WASHINGTON (AP) â Twitter's former security chief told Congress Tuesday there was âat least one agentâ from China's intelligence service on Twitter's payroll and that the company knowingly allowed India to add agents to the company roster as well, potentially giving those nations access to sensitive data about users.
These were some of the troubling revelations from Peiter âMudgeâ Zatko, a respected cybersecurity expert and Twitter whistleblower who appeared before the Senate Judiciary Committee to lay out his allegations against the company.
Zatko told lawmakers that the social media platform is plagued by weak cyber defenses that make it vulnerable to exploitation by âteenagers, thieves and spiesâ and put the privacy of its users at risk.
âI am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Zatko said as he began his sworn testimony.
âThey donât know what data they have, where it lives and where it came from and so, unsurprisingly, they canât protect it,â Zatko said. âIt doesnât matter who has keys if there are no locks."
âTwitter leadership ignored its engineers,â he said, in part because âtheir executive incentives led them to prioritize profit over security.â
In a statement, Twitter said its hiring process is âindependent of any foreign influenceâ and access to data is managed through a host of measures, including background checks, access controls, and monitoring and detection systems and processes.
One issue that didn't come up in the hearing was the question of whether Twitter is accurately counting its active users, an important metric for its advertisers. Tesla CEO Elon Musk, who is trying to get out of a $44 billion deal to buy Twitter, has argued without evidence that many of Twitterâs roughly 238 million daily users are fake or malicious accounts, aka âspam bots.â
The Delaware judge overseeing the case ruled last week that Musk can include new evidence related to Zatkoâs allegations in the high-stakes trial, which is set to start Oct. 17. During the hearing, Musk tweeted a popcorn emoji, often used to suggest that one is sitting back in anticipation of unfolding drama.
Separately on Tuesday, Twitter's shareholders voted overwhelmingly to approve the deal, according to multiple media reports. Shareholders have been voting remotely on the issue for weeks. The vote was largely a formality, particularly given Musk's efforts to nullify the deal, although it does clear a legal hurdle to closing the sale.
Zatko's message echoed one brought to Congress against another social media giant last year. But unlike that Facebook whistleblower, Frances Haugen, Zatko hasn't brought troves of internal documents to back up his claims.
Zatko was the head of security for the influential platform until he was fired early this year. He filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
Sen. Dick Durbin, an Illinois Democrat who heads the Judiciary Committee, said Zatko has detailed flaws âthat may pose a direct threat to Twitterâs hundreds of millions of users as well as to American democracy.â
âTwitter is an immensely powerful platform and canât afford gaping vulnerabilities,â he said.
Unknown to Twitter users, thereâs far more of their personal information disclosed than they â or sometimes even Twitter itself â realize, Zatko testified. He said Twitter did not address âbasic systemic failuresâ brought forward by company engineers.
The FTC has been âa little over its headâ, and far behind European counterparts, in policing the sort of privacy violations that have occurred at Twitter, Zatko said.
Sen. Lindsey Graham, a Republican from South Carolina, said one positive result that could come out of Zatkoâs findings would be bipartisan legislation to set up a tighter system of regulation of tech platforms.
âWe need to up our game in this country,â he said.
Many of Zatkoâs claims are uncorroborated and appear to have little documentary support. Twitter has called Zatkoâs description of events âa false narrative ... riddled with inconsistencies and inaccuraciesâ and lacking important context.
Still, Zatko came off as a convincing whistleblower who has âa lot of credibility in this space,â said Ari Lightman, professor of digital media and marketing at Carnegie Mellon University. But he said many of the problems he raised can likely be found at many other digital technology platforms
âThey avoid security protocols in a sense of innovating and running really fast,â Lightman said. âWe gave digital platforms so much autonomy at the beginning to grow and develop. Now weâre at a point where weâre, âWait a minute ... This has gotten out of hand.â
Among the assertions from Zatko that drew attention from lawmakers Tuesday was that Twitter knowingly allowed the government of India to place its agents on the company payroll, where they had access to highly sensitive data on users. Twitterâs lack of ability to log how employees accessed user accounts made it hard for the company to detect when employees were abusing their access, Zatko said.
Zatko said he spoke with âhigh confidenceâ about a foreign agent that the government of India placed at Twitter to âunderstand the negotiationsâ between Indiaâs ruling party and Twitter about new social media restrictions and how well those negotiations were going.
Zatko also revealed Tuesday that he was told about a week before his firing that âat least one agentâ from the Chinese intelligence service MSS, or the Ministry of State Security, was âon the payrollâ at Twitter.
He said he was similarly âsurprised and shockedâ by an exchange with current Twitter CEO Parag Agrawal about Russia â in which Twitter's current CEO, who was chief technology officer at the time, asked if it would be possible to âpuntâ content moderation and surveillance to the Russian government, since Twitter doesn't really âhave the ability and tools to do things correctly.â
âAnd since they have elections, doesnât that make them a democracy?â Zatko recalled Agrawal saying.
Sen. Charles Grassley, the committee's ranking Republican, said Tuesday that Agrawal declined to testify at the hearing, citing the ongoing legal proceedings with Musk. But the hearing is âmore important than Twitterâs civil litigation in Delaware," Grassley said. Twitter declined to comment on Grassley's remarks.
In his complaint, Zatko accused Agrawal as well as other senior executives and board members of numerous violations, including making âfalse and misleading statements to users and the FTC about the Twitter platformâs security, privacy and integrity.â
Zatko, 51, first gained prominence in the 1990s as a pioneer in the ethical hacking movement and later worked in senior positions at an elite Defense Department research unit and at Google. He joined Twitter in late 2020 at the urging of then-CEO Jack Dorsey.
-----
WASHINGTON (AP) â The former security chief at Twitter told Congress that the social media platform is plagued by weak cyber defenses that make it vulnerable to exploitation by âteenagers, thieves and spiesâ and put the privacy of its users at risk. Peiter âMudgeâ Zatko, a respected cybersecurity expert, appeared before the Senate Judiciary Committee to lay out his allegations Tuesday.
âI am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Zatko said as he began his sworn testimony.
âThey donât know what data they have, where it lives and where it came from and so, unsurprisingly, they canât protect it,â Zatko said. âIt doesnât matter who has keys if there are no locks."
Zatko said âTwitter leadership ignored its engineers,â in part because âtheir executive incentives led them to prioritize profit over security.â
His message echoed one brought to Congress against another social media giant last year, but unlike that Facebook whistleblower, Frances Haugen, Zatko hasn't brought troves of internal documents to back up his claims.
Zatko was the head of security for the influential platform until he was fired early this year. He filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
Sen. Dick Durbin, an Illinois Democrat who heads the Judiciary Committee, said Zatko has detailed flaws âthat may pose a direct threat to Twitterâs hundreds of millions of users as well as to American democracy.â
âTwitter is an immensely powerful platform and canât afford gaping vulnerabilities,â he said.
Unknown to Twitter users, thereâs far more personal information disclosed than they âor sometimes even Twitter itself â realize, Zatko testified. He said âbasic systemic failuresâ that were brought forward by company engineers were not addressed.
The FTC has been âa little over its headâ, and far behind European counterparts, in policing the sort of privacy violations that have occurred at Twitter, Zatko said.
Zatko's claims could also affect Tesla billionaire Elon Musk's attempt to back out of his $44 billion deal to acquire the social platform. Musk claims that Twitter has long underreported spam bots on its platform and cites that as a reason to nix the deal he struck in April.
Many of Zatkoâs claims are uncorroborated and appear to have little documentary support. Twitter has called Zatkoâs description of events âa false narrative ... riddled with inconsistencies and inaccuraciesâ and lacking important context.
Among the assertions from Zatko that drew attention from lawmakers Tuesday was that Twitter knowingly allowed the government of India to place its agents on the company payroll, where they had access to highly sensitive data on users. Twitterâs lack of ability to log how employees accessed user accounts made it hard for the company to detect when employees were abusing their access, Zatko said.
Zatko also accuses the company of deception in its handling of automated âspam bots,â or fake accounts. That allegation is at the core of billionaire tycoon Elon Muskâs attempt to back out of his $44 billion deal to buy Twitter. Musk and Twitter are locked in a bitter legal battle, with Twitter having sued Musk to force him to complete the deal. The Delaware judge overseeing the case ruled last week that Musk can include new evidence related to Zatko's allegations in the high-stakes trial, which is set to start Oct. 17.
Sen. Charles Grassley, the committee's ranking Republican, said Tuesday that Twitter CEO Parag Agrawal declined to testify at the hearing, citing the ongoing legal proceedings with Musk. But the hearing is âmore important that Twitterâs civil litigation in Delaware," Grassley said. Twitter declined to comment on Grassley's remarks.
In his complaint, Zatko accused Agrawal as well as other senior executives and board members of numerous violations, including making âfalse and misleading statements to users and the FTC about the Twitter platformâs security, privacy and integrity.â
Zatko, 51, first gained prominence in the 1990s as a pioneer in the ethical hacking movement and later worked in senior positions at an elite Defense Department research unit and at Google. He joined Twitter in late 2020 at the urging of then-CEO Jack Dorsey.
-----------
WASHINGTON (AP) â Peiter âMudgeâ Zatko, the Twitter whistleblower who is warning of security flaws, privacy threats and lax controls at the social platform, will take his case to Congress on Tuesday.
Senators who will hear Zatkoâs testimony before the Senate Judiciary Committee are alarmed by his Twitter allegations at a time of heightened concern over the safety of powerful tech platforms.
Itâs Zatkoâs second Capitol Hill appearance, and in some ways a 21st-century echo of his first. In 1998, he testified before a Senate panel along with fellow members of a hacker collective who warned about the security dangers of the then-emerging internet age.
Zatko, a respected cybersecurity expert, was Twitterâs head of security until he was fired early this year. He has brought the stunning allegations to Congress and federal regulators, asserting that the influential social platform misled regulators about its cyber defenses and efforts to control millions of âspamâ or fake accounts.
Sen. Dick Durbin, the Illinois Democrat who chairs the panel, has said that if Zatkoâs claims are accurate, âthey may show dangerous data-privacy and security risks for Twitter users around the world.â
Zatko's accusations are also playing into billionaire tycoon Elon Musk's battle with Twitter. The Tesla CEO is trying to get out of his $44 billion bid to buy the company; Twitter has sued to force him to complete the deal. The Delaware judge overseeing that case ruled last week that Musk can include new evidence related to Zatkoâs allegations in the high-stakes trial set to start Oct. 17.
The allegation that Twitter engaged in deception in its handling of automated âspam botâ accounts is at the core of Muskâs attempt to back out of the Twitter deal.
At the same time, many of Zatkoâs claims are uncorroborated and appear to have little documentary support. In a statement, Twitter has called Zatkoâs description of events âa false narrative.â
Also on Tuesday, Twitterâs shareholders are scheduled to vote on the companyâs pending buyout by Musk. The vote is something of a formality given that the deal is on hold while the court case plays out. But if the measure passes as expected, it would also pave the way for a Musk takeover should Twitter prevail in court.
Zatko also filed complaints with the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
The SEC is questioning Twitter about how it counts fake accounts on its platform. Twitter uses counts of its presumably real users to attract advertisers, whose payments make up about 90% of its revenue. The âspam botsâ have no value to advertisers because thereâs no person behind them.
San Francisco-based Twitter has an estimated 238 million daily active users worldwide. The company says it removes 1 million spam accounts daily.
Zatkoâs 84-page complaint alleges that he found âextreme, egregious deficiencies" on the platform, including issues with "user privacy, digital and physical security, and platform integrity/content moderation.â
It accuses CEO Parag Agrawal and other senior executives and board members of making âfalse and misleading statements to users and the FTC" about these issues. Twitter denies those claims and said that Zatko was fired in January for âineffective leadership and poor performance.â Zatkoâs attorneys say the performance claim is false.
Twitter also hinted that Zatko's complaint might be designed to bolster Musk's legal fight with the company. Twitter called Zatkoâs complaint âa false narrativeâ that is âriddled with inconsistencies and inaccuracies, and lacks important context."
News of Zatkoâs complaint surfaced on Aug. 23, almost two months before the Twitter-Musk trial is scheduled to begin. . One of Zatkoâs attorneys has said âheâs never met Elon Musk. Doesnât know Elon Musk. They know people in common.â
The company also says it has significantly tightened security since 2020.
Among Zatko's specific allegations:
â The company had such poor cybersecurity that it easily could have been exposed to outside attacks or attempts to siphon off its internal data.
âThe company lacked effective leadership, with its top executives practicing âdeliberate ignoranceâ of pressing problems. Zatko described former CEO Jack Dorsey as âextremely disengagedâ during the last months of his tenure, to the point where he wouldnât even speak during meetings on complex issues. Dorsey stepped down in November 2021.
âThat Twitter knowingly allowed the government of India to place its agents on the company payroll, where they had âdirect unsupervised accessâ to highly sensitive data on users. It makes a parallel but less detailed accusation that Twitter took funding from unidentified Chinese entities who may have gained access enabling them to access the identities and sensitive data of Chinese users who secretly use Twitter, which is officially banned in China.
Better known by his hacker handle âMudge,â Zatko, 51, first gained prominence in the 1990s. He was the best-known member of the Boston-based collective L0pht, which pioneered ethical hacking, embarrassing companies including Microsoft for poor security. His work raised awareness in the computing world that forced such major companies to take security seriously. He co-founded the consultancy @Stake, which was later acquired by Symantec.
Zatko later worked in senior positions at the Pentagonâs Defense Advanced Research Projects Agency and Google. He joined Twitter at Dorseyâs urging in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders, celebrities and tech moguls, including Musk, in an attempt to scam their followers out of bitcoin.