The former security chief at Twitter has told the United States Congress that the social media platform is plagued by weak cyber-defences that make it vulnerable to exploitation by “teenagers, thieves and spies” and put the privacy of its users at risk.
“I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Peiter “Mudge” Zatko, a respected cybersecurity expert, said before the Senate Judiciary Committee on Tuesday.
“They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko added. “It doesn’t matter who has keys if there are no locks.”
His message echoed one brought to Congress against another social media giant last year, but unlike that Facebook whistleblower, Frances Haugen, Zatko did not bring troves of internal documents to back up his claims.
His testimony comes as US lawmakers attempt to crack down on disinformation campaigns that risk skewing elections and public health campaigns.
Zatko was the head of security for the influential platform until he was sacked early this year.
The 51-year-old first gained prominence in the 1990s as a pioneer in the ethical hacking movement and later worked in senior positions at an elite Department of Defense research unit and at Google. He joined Twitter in late 2020 at the urging of then-CEO Jack Dorsey.
He filed a whistleblower complaint in July with Congress, the US Department of Justice, the Federal Trade Commission (FTC) and the Securities and Exchange Commission.
Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
US Senator Dick Durbin, an Illinois Democrat who heads the Judiciary Committee, said Zatko has detailed flaws “that may pose a direct threat to Twitter’s hundreds of millions of users as well as to American democracy”.
“Twitter is an immensely powerful platform and can’t afford gaping vulnerabilities,” he said.
Unknown to Twitter users, there’s far more personal information disclosed than they — or sometimes even Twitter itself — realise, Zatko testified. He said that “basic systemic failures” that were brought forward by company engineers were not addressed.
The FTC has been “a little over its head”, and far behind European counterparts, in policing the sort of privacy violations that have occurred at Twitter, Zatko also said.
Many of Zatko’s claims are uncorroborated and appear to have little documentary support.
Twitter has called Zatko’s description of events “a false narrative … riddled with inconsistencies and inaccuracies” and lacking important context.
Zatko has also accused the company of deception in its handling of automated “spam bots” or fake accounts.
That allegation is at the core of billionaire tycoon Elon Musk’s attempt to back out of his $44bn deal to buy Twitter. Musk and Twitter are locked in a bitter legal battle, with Twitter having sued Musk to force him to complete the agreement.
The Delaware judge overseeing the case ruled last week that Musk can include new evidence related to Zatko’s allegations in the high-stakes trial, which is set to start on October 17.
Senator Charles Grassley, the committee’s ranking Republican, said on Tuesday that Twitter CEO Parag Agrawal declined to testify at the hearing, citing the ongoing legal proceedings with Musk.
But the hearing is “more important that Twitter’s civil litigation in Delaware”, Grassley said. Twitter declined to comment on Grassley’s remarks.
In his complaint, Zatko accused Agrawal as well as other senior executives and board members of numerous violations, including making “false and misleading statements to users and the FTC about the Twitter platform’s security, privacy and integrity”.
Twitter has said Zatko was fired for “ineffective leadership and poor performance”, and that his allegations appeared designed to harm the company.
Among the assertions from Zatko that drew attention from US lawmakers on Tuesday was that Twitter knowingly allowed the government of India to place its agents on the company payroll, where they had access to highly sensitive data on users.
Twitter’s lack of ability to log how employees accessed user accounts made it hard for the company to detect when employees were abusing their access, Zatko said.
India has not commented on that assertion.
The whistleblower disclosures had also noted that the US Federal Bureau of Investigation had informed Twitter of at least one Chinese agent inside the company, Senator Grassley said in his opening statement.
Zatko said on Tuesday that in the week before he was sacked, he learned an agent of China’s Ministry of State Security, or MSS, an agency comparable to the US Central Intelligence Agency, was on the payroll at Twitter.
It was not immediately clear if the alleged Chinese agent was still working at the company.
Twitter has said Zatko was fired for ‘ineffective leadership and poor performance’ and that his allegations appeared designed to harm the company