European data privacy watchdogs grill Twitter over Mudge security claims

Two European data privacy watchdogs in France and Ireland said they are looking into recent claims made by Twitter’s former head of security Peiter Zatko.

A spokesperson for Ireland’s Data Protection Commission (DPC) told The Record it met with Twitter representatives on Tuesday after news reports broke of Zatko’s incendiary claims about the social media giant’s cybersecurity and data practices.

In multiple interviews and a witness complaint, Zatko said Twitter had misled regulators in the U.S. and several other countries. 

“When, years earlier, the FTC [Federal Trade Commission] had asked questions about the training material used to build Twitter’s machine learning models, Twitter realized that truthful answers would implicate the company in extensive copyright / intellectual property rights violations,” Zatko said in his complaint. 

“Twitter’s strategy, which executives explicitly acknowledged was deceptive, was to decline to provide the FTC with the requested training material, and instead pointed the FTC towards particular models that would not expose Twitter’s failure to acquire appropriate IP rights.”

According to Zatko, Twitter expected the DPC in Ireland and France’s data privacy watchdog Commission nationale de l'informatique et des libertés (CNIL) to ask similar questions in the early months of 2022. 

Zatko said senior privacy employees told him Twitter was “going to attempt the same deception.”

“Unless circumstances have changed since Mudge was fired in January, then Twitter’s continued operation of many of its basic products is most likely unlawful and could be subject to an injunction, which could take down most or all of the Twitter platform,” the complaint said.

“Before Mudge could dig deeper into this issue he was terminated.”

The FTC said it had no comment when asked about the claims in Zatko’s complaint. 

A Twitter spokesperson told The Record that it will continue to work with regulators around the world on issues related to safety and security.

“For the moment we are not in a position to confirm or deny the accuracy of the alleged breaches,” a CNIL spokesperson said, adding that the agency is currently investigating the complaint. 

“If the accusations are true, the CNIL could carry out checks that could lead to an order to comply or a sanction if breaches are found. In the absence of a breach, the procedure would be terminated.”

Ireland’s DPC said it plans to “continue to engage” with Twitter on the issues Zatko raised. 

Twitter did not respond to requests for comment about Zatko’s claims related to the company'sconduct with European regulators. 

Twitter apparently used their cookies for "all purposes" (security cookies used for advertising) ++ once told by the French CNIL to change this, they kept it on purposefully for another month "in order to extract maximum profit from French users before rolling out the fix." pic.twitter.com/6pSNQTcu8F

— Zach Edwards (@thezedwards) August 24, 2022

Several parts of Zatko’s whistleblower complaint have alarmed regulators and lawmakers, most notably the section outlining the efforts of multiple countries to place government agents in roles at the company. 

He is expected to testify in front of the the Senate Judiciary Committee on September 13.

“Mr. Zatko’s allegations of widespread security failures and foreign state actor interference at Twitter raise serious concerns. If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Sens. Richard J. Durbin (D-Ill.) and Charles E. Grassley (R-Iowa) said in a statement to the Washington Post.