Twitter whistleblower testifies to Congress, calls for tech regulation reforms

Former Twitter security chief Peiter “Mudge” Zatko testified before the Senate Judiciary Committee Tuesday, alleging infiltration of Twitter by foreign agents, widespread lack of data controls and ineffective U.S. regulation. 

These problems left Americans’ data and national security at risk, according to Zatko — who said leadership wasn’t incentivized to fix the problems.

“It is difficult to get a man to understand something when his salary depends on him not understanding it,” he said during the hearing, quoting a famous line from author Upton Sinclair. 

Zatko is an “ethical hacker” with a decades-long track record, including years inside the federal government. According to a whistleblower complaint first reported last month by CNN and the Washington Post, he was fired after raising complaints about security issues and fraud. 

His testimony Tuesday alarmed lawmakers. 

Roughly half of Twitter employees are engineers who have vast practical access to the company’s systems, according to Zatko. However, those systems often lack logging capabilities, so it can be hard to track if someone inappropriately accesses information. 

“It doesn’t matter who has keys if you don’t have any locks on the doors,” Zatko said. 

At the same time, the platform has access to a significant amount of user data — including location data that can be used to map patterns of life, Zatko noted. 

Such information could be particularly valuable to foreign intelligence operations. 

“We’ve learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies,” ranking member Sen. Chuck Grassley (R-Iowa) said, referencing allegations regarding the placement of two suspected Indian assets within the company. 

“His disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company,” Grassley added. 

During questioning, Zatko confirmed this, and he recalled that in one exchange he told another Twitter official he was confident there was a foreign agent within a certain office.

The Twitter employee's response, Zatko said, was: “Well, since we already have one, what does it matter if we have more? Let’s keep growing the office.”

Twitter did not immediately respond to a request for comment about Zatko’s testimony. 

Limits of regulation 

Zatko emphasized in his testimony the lack of effective regulation from the Federal Trade Commision (FTC), which he described as unfeared inside the company.

“To effectively address this problem, we need to not only insist on restructuring the company, but also restructuring, reforming and energizing our regulatory apparatus — not only as to Twitter, but also as to other Internet companies and platforms,” Sen. Richard Blumenthal (D-Conn.) said. 

Zatko agreed, noting that inquiries from other regulators — including those in Europe, were taken more seriously by the company. 

Twitter has been under a consent decree with the FTC since 2011 due to data security failures. In May, the company decided to settle a civil complaint from the agency charging that Twitter violated that order by collecting phone numbers of users for account security purposes, then using them to target advertising. The company agreed to pay a $150 million fine – the sort of one-time payment that would not phase a company of Twitter’s scale, Zatko testified.

“Who is going to force Twitter to do anything?,” asked Sen. Mazie Hirano (D-Hawaii).

The answer, according to Zatko, is change from the top of the company as well as creating quantifiable standards that regulators can use to hold companies like Twitter accountable. 

During the hearing, legislators suggested several potential regulatory solutions to the issues raised by Zatko’s testimony, including a bipartisan privacy bill currently being considered by Congress that would give additional authority to the FTC. 

The agency is also in the beginning stages of a process that could result in commercial data privacy and security rules, rather than the case-by-case enforcement it employs now. 

The Wall Street Journal recently reported that Twitter agreed in June to pay Zatko a $7 million dollar settlement over his departure from the company. The deal included a nondisclosure agreement that prevents him from speaking about his time at the company, with exceptions for government testimony and formal complaints.