Whistleblower Peiter Zatko alleged in congressional testimony on Tuesday that Twitter’s careless collection and storage of user data made the platform a potential source of valuable information for foreign governments, whose penetration of the company may have exceeded what’s currently known.
That alleged sloppiness — compounded by what Zatko, formerly Twitter’s head of security, characterized as a relative lack of interest in the topic from company leadership — also led to a host of other ills. Zatko, who also goes by Mudge, told senators that more than half of Twitter employees could access users’ locations and other data to do their jobs, that the company was lying to federal regulators about whether the platform was actually deleting all that lost data when requested and that many employees could actually take over accounts, as teenage hackers did during a major 2020 attack.
Zatko put forward many of his concerns in a whistleblower complaint to the Securities and Exchange Commission he released in August, including his allegation that the company succumbed to pressure from India’s government to hire two of its agents. He went into more detail on Tuesday about internal conversations and the nature of his worries during a hearing before the Senate Judiciary Committee.
Twitter “simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own,” Zatko said, adding that the company did not track who had actually gotten a look at particular information and almost always had to learn about suspected government agents from outsiders such as law enforcement.
He also said the failure to track data, combined with collecting more information than was necessary, meant the company’s thousands of engineers had to be given access to a lot of user data “by default” just to do their jobs — information that would also be available to any bad actor who infiltrated the company, whether foreign agents or employees willing to dox users. Zatko, whom CEO Parag Agrawal fired suddenly in January, said that he had also learned of a suspected Chinese agent within the company in his last days there.
“I and many others, recognizing the state of the environment at Twitter, were really thinking: If you are not placing foreign agents inside Twitter, because it’s very difficult to detect them … you’re most likely not doing your job,” Zatko said, referring to the thinking of foreign intelligence services.
Twitter has said Zatko’s complaint is “riddled with … inaccuracies” and lacks context and that he is just trying to get back at the company that sacked him for “poor performance.” At times in both his complaint and his testimony, Mudge highlighted potential risks and concerns, rather than actual instances of harm, and he conceded that Twitter collects data that’s already public in many cases, such as the location information many accounts proudly display on their tweets. Many mobile apps also collect the same data that Zatko described, or even more, and larger social media companies — Meta in particular — are generally thought to know way more about users than Twitter does.
Zatko said little about what Washington could actually do to improve matters at Twitter, beyond vague statements that users should have more insight into social media companies’ data practices. Some members of Congress are hoping to finally pass new laws to rein in tech this fall, and they have insisted lawmakers are ready to move forward on privacy or Big Tech competition in the few productive days left this year for legislating.
During the hearing, though, lawmakers made clear they haven’t actually come together on an approach to tech despite the many hearings over many years previously billed as blockbusters. They discussed data protection, new agencies and new liabilities, or simply asked Zatko what he thinks would be the right thing to do. Republican Sen. Lindsey Graham said he and Democrat Elizabeth Warren would introduce legislation that would create a new tech-focused agency to take on privacy, content and other issues — even as a privacy bill that has advanced in the House wants to empower the Federal Trade Commission to take on tech.
Zatko did add that the firms should have less ability to verify their own compliance with the law when talking to U.S. enforcers, and should worry as much about those agencies as they do about international regulators. International regulators often have much greater staff than U.S. ones, and Zatko said the French agency known as the CNIL in particular “terrified Twitter in comparison to the FTC,” largely because of its technical expertise when probing potential violations of the law.
Mudge has alleged, for instance, the company was never in compliance with its 2011 consent decree with the FTC, and he said on Tuesday that the chief privacy officer told him the company has a “ruse”: Because it can’t find some user information in its systems, it just tells regulators who ask about deleting user data that it has deactivated the accounts. In May, the FTC fined Twitter $150 million for alleged violations of the 2011 settlement.
The lawmakers also said little about Elon Musk’s bid to buy Twitter and the court battle that has ensued since he tried to back out of the agreement. A judge recently gave Musk the green light to bring some of Zatko’s allegations about spam into his claims. Also on Tuesday, the company’s shareholders approved the deal, as expected, meaning the two sides will almost certainly face each other in an October trial.