Twitter's whistleblower testifies before Senate committee

With his decision to go public with his concerns, Peiter "Mudge" Zatko could find himself at the center of renewed regulatory scrutiny of Twitter, as happened when Frances Haugen blew the whistle on Facebook.

Before joining Twitter, Zatko, now 51, led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet.

Twitter hired Zatko in November 2020 to beef up cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly spearheaded by a Florida teenager, in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. The senior executive role meant Zatko reported directly to then-CEO Jack Dorsey, according to the disclosure.

Some who've worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he's done for much of his career working with the public and private sector. The decision to blow the whistle, they say, is in keeping with that approach.

His career has shown that "there was more to hacking than just one-upping each other, that there was actually a social good and impact that you could have," said Dug Song, chief strategy officer at Cisco Security, who has known Zatko since the 1990s. 

Read the full story.

In his disclosure, Zatko levels a barrage of devastating allegations that US lawmakers say are extremely concerning.

Zatko claims Twitter is full of critical security flaws; may not be deleting the data of users who leave the platform as it is required to do; has misled the public about its spam account problem; may currently have foreign intelligence agents on the payroll; and that it hasn't lived up to years of legal obligations stemming from an earlier privacy settlement with the Federal Trade Commission, which could lead to further liability.

Twitter has criticized Zatko and broadly defended itself against the allegations, saying the disclosure paints a "false narrative" of the company.

Read our full report on the takeaways.

In response to Zatko's whistleblower disclosure, Twitter has said that security and privacy are both longtime priorities for the company.

The company says Zatko was fired in January for "ineffective leadership and poor performance," and that his disclosure paints a "false narrative" of the company and is "riddled with inconsistencies and inaccuracies and lacks important context." (Zatko contends his firing came after he raised concerns internally about security vulnerabilities and misrepresentations by executives to the company's board.)

In an internal meeting shortly after Zakto's disclosure was first reported, Twitter executives defended the company and themselves to employees.

The company did not respond to a request for comment ahead of Tuesday's hearing.

US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of the whistleblower's testimony.

In a letter addressed to CEO Parag Agrawal, leading members of the Senate Judiciary Committee questioned Twitter about the steps the company takes to secure personal data on its platform; how it protects against insider threats and foreign intelligence operatives; and allegations it's intentionally misled regulators about Twitter's privacy protections for users, claims that could lead to billions of dollars in fines for Twitter if they are proven. 

The committee also invited Agrawal to testify alongside the whistleblower, Peiter "Mudge" Zatko, according to a copy of the letter obtained by CNN. But a committee aide told CNN on Monday evening that the official witness list for Tuesday's hearing remains unchanged and that Zatko continues to be the sole witness, an indication that Twitter has declined the invitation. 

Twitter didn't immediately respond to a request for comment.

On the same day that Peiter Zatko will be on Capitol Hill to testify about his experience at Twitter, the company's shareholders will convene virtually to vote on whether to approve the $44 billion acquisition by Elon Musk.

The shareholder vote is one of the final steps needed to close the deal, which Musk is now fighting to get out of in court.

Twitter's board has unanimously recommended that shareholders vote in favor of the deal.

Read more here.

Peiter Zatko's whistleblower disclosure makes a number of allegations that could raise questions about the company's ability to handle election-related threats ahead of the US midterms.

His disclosure accuses the company of having a reactive approach to misinformation and platform manipulation; a disconnect between product and safety teams; content moderation shortcomings; and a lack of controls to prevent foreign interference.

Members of the US House Committee on Homeland Security last month sent Twitter CEO Parag Agrawal a letter demanding that he address Zatko's allegations and explain Twitter's readiness for the 2022 midterms.

"Twitter plays a unique role in our information and political ecosystems. Security flaws that put users' sensitive personal data within easy reach of a hacker looking to take control of a high-profile account or a foreign dictator looking for information on dissidents are nothing short of a threat to national security," Rep. Bennie Thompson and Rep. Yvette Clark, chairs of the Committee on Homeland Security and the Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation, respectively, said in the letter.

For its part, Twitter earlier this month said it had activated its policies for safeguarding its platform ahead of the upcoming US midterm elections, plans that include labeling and reducing the spread of misinformation. The company also pushes reliable information to users, including localized election information; labels candidates for US House, US Senate and governor; trains state and local election officials about how to use the platform; and says it enforces its rules at scale, such as those prohibiting harassment, spam and manipulated media.

A company spokesperson said Twitter has "a cross-functional team around the globe that's focused on curbing the spread of misinformation and fostering an environment conducive to healthy, meaningful conversation on Twitter."

Read the full story.

Zatko could disclose more today than what's been disclosed so far in his official filings. Under questioning from lawmakers, Zatko could be asked to reveal new details of meetings he may have had, or other recollections from his time as Twitter's head of security, that may serve as further evidence of his claims.

To the extent Zatko may be under legal restrictions preventing him from discussing his time at Twitter, those limitations wouldn't apply to whistleblower testimony to lawmakers and the rest of the US government, according to Whistleblower Aid, the organization providing Zatko's legal representation.

That's part of why Tuesday's hearing carries such high stakes: It may be one of the few venues where the public may see Zatko speaking freely.

Lawmakers won't be the only ones interested in what Peiter Zatko has to say during Tuesday's hearing. Zatko's testimony — and any resulting action taken by lawmakers and regulators — could also have implications for the legal battle over Elon Musk's effort to walk away from the $44 billion deal he struck to buy the company.

Musk on Friday filed updated his counterclaims against Twitter, after the judge overseeing the case said he could amend his argument based on Zatko's disclosure. Also on Friday, Musk sent a third letter seeking to terminate the Twitter deal, citing a purported $7.75 million severance payment the company made to Zatko in June, prior to his disclosure. Twitter hit back in a Monday response calling Musk's letter "invalid and wrongful."

Zatko's lawyers have previously said he has no connection to Musk and his disclosure was not motivated by the fight over the deal.

Twitter and Musk are set to go to trial over the dispute in October.