Twitter Whistle-Blower Cites ‘Ticking Bomb’ of US Security Risks

(Bloomberg) — Twitter Inc.’s security lapses were so grave that they threatened national security and far outpaced US regulators’ ability to police them, the company’s former head of security-turned-whistle-blower told senators on Tuesday. 

Speaking before the Senate Judiciary Committee, Peiter Zatko, also known by his hacker name “Mudge,” said Twitter was a decade behind necessary security upgrades, which he described as a “ticking bomb of security vulnerabilities.” He detailed several cases in which Twitter prioritized profit over addressing the risks on its influential platform.

“Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security,” Zatko said in the hearing. 

He also said the company’s leadership “repeatedly covered up its security failures by duping regulators and lying to users and investors.”

Sitting alone at a table facing the dais of senators, Zatko painted a picture of a company that collected vast amounts of user data but only understood how about 20% of it was used and allowed many employees a dangerous level of access to that information. Even though Twitter was under a 2011 consent decree from the Federal Trade Commission to address security lapses, Zatko said US regulators — and the one-time fees they use as deterrents — are ineffective compared to their foreign peers like France’s data protection agency. 

“The FTC is in a little bit over their head” policing powerful companies like Google, Facebook and Twitter, Zatko said. “They’re left letting companies grade their own homework.”

Zatko, 51, first testified before Congress in 1998, warning a Senate committee about fundamental weaknesses in the internet’s infrastructure. He then went on to work at the US Defense Advanced Research Projects Agency, Alphabet Inc.’s Google and the payment service Stripe Inc. before being hired by Twitter founder and former Chief Executive Officer Jack Dorsey in 2020 to help address security concerns.

He was fired in January 2022 over what the company said were performance shortcomings.

Twitter declined to comment in advance of the testimony. But in an email to employees after Zatko filed his complaint with regulators, Twitter CEO Parag Agrawal disputed the allegations.

“We’re reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context,” he wrote.

Zatko’s allegations come as Twitter prepares to go to court to force Tesla Inc. CEO Elon Musk to complete a $44 billion deal to buy the company. Zatko’s whistle-blower complaint backed up Musk’s concern about the prevalence of automated accounts known as bots, which is likely to feature prominently in the Oct. 17 trial in a Delaware court, but Tuesday’s hearing focused on security shortcomings.

Lawmakers raised concerns in particular about Mudge’s allegations that Twitter has allowed foreign agents to operate on its payroll and acquiesced to the demands of adversaries like China. Judiciary Chairman Dick Durbin, a Democrat from Illinois, compared the trust users place in Twitter to safeguard their data with the trust they place in a bank — but “at Twitter the vault is wide open,” he said.

“Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities,” Durbin said. 

Iowa Senator Chuck Grassley, the committee’s top Republican, said Mudge’s disclosures “paint a disturbing picture of a company that’s solely focused on profits at any expense.” 

Grassley said Twitter’s Agrawal was invited to Tuesday’s hearing to respond to the allegations, but declined because he claimed it could interfere with the ongoing litigation with Musk. 

“The business of this committee, and protecting Americans from foreign influence, is more important than Twitter’s civil litigation in Delaware,” Grassley said, adding that Agrawal should step down from Twitter if the allegations are true.

Zatko pleaded with lawmakers to pass protections for whistle-blowers who want to come forward while they are still at the companies. He also said any privacy legislation should involve audits and quantifiable results that couldn’t be gamed by technology platforms. 

There is bipartisan support for new internet regulation to protect user privacy and security, but current proposals have failed to gain much traction as Congress focuses on other priorities. 

Connecticut Democrat Richard Blumenthal called for a new technology-focused regulator that could help shift the balance of power between immensely profitable companies and the agencies charged with protecting consumers. 

“To effectively address this problem, we need not only to insist on restructuring the company but also likely restructuring, reforming and energizing our regulatory apparatus,” Blumenthal said. “Clearly what we’re doing right now is not working.”

©2022 Bloomberg L.P.