On Sept. 13, Peiter Zatko testified before a Senate committee that Twitter executives misled the public about the failed state of its data security practices. (Video: The Washington Post)
Updated September 13, 2022 at 6:45 p.m. EDT|Published September 13, 2022 at 6:15 a.m. EDT
A Twitter whistleblower on Tuesday testified before Congress that the company’s failure to secure sensitive data causes “real harm to real people,” prompting senators to grapple with Washington’s inability to effectively regulate major social networks.
Peiter “Mudge” Zatko’s Senate testimony — which expanded on an 84-page complaint shared with regulators and The Washington Post this summer — said that Twitter executives misled the public, regulators and the company’s own board about its systemically broken defenses against hackers.
He described an executive team that was financially incentivized to ignore root problems, such as employees having too much access to data. Because the company wasn’t properly tracking data access, he claimed, it was impossible for the company to respond to critical national security risks — including access gained by potential foreign agents on its payroll.
Zatko, the company’s former security lead and a renowned hacker, grounded his at-times highly technical disclosures in examples of risks that lawmakers could connect to, suggesting this unfettered access could result in Twitter engineers sending unauthorized tweets from their accounts.
“It doesn’t matter who has keys if you don’t have any locks on the doors,” he said. “It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”
Twitter has said security and privacy are priorities at the company. “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” said Rebecca Hahn, a Twitter spokeswoman. Twitter declined to say which of Zatko’s claims were inaccurate.
The federal government has struggled for years with the growing influence of major tech companies, with lawmakers from both parties promising to pass regulations to protect Americans’ data, improve competition in the industry and keep children safe online. Yet no such bills have become law, despite dozens of hearings grilling some of the most powerful tech executives in the world, as well as former employees such as Zatko who are going public with alleged wrongdoing.
On Tuesday, lawmakers not only railed against Twitter, but also raised concerns about how their own inaction has prevented regulators such as the Federal Trade Commission from protecting Americans from alleged company abuses. They asked Zatko pointed questions about the ways smaller countries, such as France, have been able to pursue more aggressive oversight of data-privacy abuses.
“I believe this should be a watershed moment,” said Zatko attorney Alexis Ronickher, adding that she was heartened by the commitment from the senators to change regulation and enforcement.
In appearing before Congress to discuss his disclosures, Zatko joins a cohort of other tech whistleblowers who have turned to lawmakers to address allegedly improper activity in the tech industry. Zatko, who reported directly to former Twitter chief executive Jack Dorsey, was in a more senior position than Facebook whistleblower Frances Haugen or Cambridge Analytica whistleblower Christopher Wylie — raising the personal and professional stakes of his disclosure. Yet it remains to be seen whether Zatko’s allegations will spur action in a narrowly divided and often paralyzed Congress, in which intense industry lobbying, partisan division and competing priorities have thwarted previous efforts to rein in Silicon Valley.
Meanwhile, Twitter shareholders voted Tuesday to approve Elon Musk’s $44 billion acquisition offer, setting the world’s richest man on a collision course with the social media company as the two head to court in October. The approval — to accept Musk’s offer of $54.20 per share, far higher than the current share price of roughly $42 — was widely expected. Twitter has forged ahead with the deal, despite Musk’s attempts to back out because of what he says are problems with the company’s business.
Zatko’s testimony could also factor into Twitter’s ongoing litigation with Musk, who has already incorporated some of the arguments from the whistleblower’s complaint in court.
Zatko is also expected to meet with federal regulators, including the FTC, which could bring fines totaling hundreds of millions of dollars against Twitter for violating a previous consent order with the agency. Zatko has alleged that Twitter did not follow through on the commitments it made to the Federal Trade Commission to create a data-security program.
Ronickher declined to say whether Zatko was meeting with the agency while he was in D.C.
Zatko on Tuesday expanded on allegations in his redacted complaint regarding Twitter’s employment of suspected foreign government operatives, who may have had access to sensitive data because of the company’s lack of internal controls. He said agents for the Indian government and the Chinese government were on the company’s payroll.
A week before his January firing, Zatko testified, the FBI had warned security staff that a Chinese agent for the Ministry of State Security was employed at the company. Twitter ads paid for by the Chinese government also could have elicited information, including the locations of users who click on them, he said.
Zatko’s testimony is already becoming a headache for Twitter and its chief executive, Parag Agrawal. Multiple senators slammed Agrawal for declining to testify before the Senate Judiciary Committee because of the company’s ongoing litigation with Musk.
Sen. Charles E. Grassley (R-Iowa), the committee’s top Republican, said that if Zatko’s allegations are true, Agrawal should be forced to step down as chief executive.
The disclosures Tuesday appeared to prompt some bipartisan soul-searching among lawmakers, many of whom spoke of a combined failure to bring enforcement against tech companies. Sen. Lindsey O. Graham (R-S.C.) said that he was working across party lines with Sen. Elizabeth Warren (D-Mass.) to create a regulatory system that would imitate one in Europe, where lawmakers have taken aggressive action to penalize American tech companies.
Graham and Warren are on opposite ends of the political spectrum, and Graham’s proposal signals how dramatically some Republicans’ positions on tech regulation have evolved in recent years. The party has historically favored a less stringent regulatory environment for businesses. A congressional aide, who spoke on the condition of anonymity to discuss ongoing negotiations, confirmed Warren was working with Graham, but a final agreement was “not imminent.”
Graham suggested a new regulator would address privacy, content moderation and foreign interference, and that it would provide an appeals process for users when companies remove their content.
“Your testimony today has legitimized what most of us feel is a process out of control, that the regulatory environment is insufficient to the task,” Graham said. “It’s time to up our game in this country.”
Multiple senators appeared interested in how other countries have approached regulating tech companies such as Twitter. Sen. Mazie Hirono (D-Hawaii) asked if French regulators had better standards to hold Twitter accountable. Zatko responded that France’s data regulator is “more feared” because “they dig in technically and go toward more quantitative results that are less easy for organizations to sort of wordsmith around.”
Sen. Richard Blumenthal (D-Conn.) floated the idea of creating a tech enforcement agency that would specifically address data security and national security threats posed by tech companies.
“I think the mounting evidence shows that the current regulatory structure is failing,” Blumenthal told The Post.
Zatko emphasized throughout the hearing that any regulations need to be enforced with independent audits and metrics, to ensure that well-resourced companies are unable to game the system.
He also called on lawmakers to consider legislation that would expand whistleblower protections to other government agencies, so that more employees would be able to disclose critical information to the government. Zatko and Haugen, the Facebook whistleblower, filed their complaints with the Securities and Exchange Commission, which has a dedicated program that offers rewards and protections for such complaints.
The FTC, the industry’s main tech regulator, does not have such a program, and the SEC does not protect whistleblowers at privately owned companies.
Early in the hearing, Zatko spoke about the personal and professional toll submitting his complaint had taken on him and his family. He said that he did not make his disclosures “out of spite or to harm Twitter.”
“What you did today will not be in vain,” Graham said.
Zatko testimony echoes his security warnings to the Hill in 1998
Zatko has testified before Congress since 1998. A previous version of this item incorrectly said he hadn’t testified since then. This item has been updated.
Peiter Zatko’s testimony before the Senate Judiciary Committee echoes his appearance in 1998, when he led a crew of seven hackers from the pioneering Boston group L0pht as they warned that the internet was unsafe at any speed. The others who testified under their online handles that day included Chris “Weld Pond” Wysopal, who went on to co-found the billion-dollar security firm Veracode, and Joe “Kingpin” Grand, an early hardware enthusiast who recently won acclaim for breaking into cryptocurrency wallets for owners who lost their passwords. (Wysopal made a return trip in 2003 to tell a House committee about rapid evolution in computer viruses.)
Twitter shareholder vote seen as a strategic move ahead of trial
Elon Musk’s takeover offer for Twitter heads to trial on Oct. 17.
Some investors, and governance and legal experts, have pointed to the shareholder vote as a key date on the calendar, signaling Twitter’s eagerness to bring the matter to a close and place pressure on Musk as the deal heads to court. Some of those experts have also cited the shareholder vote as a potential impetus for settlement talks, as the matter gets closer to trial.
Twitter has argued for an expedited trial, in an effort to limit damage to the company, an argument the judge found compelling enough to compress the trial to a week.
Elon Musk tweeted popcorn emoji during whistleblower hearing
The billionaire, who plans to incorporate some of Zatko’s claims at his upcoming trial against Twitter, also changed his Twitter display name to “Naughtius Maximus.”
Twitter shareholder vote brings matter one step closer to trial
Twitter shareholders’ approval of Elon Musk’s $44 billion offer to buy the company takes the matter one step closer to a heated battle in court.
Shareholders gave their assent to the deal Tuesday, according to a preliminary count of a vote, the company said. The vote took place during a short virtual meeting after brief remarks by Twitter CEO Parag Agrawal.
The result came as little surprise to those closely following the matter. Musk’s offer of $54.20 per share was substantially higher than Twitter’s current trading price, below $42.
Twitter shareholders are holding a vote Tuesday to formally consider Musk’s offer to buy the website for $44 billion, another step toward closing the deal as the disputed takeover heads to Delaware Chancery Court.
Shareholders are expected to greenlight the deal for $54.20 per share — Musk’s offer from April — a substantial premium over Monday’s trading price of around $41. Twitter’s board urged shareholders to vote yes ahead of the meeting, which will take place virtually at 1 p.m. EDT.
Shareholders were also expected to consider a measure to approve payouts tied to the merger for Twitter executives, though an affirmative vote is not required to complete the deal.
Senators noncommittal on issuing subpoena for Twitter CEO
Top Senate lawmakers repeatedly vented at Tuesday’s hearing that Twitter CEO Parag Agrawal would not appear before the panel but declined to say after the session whether they planned to issue a subpoena to compel him to appear.
Sens. Richard J. Durbin (D-Ill.) and Charles E. Grassley (R-Iowa), the chair and ranking member of the Senate Judiciary Committee, each told reporters they needed to consult with each other on the matter.
Asked whether he planned to hold an additional hearing on the whistleblower claims, Durbin replied, “It’s possible. I’ll talk that over with Senator Grassley.”
Twitter culture rewarded rosy reports, hid bad facts, Zatko alleged
Asked why as head of security he was unable to get Twitter to meet basic security standards, Peiter Zatko said his attempts were frustrated by a culture that dissuaded employees from reporting negative information.
Zatko alleged in his whistleblower complaint that executives touted internally and to the board that more than 90 percent of the company’s laptops had security software installed, while omitting the fact that the software showed that 30 percent of the machines had settings that prevented software updates from being installed automatically.
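The laptop figures above are a textbook case of a coverage metric that counts the wrong thing: "agent installed" looks like 90 percent, while the share of machines that are actually kept current is far lower. The following is an added illustration, not code from the article or from Twitter, of how a fleet-coverage check should be written so that a host counts as protected only when every control that matters is in force. The inventory records, the field names (`agent_installed`, `auto_update`, `agent_version`) and the minimum acceptable agent version are constructed assumptions, not any vendor's export format.

```python
"""Fleet-coverage check: report both the naive 'agent installed' rate and the
rate of hosts that are fully protected, listing why each host falls short.
The inventory below is constructed sample data; field names are assumptions."""
import json

# Constructed endpoint-inventory export, one JSON object per line.
INVENTORY = """\
{"host": "lt-001", "agent_installed": true,  "auto_update": true,  "agent_version": "3.4.1"}
{"host": "lt-002", "agent_installed": true,  "auto_update": false, "agent_version": "3.1.0"}
{"host": "lt-003", "agent_installed": true,  "auto_update": true,  "agent_version": "3.4.1"}
{"host": "lt-004", "agent_installed": false, "auto_update": false, "agent_version": null}
{"host": "lt-005", "agent_installed": true,  "auto_update": false, "agent_version": "3.4.1"}
{"host": "lt-006", "agent_installed": true,  "auto_update": true,  "agent_version": "3.4.1"}
{"host": "lt-007", "agent_installed": true,  "auto_update": true,  "agent_version": "2.9.7"}
{"host": "lt-008", "agent_installed": true,  "auto_update": false, "agent_version": "3.4.1"}
{"host": "lt-009", "agent_installed": true,  "auto_update": true,  "agent_version": "3.4.1"}
{"host": "lt-010", "agent_installed": true,  "auto_update": true,  "agent_version": "3.4.1"}
"""

# Assumed minimum acceptable agent release for this illustration.
CURRENT_VERSION = (3, 4, 1)


def parse_inventory(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def version_tuple(version):
    """Turn '3.4.1' into (3, 4, 1) for ordered comparison; None sorts lowest."""
    return tuple(int(p) for p in version.split(".")) if version else (0,)


def failures(rec):
    """Return every reason this host does not count as protected (empty if it does)."""
    reasons = []
    if not rec["agent_installed"]:
        return ["agent missing"]  # nothing else can be evaluated without an agent
    if not rec["auto_update"]:
        reasons.append("auto-update disabled")
    if version_tuple(rec["agent_version"]) < CURRENT_VERSION:
        reasons.append("agent out of date")
    return reasons


def coverage_report(records):
    """Compare the naive 'installed' percentage with true protected coverage."""
    total = len(records)
    installed = sum(1 for r in records if r["agent_installed"])
    unprotected = {r["host"]: failures(r) for r in records if failures(r)}
    protected = total - len(unprotected)
    return {
        "total": total,
        "installed_pct": round(100 * installed / total),
        "protected_pct": round(100 * protected / total),
        "unprotected": unprotected,
    }


if __name__ == "__main__":
    report = coverage_report(parse_inventory(INVENTORY))
    print(f"agent installed: {report['installed_pct']}%  "
          f"fully protected: {report['protected_pct']}%")
    for host, why in report["unprotected"].items():
        print(f"  {host}: {', '.join(why)}")
```

The point of the second percentage is that it cannot be inflated by installing an agent and then leaving it frozen: a host with auto-update disabled or a stale agent is reported by name with the reason, which is the kind of quantitative, hard-to-wordsmith output Zatko contrasts with self-reported status slides later in the hearing.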
Twitter whistleblower Peiter Zatko alleged Sept. 13 that due to Twitter’s lack of internal controls, company engineers could tweet as other users (Video: The Washington Post)
Zatko alleged that due to Twitter’s lack of internal controls, company engineers had wide system access that would allow them to tweet as other users — including U.S. senators.
Zatko said he was not specifically aware of this occurring, but the example underscored his approach throughout the hearing: grounding highly technical allegations in relatable illustrations of the real-world risks and harms that could follow from the company’s alleged lack of security controls.
Graham says U.S. needs to create a regulatory system more like Europe
Sen. Lindsey O. Graham (R-S.C.) said on Sept. 13 that the U.S. needs to create a regulatory system more like Europe. (Video: The Washington Post)
Sen. Lindsey O. Graham (R-S.C.) says he is working with Sen. Elizabeth Warren (D-Mass.) to create a tech regulatory regime “with teeth” that would be similar to the system in Europe, where policymakers have sought to aggressively regulate American tech giants.
“Your testimony today has legitimized what most of us feel is a process out of control, that the regulatory environment is insufficient to the task,” Graham said. “It’s time to up our game in this country.”
Graham and Warren are odd bedfellows on opposite ends of the political spectrum, underscoring the increasing bipartisan momentum behind efforts to regulate the tech industry. Graham’s call for the U.S. to be more like Europe shows how drastically the Republicans’ position on tech regulation has evolved in recent years, as the party historically favored a less stringent regulatory environment for businesses.
Peiter Zatko’s allegations to lawmakers in the hearing’s first 90 minutes painted a portrait of a company that has placed financial gains over establishing basic security protections that would allow it to track vast troves of sensitive data and who is accessing it.
Zatko’s answers to lawmakers have gone beyond what he disclosed in his 84-page complaint to the SEC and other regulators, revealing new details about his allegations of foreign influence from China and India on the platform. He’s also sought to ground his highly technical claims in terms and risks that lawmakers can easily understand, such as suggesting it would be possible for a Twitter employee to access the account data of all the senators on the committee.
Cotton veers off topic into allegations of censorship
Sen. Tom Cotton (R-Ark.) veered away from Zatko’s allegations of security failures and national security risks, opening his questioning with accusations about alleged censorship on the platform.
The line of questioning reflected the persistent political divisions within Congress over regulating social media companies. Lawmakers have presented a largely united front during Zatko’s hearing, focusing questions on foreign influence operations and data security practices. Republican lawmakers have made accusations about Twitter and other large tech companies silencing conservative viewpoints central to their midterm political messaging.
Senators highlight national security risks from Twitter’s practices
Senators questioning Peiter Zatko said that the company was allowing risks to U.S. national security to fester by employing suspected spies and being unwilling to invest in methods for effectively tracking what data they accessed within the company.
The senators shared additional allegations that had been withheld or redacted from the original whistleblower complaint, including that Twitter ads said to be paid for by the Chinese government could have elicited information, including the locations of users who click on them.
Republicans raise Twitter’s reported adult entertainment plans
Republican lawmakers on Tuesday peppered the whistleblower with questions about a news report that Twitter scrapped plans for a subscription service for adult content creators, detouring from the hearing’s stated focus on data security.
According to the Verge, the company considered monetizing the content in early 2022 by launching a competitor to the OnlyFans service, but opted against it after discovering that the platform was not “effectively policing harmful sexual content on the platform.”
Sens. John Neely Kennedy (R-La.) and Marsha Blackburn (R-Tenn.) both broached the topic, with Kennedy saying that “Twitter for a while was going to go into the porn business.”