relative lack of interest in the topic from company leadership — also led to a host of other ills. Zatko, who also goes by Mudge, told senators that more than half of Twitter employees could access users’ locations and other data to do their jobs, that the company was lying to federal regulators about whether the platform was actually deleting all that lost data when requested and that many employees could actually take over accounts, as teenage hackers did during a major 2020 attack.

Zatko put forward many of his concerns in a whistleblower complaint to the Securities and Exchange Commission he released in August, including his allegation that the company succumbed to pressure from India’s government to hire two of its agents. He went into more detail on Tuesday about internal conversations and the nature of his worries during a hearing before the Senate Judiciary Committee.

Twitter “simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own,” Zatko said, adding that the company did not track who had actually gotten a look at particular information and almost always had to learn about suspected government agents from outsiders such as law enforcement.

He also said the failure to track data, combined with collecting more information than was necessary, meant the company’s thousands of engineers had to be given access to a lot of user data “by default” just to do their jobs — information that would also be available to any bad actor who infiltrated the company, whether foreign agents or employees willing to dox users. Zatko, whom CEO Parag Agrawal fired suddenly in January, said that he had also learned of a suspected Chinese agent within the company in his last days there.

“I and many others, recognizing the state of the environment at Twitter, were really thinking: If you are not placing foreign agents inside Twitter, because it’s very difficult to detect them … you’re most likely not doing your job,” Zatko said, referring to the thinking of foreign intelligence services.

Twitter has said Zatko’s complaint is “riddled with … inaccuracies” and lacks context and that he is just trying to get back at the company that sacked him for “poor performance.” At times in both his complaint and his testimony, Mudge highlighted potential risks and concerns, rather than actual instances of harm, and he conceded that Twitter collects data that’s already public in many cases, such as the location information many accounts proudly display on their tweets. Many mobile apps also collect the same data that Zatko described, or even more, and larger social media companies — Meta in particular — are generally thought to know way more about users than Twitter does.

Zatko said little about what Washington could actually do to improve matters at Twitter, beyond vague statements that users should have more insight into social media companies’ data practices. Some members of Congress are hoping to finally pass new laws to rein in tech this fall, and they have insisted lawmakers are ready to move forward on privacy or Big Tech competition in the few productive days left this year for legislating.

During the hearing, though, lawmakers made clear they haven’t actually come together on an approach to tech despite all the many hearings over many years previously billed as blockbusters. They discussed data protection, new agencies, new liabilities or simply asking Zatko what he thinks would be right to do. Republican Sen. Lindsey Graham said he and Democrat Elizabeth Warren would introduce legislation that would create a new tech-focused agency to take on privacy, content and other issues — even as a privacy bill that has advanced in the House wants to empower the Federal Trade Commission to take on tech.

Zatko did add that the firms should have less ability to verify their own compliance with the law when talking to U.S. enforcers, and should worry as much about those agencies as they do about international regulators. International regulators often have much greater staff than U.S. ones, and Zatko said the French agency known as the CNIL in particular “terrified Twitter in comparison to the FTC,” largely because of its technical expertise when probing potential violations of the law.

Mudge has alleged, for instance, the company was never in compliance with its 2011 consent decree with the FTC, and he said on Tuesday that the chief privacy officer told him the company has a “ruse”: Because it can’t find some user information in its systems, it just tells regulators who ask about deleting user data that it has deactivated the accounts. In May, the FTC fined Twitter $150 million for alleged violations of the 2011 settlement.

The lawmakers also said little about Elon Musk’s bid to buy Twitter and the court battle that has ensued since he tried to back out of the agreement. A judge recently gave Musk the green light to bring in some of Zatko’s allegations about spam into his claims. Also on Tuesday, the company’s shareholders approved the deal, as expected, meaning the two sides will almost certainly face each other in an October trial.

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories