Twitter whistleblower Zatko disses bird site as dysfunctional data dump
Mudge tells senators his former bosses are 'terrified' of the French, US regulators are toothless
Twitter's former head of security Peiter "Mudge" Zatko on Tuesday told the US Senate Judiciary Committee that the social media company's lax data handling and inability to present problems to its board of directors threaten Americans' privacy, security, and democracy.
Zatko appeared before Senate lawmakers to testify about the whistleblower report he submitted late last month detailing concerns about the state of cybersecurity at the microblogging outfit. In today's testimony he claimed Twitter management was lying to its board, and to regulators both foreign and domestic.
"Twitter’s security failures threaten national security, compromise the privacy and security of users, and at times threaten the very continued existence of the Company," said Zatko in prepared remarks [PDF].
Zatko worked as Twitter Security Lead – the executive in charge of cybersecurity – from November 2020 until January 2022. His 84-page whistleblower disclosure [PDF] alleges that the company has misrepresented its platform security, privacy, and integrity, defrauded investors, violated SEC auditing rules, and has been either negligent or complicit with regard to foreign influence operations.
In his testimony, Zatko said Twitter has two basic problems.
"First they don't know what data they have, where it lives, or where it came from, and so unsurprisingly, they can't protect it," said Zatko.
"And this leads to the second problem, which is the employees then have to have too much access to too much data and to too many systems. You can think of it this way: It doesn't matter who has keys if you don't have any locks on the doors."
He described Twitter as a company managed by crises rather than one that manages crises. And he revealed surprising practices. For example, he said that Twitter doesn't have a staging environment and instead engineers push code to live production systems handling real-time data.
This has implications for employees acting as agents of foreign governments, Zatko said, both in terms of their access to sensitive data and in terms of their ability to observe content decisions of interest to various nations. He said he observed "with high confidence, a foreign agent placed from India" who was trying to understand how Twitter handled content relevant to politics in that country.
Enemies in the house
He also recounted being informed by the FBI a week before he was fired that there was at least one Chinese intelligence agent on Twitter's payroll.
"While it was disturbing to hear, I and many others, recognizing the state of the environment at Twitter, were really thinking if you are not placing foreign agents inside Twitter – because it's very difficult to detect them, it's very valuable to a foreign agent to be inside there – then as a foreign intelligence [agency] then you're not doing your job."
In 2019, two former Twitter employees were charged by the US Department of Justice with providing personal data about Saudi dissidents to the government of Saudi Arabia during a period between 2013 and 2015. One of these individuals, Ahmad Abouammo, was convicted of spying last month. The other, Ali Alzabarah, remains at large and was said to have returned to Saudi Arabia in 2015.
Zatko, hired several months after the 2020 Twitter account takeovers of former President Barack Obama, Elon Musk, and others, said it was not far-fetched to say an employee at the company could take over the Twitter accounts of every senator in the room and said his concern about this state of affairs was what prompted him, at great professional and personal risk, to become a whistleblower.
Asked about what he observed with regard to efforts to access Twitter data by foreign agents, Zatko said one of the consequences of Twitter being a decade behind in security investment is that the company lacks a way to track unauthorized access.
So even when the company was aware of allegations that employees might be spying, defensive efforts were hampered by lack of centralized logging and the ability to see what suspect insiders were doing or to contain their actions.
"They simply lack the ability to hunt for foreign intelligence agencies and expel them on their own," he said.
Not only that, he encountered a defeatist or indifferent attitude internally: one Twitter executive apparently told him, in response to his concerns that a foreign agent had infiltrated its ranks, that seeing as one was already inside, did it really matter if more were hired?
A web of lies
Separately, he noted that Twitter does not delete the data of users who quit the service and has misled regulators about this. "Instead of answering whether we delete user data, we intentionally have replied we deactivate users and try to sidestep the program, because we know we do not delete user data and cannot comply with that if they demand we do so," he said.
Zatko's revelations about operations at Twitter have been seized upon by billionaire Elon Musk, who made an offer to buy Twitter for $44 billion then had second thoughts after a market correction.
Twitter is now worth about $32 billion, or about 30 percent less at $41.74 per share than Musk's offer at $54.20 per share. What's more, the market correction has reduced the value of stock in other companies that Musk and allied investors might sell to fund the purchase. Predictably, Twitter shareholders on Tuesday voted to approve the sale in light of Musk's unintentionally generous offer.
Musk hopes Zatko's claims can be substantiated to the point that they excuse him from his contractual obligation to buy the social media biz. The tweet-happy billionaire and Twitter are currently preparing to take their dispute to trial next month.
Simultaneously, Zatko and those around him have reportedly been the subject of inquiries seeking information that could be used to discredit his testimony.
Twitter meanwhile disputed Zatko's claims without explaining where he supposedly erred.
"Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies," a Twitter spokesperson said in a statement emailed to The Register.
Asked to cite specific inaccuracies, Twitter's spokesperson did not respond further.
Regulators with teeth
One of the more telling points in Zatko's testimony was on the role of regulators.
Twitter viewed FTC one-off fines over data misuse as a "cost of doing business," he said. But the company was "terrified" of regulators in France and other countries.
The reason, he explained, is that regulators in other countries actually follow up after imposing a fine to make sure the company improves, with the French being particularly dogged on this front. By contrast, American regulators are seen as pushovers.
Zatko's observations about his former employer proved sufficiently concerning that Senator Dick Durbin (D-IL), Judiciary Committee Chairman, and Senator Chuck Grassley (R-IA), Ranking Member, sent Twitter CEO Parag Agrawal a letter [PDF] on Tuesday seeking answers to issues raised in the complaint and the hearing. The letter asks, among other things, what Twitter has done to adjust its hiring and employee oversight policies in light of the company's infiltration by individuals working on behalf of the Saudi government.
During the hearing, Senator Lindsey Graham (R-SC) said that he and Senator Elizabeth Warren (D-MA), though politically far apart, share a belief that the current US regulatory system can't manage social media platforms.
Consequently, they intend to work together to change things. "We're going to create a system more like Europe, a regulatory environment with teeth," he said. ®