Whistleblower: Twitter doesn't fully understand the data it collects

Twitter's whistleblower testifies before Senate committee

By Clare Duffy, Brian Fung and Aditi Sangal, CNN

Updated 2233 GMT (0633 HKT) September 13, 2022
10:35 a.m. ET, September 13, 2022

Whistleblower: Twitter doesn't fully understand the data it collects

From CNN's Clare Duffy

Peiter "Mudge" Zatko testifies before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Brendan Smialowski/AFP/Getty Images)

Zatko said that when he arrived at Twitter, he began asking: "Why do they keep having so many security incidents? The same amount year after year … What is fundamentally, under-the-hood broken? Where is the systemic failure?"

One part of the problem, he said, is that Twitter doesn't fully understand all the data it collects from users or why it collects that data.

He cited an internal study conducted by engineers which allegedly found that the company knows "why they got it, how it was supposed to be used, when it was supposed to be deleted" for only about 20% of the data it collects. For the remaining data, the company often did not know what the data was or why it was being collected, Zatko said. Samples of that unknown data in the study included personally identifying information such as phone numbers and addresses, he claimed.

Zatko also said that bad actors with access to Twitter's system could potentially access and exploit that data because the company doesn't properly understand, and therefore protect, the data it collects.

10:38 a.m. ET, September 13, 2022

Zatko: "I did not make my whistleblower disclosures out of spite or to harm Twitter"

From CNN's Aditi Sangal

Peiter Zatko is sworn in to testify before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Former Twitter employee and whistleblower Peiter “Mudge” Zatko said that the platform's potential risk to national security and its users led him to decide it was "necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower."

"I did not make my whistleblower disclosures out of spite or to harm Twitter; far from that. I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter's users and the public are protected," he told lawmakers on Tuesday.

10:54 a.m. ET, September 13, 2022

Sen. Grassley: Twitter CEO should step down if whistleblower's allegations are accurate

From CNN's Brian Fung

Senator Chuck Grassley speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13. (Eric Lee/Bloomberg/Getty Images)

Twitter CEO Parag Agrawal should step down if Zatko’s allegations are proven, according to Sen. Chuck Grassley, the Judiciary Committee’s top Republican. 

"I don’t see how Mr. Agrawal can maintain his position at Twitter” if Zatko’s claims turn out to be accurate, Grassley said. He also blasted the executive over a decision not to testify alongside Zatko despite a committee invitation to appear. 

According to Grassley, Twitter declined to make Agrawal available amid its concerns that his testimony could jeopardize the company’s ongoing litigation with billionaire Elon Musk. 

Twitter did not immediately respond to a request for comment.

10:55 a.m. ET, September 13, 2022

Durbin: Twitter security is "a matter of life and death" for dissidents

From CNN's Aditi Sangal

Senator Dick Durbin speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13. (Eric Lee/Bloomberg/Getty Images)

Sen. Dick Durbin, the chair of the committee, pointed in his opening statement to the importance of security on Twitter for those who use the platform to criticize governments. Durbin specifically noted Saudi Arabia as an example:

"Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government. This is a matter of life and death as we know for these dissidents as the butchering of Jamal Khashoggi made clear."

Durbin was referring to a former Twitter manager who was accused of spying for Saudi Arabia and convicted last month on six criminal counts, including acting as an agent for the country and trying to disguise a payment from an official tied to the Saudi royal family. Prosecutors said he used his insider knowledge to access Twitter accounts and dig up personal information about Saudi dissidents.

"Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities," Durbin added.

10:49 a.m. ET, September 13, 2022

Whistleblower: Twitter "was over a decade behind" industry security standards when I joined

From CNN's Clare Duffy

Independent Security Consultant and Twitter Whistleblower Peiter "Mudge" Zatko sits to testify before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Brendan Smialowski/AFP/Getty Images)

As he began his testimony Tuesday, Peiter “Mudge” Zatko laid out why he decided to become a whistleblower.  

When he joined the company, he said he discovered "this enormously influential company was over a decade behind" industry security standards ... "causing real harm to real people."

Zatko said he raised concerns about security vulnerabilities brought to him by Twitter's own engineers to the company's executives, but executives failed to act. He quoted writer Upton Sinclair, saying, "It is difficult to get someone to understand something when his salary depends on him not understanding something." This, he said, was the mentality of Twitter executives when he raised concerns.

"It's not far-fetched to say a Twitter employee could take over the accounts of all of the senators in this room," he said.

"My genuine hope," he continued, "is that my disclosures help Twitter finally address its security failures and encourage the company to listen to its engineers and employees who have long reported the same issues I have disclosed.” 

10:06 a.m. ET, September 13, 2022

FBI warned Twitter it may have Chinese agent on payroll, Sen. Grassley says

From CNN's Brian Fung

The FBI has warned Twitter it may have at least one Chinese agent on its payroll, according to Sen. Chuck Grassley, summarizing previously undisclosed details of an allegation by Twitter whistleblower Peiter “Mudge” Zatko against his former employer. 

A previously reported version of Zatko’s whistleblower disclosure — submitted to authorities in July and first reported by CNN and The Washington Post in August — indicated that the US government had provided Twitter with specific information that at least one of its employees, perhaps more, may be working for a foreign intelligence agency. 

But that version of the disclosure did not identify which country the suspected agent may have been affiliated with.

"Because of [Zatko’s] disclosures, we’ve learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies,” Grassley said in his opening remarks during a whistleblower hearing involving Zatko on Tuesday. "For example, his disclosures indicate that India was able to place at least two suspected foreign assets within Twitter. His disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company.”

Twitter has not publicly responded to Zatko’s allegations of foreign intelligence compromise, though it has accused Zatko more generally of spreading a “false narrative” about the company. 

The company did not immediately respond to a request for comment on Grassley's remarks.

10:00 a.m. ET, September 13, 2022

NOW: The Twitter whistleblower hearing kicks off

Peiter Zatko arrives at the Senate building for the Data Security at Risk hearing in Washington on Tuesday, September 13. (Sarah Silbiger for CNN)

The hearing featuring Twitter whistleblower Peiter “Mudge” Zatko has kicked off.

Zatko appeared before lawmakers Tuesday in a dark gray windowpane suit and light blue tie. He walked in holding a wooden cane — which has flames on it — and he sat before the committee at a low table in the center of the massive Hart Senate office hearing room, which had been changed from its initial location to accommodate a larger audience.

It's his first public appearance since his bombshell allegations against Twitter were reported last month by CNN and The Washington Post. He previously alleged Twitter has undisclosed security and privacy vulnerabilities.

US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of the whistleblower's testimony.

9:11 a.m. ET, September 13, 2022

Who is Peiter "Mudge" Zatko?

From CNN's Sean Lyngaas

Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait in Washington, D.C., on August 22, 2022. (Sarah Silbiger for CNN)

With his decision to go public with his concerns, Peiter "Mudge" Zatko could find himself at the center of renewed regulatory scrutiny of Twitter, as happened when Frances Haugen blew the whistle on Facebook.

Before joining Twitter, Zatko, now 51, led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet.

Twitter hired Zatko in November 2020 to beef up cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly spearheaded by a Florida teenager, in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. The senior executive role meant Zatko reported directly to then-CEO Jack Dorsey, according to the disclosure.

Some who've worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he's done for much of his career working with the public and private sector. The decision to blow the whistle, they say, is in keeping with that approach.

His career has shown that "there was more to hacking than just one-upping each other, that there was actually a social good and impact that you could have," said Dug Song, chief strategy officer at Cisco Security, who has known Zatko since the 1990s. 


9:13 a.m. ET, September 13, 2022

The big takeaways from the Twitter whistleblower

From CNN's Brian Fung

In his disclosure, Zatko levels a barrage of devastating allegations that US lawmakers say are extremely concerning.

Zatko claims Twitter is full of critical security flaws; may not be deleting the data of users who leave the platform as it is required to do; has misled the public about its spam account problem; may currently have foreign intelligence agents on the payroll; and that it hasn't lived up to years of legal obligations stemming from an earlier privacy settlement with the Federal Trade Commission, which could lead to further liability.

Twitter has criticized Zatko and broadly defended itself against the allegations, saying the disclosure paints a "false narrative" of the company.
